R3166-R3206-HP High-End Firewalls Attack Protection Configuration Guide-6PW101

5 Packet inspection configuration
NOTE:
The firewall supports configuring packet inspection only in the web interface.
Packet inspection overview
A single-packet attack, or malformed packet attack, occurs when either of the following events occurs:
• An attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags, to a target system, making the target system malfunction or crash when processing such packets.
• An attacker sends large quantities of junk packets to the network, using up the network bandwidth.
The packet inspection feature allows the firewall to analyze the characteristics of received packets to
determine whether the packets are attack packets. Upon detecting an attack, the firewall logs the event
and, when configured, blocks the packet.
The firewall supports detection of the following types of single packet attacks.
Table 4 Supported single packet attack types

| Attack type | Description |
|---|---|
| Fraggle | A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests (UDP port 7) or Chargen packets (UDP port 19), producing a large quantity of junk replies that finally exhaust the bandwidth of the target network. |
| Land | A Land attack occurs when an attacker sends a great number of TCP SYN packets whose source and destination IP addresses are both the IP address of the target, exhausting the half-open connection resources of the victim and preventing the target from providing services normally. |
| WinNuke | A WinNuke attacker sends out-of-band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system that has an established connection, introducing a NetBIOS fragment overlap that causes the system to crash. |
| TCP Flag | Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker crashes the host. |
| ICMP unreachable | Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for it. By sending ICMP unreachable packets, an attacker can cut off the connection between the target host and the network. |
| ICMP redirect | An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets. |
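As an added illustration (not part of the HP guide or its firmware), the following Python models the detection side of Table 4: it matches packet metadata against each listed signature, logs every hit, and marks a hit as blocked only when its type is in the configured block set. The `Packet` fields, the TCP flag combinations treated as illegal, and the sample traffic are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class Packet:
    proto: str                           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None          # TCP/UDP destination port
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"} or {"URG", "PSH", "ACK"}
    icmp_type: Optional[int] = None      # ICMP type: 3 = unreachable, 5 = redirect

def classify(pkt: Packet) -> Optional[str]:
    """Return the Table 4 attack type the packet matches, or None if it looks benign."""
    if pkt.proto == "udp" and pkt.dport in (7, 19):       # UDP echo or chargen
        return "Fraggle"
    if pkt.proto == "tcp":
        if pkt.flags == {"SYN"} and pkt.src == pkt.dst:   # SYN with source == destination
            return "Land"
        if pkt.dport == 139 and "URG" in pkt.flags:       # OOB (urgent) data to NetBIOS
            return "WinNuke"
        # Flag combinations that never occur in a legitimate TCP exchange (assumed set).
        if (not pkt.flags or {"SYN", "FIN"} <= pkt.flags or {"SYN", "RST"} <= pkt.flags
                or ("FIN" in pkt.flags and "ACK" not in pkt.flags)):
            return "TCP Flag"
    if pkt.proto == "icmp":
        # Both checks flag every such message; enable only where hosts do not need them.
        if pkt.icmp_type == 3:
            return "ICMP unreachable"
        if pkt.icmp_type == 5:
            return "ICMP redirect"
    return None

def inspect(packets: List[Packet], block: FrozenSet[str] = frozenset()) -> List[str]:
    log = []
    for pkt in packets:
        kind = classify(pkt)
        if kind:
            # Logged always; blocked only for the attack types the operator selected.
            action = "blocked" if kind in block else "logged"
            log.append(f"{kind}: {pkt.src} -> {pkt.dst} ({pkt.proto}) {action}")
    return log

# Constructed sample traffic (not captured packets) for a dry run.
SAMPLE = [
    Packet("udp", "192.0.2.10", "198.51.100.255", dport=7),
    Packet("tcp", "203.0.113.5", "203.0.113.5", dport=80, flags=frozenset({"SYN"})),
    Packet("tcp", "192.0.2.10", "203.0.113.5", dport=139, flags=frozenset({"URG", "PSH", "ACK"})),
    Packet("tcp", "192.0.2.10", "203.0.113.5", dport=22, flags=frozenset({"SYN", "FIN"})),
    Packet("icmp", "192.0.2.10", "203.0.113.5", icmp_type=5),
]
```

Running `inspect(SAMPLE, block=frozenset({"Land"}))` yields five log lines, of which only the Land entry ends in "blocked"; a plain SYN to port 443 or a FIN/ACK segment classifies as None.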