3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide
146 CHAPTER 10: ATTACK PREVENTION AND PACKET STATISTICS
IP-based authentication even in the root authority. In this way, the system can also
be destroyed even though the response packet does not reach the system. This is
the IP Spoofing attack.
Land attack
A Land attack sets both the source address and the destination address of a
TCP SYN packet to the IP address of the attack target. The target therefore
sends the SYN-ACK message to itself, sends back the ACK message, and then
creates a null connection. Each null connection is kept until it times out.
Different attack targets respond differently to the Land attack. For instance,
many UNIX hosts crash and Windows NT hosts slow down.
Smurf attack
The simple Smurf attack targets a network by sending an ICMP request to the
broadcast address of the target network. All the hosts in the network respond
to the request, and network congestion results.
The advanced Smurf attack is mainly used against a single target host: the
source address of the ICMP packet is set to the address of the target host, so
that the host eventually crashes. The attack packets must be sent at a certain
traffic volume and for a certain duration for the attack to take effect.
Theoretically, the larger the number of hosts, the more obvious the effect.
A newer form of the Smurf attack is the Fraggle attack.
WinNuke attack
A WinNuke attack sends Out-Of-Band (OOB) data packets to the NetBIOS port (139)
of a target running the Windows system, causing a NetBIOS fragment overlap that
makes the target host crash. A variant uses IGMP fragment packets. Because IGMP
packets generally cannot be fragmented, few systems handle an attack based on
IGMP fragment packets thoroughly.
SYN flood attack
Because resources are limited, a TCP/IP stack permits only a restricted number
of TCP connections. The SYN Flood attack exploits this limitation: it forges a
SYN packet whose source address is bogus or non-existent and initiates a
connection to the server. The server therefore never receives the ACK packet
for its SYN-ACK packet, which leaves a semi-connection. A large number of
semi-connections exhausts the network resources, so that normal clients cannot
access the network until the semi-connections time out. The SYN Flood attack
also works against applications that do not limit the number of connections,
where it consumes system resources such as memory.
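The header patterns described above for the Land, Smurf, WinNuke and SYN Flood
attacks can be checked per packet, as in this added example (not code from the
firewall module or from this guide). The Pkt record, the AttackClassifier class,
the half_open_limit threshold and all addresses are constructed for
illustration, and aging of semi-connections by timeout is not modeled.

```python
import ipaddress
from collections import namedtuple
# Parsed header fields (hypothetical record); flags is a set of TCP flag names.
Pkt = namedtuple("Pkt", "proto src dst sport dport flags icmp_type")

class AttackClassifier:
    def __init__(self, protected_net, half_open_limit=3):
        self.net = ipaddress.ip_network(protected_net)
        self.half_open_limit = half_open_limit  # assumed threshold, tune per server
        self.half_open = {}  # server address -> {(client address, client port)}

    def classify(self, p):
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if p.proto == "tcp":
            syn_only = "SYN" in p.flags and "ACK" not in p.flags
            # Land: a SYN whose source and destination addresses are identical.
            if syn_only and src == dst:
                return "land"
            # WinNuke: urgent (out-of-band) data sent to NetBIOS port 139.
            if p.dport == 139 and "URG" in p.flags:
                return "winnuke"
            return self._track_handshake(p, syn_only)
        # Smurf: ICMP echo request (type 8) to the network broadcast address.
        if p.proto == "icmp" and p.icmp_type == 8 and dst == self.net.broadcast_address:
            return "smurf"
        return "ok"

    def _track_handshake(self, p, syn_only):
        if syn_only:
            # Every unanswered SYN is one semi-connection held by the server.
            pending = self.half_open.setdefault(p.dst, set())
            pending.add((p.src, p.sport))
            if len(pending) > self.half_open_limit:
                return "syn-flood"
        elif "ACK" in p.flags and "SYN" not in p.flags:
            # The client's ACK completes the handshake and frees the slot.
            self.half_open.get(p.dst, set()).discard((p.src, p.sport))
        return "ok"

def demo():
    c = AttackClassifier("192.0.2.0/24", half_open_limit=3)
    samples = [  # constructed sample headers, documentation address ranges
        Pkt("tcp", "192.0.2.10", "192.0.2.10", 1025, 80, {"SYN"}, None),
        Pkt("icmp", "198.51.100.7", "192.0.2.255", None, None, set(), 8),
        Pkt("tcp", "198.51.100.7", "192.0.2.20", 40000, 139, {"URG", "ACK"}, None),
        Pkt("tcp", "198.51.100.8", "192.0.2.30", 40001, 80, {"SYN"}, None),
        Pkt("tcp", "198.51.100.8", "192.0.2.30", 40001, 80, {"ACK"}, None),
    ] + [Pkt("tcp", f"203.0.113.{i}", "192.0.2.30", 5000 + i, 80, {"SYN"}, None)
         for i in range(1, 5)]  # four SYNs that are never acknowledged
    return [c.classify(p) for p in samples]
```

The legitimate client's SYN and ACK both classify as "ok"; only the fourth
unanswered SYN pushes the server past the limit and is reported as "syn-flood".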
ICMP and UDP flood attack
An ICMP and UDP Flood attack sends a large number of ICMP messages (such as
ping) and UDP packets to a specific target in a short time, so that the target
system cannot transmit valid packets normally.
Address/port scanning attack
An address/port scanning attack probes target addresses and ports with
scanning tools. From the responses it receives, the attacker determines which
systems connected to the target network are active and through which ports each
host provides services.