R3166-R3206-HP High-End Firewalls Attack Protection Configuration Guide-6PW101

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

Attack t

e Descri

tion

Source Route

A source route attack exploits the source route option in the IP header to probe the

topology of a network.

Smurf

A Smurf attacker sends large quantities of ICMP echo requests to the broadcast

address of the target network. As a result, all hosts on the target network will reply to

the requests, causing the network congested and hosts on the target network unable to

provide services.

TCP Flag

Some TCP flags are processed differently on different operating systems. A TCP flag

attacker sends TCP packets with such TCP flags to a target to probe its operating

system. If the operating system cannot process such packets properly, the attacker will

successfully make the host crash down.

Tracert

The Tracert program usually sends UDP packets with a large destination port number

and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the

packet passes each firewall. Upon receiving a packet with a TTL of 0, a firewall must

send an ICMP time exceeded message back to the source IP address of the packet. A

Tracert attacker exploits the Tracert program to figure out the network topology.

WinNuke

A WinNuke attacker sends out-of-band (OOB) data with the pointer field values

overlapped to the NetBIOS port (139) of a Windows system with an established

connection to introduce a NetBIOS fragment overlap, causing the system to crash.

SYN Flood

A SYN flood attack exploits TCP SYN packets. Due to resource limitation, the number

of TCP connections that can be created on a firewall is limited. A SYN flood attacker

sends a barrage of spurious SYN packets to a victim to initiate TCP connections. As the

SYN_ACK packets that the victim sends in response can never get acknowledgments,

large amounts of half-open connections are created and retained on the victim, making

the victim inaccessible before the number of half-open connections drops to a

reasonable level due to timeout of half-open connections. In this way, a SYN flood

attack exhausts system resources such as memory on a system whose implementation

does not limit creation of connections.

ICMP Flood

An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo

requests (such as ping packets) in a short period, preventing the victim from providing

services normally.

UDP Flood

A UDP flood attack overwhelms the victim with an enormous number of UDP packets in

a short period, disabling the victim from providing services normally.

Number of

connections per

source IP exceeds the

threshold

When an internal user initiates a large number of connections to a host on the external

network in a short period of time, system resources on the firewall will be used up soon.

This will make the firewall unable to service other users.

Number of

connections per dest

IP exceeds the

threshold

If an internal server receives large quantities of connection requests in a short period of

time, the server will not be able to process normal connection requests from other

hosts.