R0106-HP MSR Router Series Security Configuration Guide(V7)

Scanning attacks
Scanning is a pre-intrusion activity used to prepare for an intrusion into a network. Scanning allows the
attacker to find a way into the target network and to disguise the attacker's identity.
Attackers use scanning tools to probe a network, find vulnerable hosts, and discover services that are
running on the hosts. Attackers can use the information to launch attacks.
The device can detect and prevent IP sweep and port scan attacks. When an attacker performs port
scanning from multiple hosts against the same target host, the attack is a distributed port scan.
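The three scan patterns named above differ only in what is counted per observation window. The following is an added example, not code from the HP guide or the device: the thresholds, the record layout, and the sample records are constructed assumptions, and IP sweep is taken in its usual sense of one source probing many hosts.

```python
from collections import defaultdict

# Constructed connection attempts for one window: (source IP, destination IP, destination port).
# Addresses come from documentation ranges; none of this is captured traffic.
SAMPLE = (
    [("192.0.2.10", f"198.51.100.{h}", 22) for h in range(1, 21)]   # one source, 20 hosts
    + [("192.0.2.20", "198.51.100.5", p) for p in range(1, 31)]     # one source, 30 ports
    + [(f"203.0.113.{s}", "198.51.100.9", 1000 + 10 * s + i)         # 6 sources, 5 ports each
       for s in range(1, 7) for i in range(5)]
    + [("192.0.2.30", "198.51.100.5", 443)] * 40                     # repeated normal traffic
)


def classify_scans(events, host_limit=10, port_limit=20):
    """Return sorted (kind, subject) findings; both limits are illustrative assumptions."""
    hosts_by_src = defaultdict(set)    # source -> distinct destination hosts
    ports_by_pair = defaultdict(set)   # (source, destination) -> distinct ports
    ports_by_dst = defaultdict(set)    # destination -> distinct ports from any source
    srcs_by_dst = defaultdict(set)     # destination -> distinct sources
    for src, dst, port in events:
        hosts_by_src[src].add(dst)
        ports_by_pair[(src, dst)].add(port)
        ports_by_dst[dst].add(port)
        srcs_by_dst[dst].add(src)

    findings = set()
    for src, hosts in hosts_by_src.items():
        if len(hosts) > host_limit:            # one source touching many hosts
            findings.add(("ip-sweep", src))
    scanned_by_one = set()
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) > port_limit:            # one source touching many ports on one host
            findings.add(("port-scan", f"{src}->{dst}"))
            scanned_by_one.add(dst)
    for dst, ports in ports_by_dst.items():
        # No single source crossed the limit, but several sources together did.
        if (dst not in scanned_by_one and len(ports) > port_limit
                and len(srcs_by_dst[dst]) > 1):
            findings.add(("distributed-port-scan", dst))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject in classify_scans(SAMPLE):
        print(kind, subject)
```

A per-source counter alone misses the distributed case, because each of the six sources stays under the port limit; only the per-destination aggregate exposes it.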
Flood attacks
An attacker launches a flood attack by sending a large number of forged requests to the victim in a short
period of time. The victim is too busy responding to these forged requests to provide services for
legitimate users, and a DoS attack occurs.
The device can detect and prevent the following types of flood attacks:
SYN flood attack.
A SYN flood attacker exploits the TCP three-way handshake characteristics and makes the victim
unresponsive to legitimate users. An attacker sends a large number of SYN packets with forged source
addresses to a server. This causes the server to open a large number of half-open connections and
respond to the requests. However, the server will never receive the expected ACK packets. The
server is unable to accept new incoming connection requests because all of its resources are
bound to half-open connections.
ACK flood attack.
An ACK packet is a TCP packet with only the ACK flag set. Upon receiving an ACK packet from
a client, the server must search half-open connections for a match.
An ACK flood attacker sends a large number of ACK packets to the server. This keeps the server
busy searching for half-open connections, and the server is unable to process packets for normal
services.
SYN-ACK flood attack.
Upon receiving a SYN-ACK packet, the server must search for the matching SYN packet it has sent.
A SYN-ACK flood attacker sends a large number of SYN-ACK packets to the server. This keeps
the server busy searching for SYN packets, and the server is unable to process packets for normal
services.
FIN flood attack.
FIN packets are used to shut down TCP connections.
A FIN flood attacker sends a large number of forged FIN packets to a server. The victim might shut
down correct connections, or be unable to provide services because it is busy searching for
matching connections.
RST flood attack.
RST packets are used to abort TCP connections when TCP connection errors occur.
An RST flood attacker sends a large number of forged RST packets to a server. The victim might
shut down correct connections, or be unable to provide services because it is busy searching for
matching connections.
DNS flood attack.
The DNS server processes and replies to all DNS queries that it receives.