HP VPN Firewall Appliances Attack Protection Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

Attack t

e Descri

tion

Source Route

A source route attack exploits the source route option in the IP header to probe the

topology of a network.

Smurf

A Smurf attacker sends large quantities of ICMP echo requests to the broadcast

address or the network address of the target network. As a result, all hosts on the

target network will reply to the requests. This causes network congestions, and

hosts on the target network cannot provide services.

TCP Flag

Some TCP flags are processed differently on different operating systems. A TCP

flag attacker sends TCP packets with such TCP flags to a target to probe its

operating system. If the operating system cannot process such packets correctly,

the attacker will successfully make the host crash down.

Tracert

The Tracert program typically sends UDP packets with a large destination port

number and an increasing TTL (starting from 1). The TTL of a packet is decreased

by 1 when the packet passes each router. When a router gets a packet with a TTL

of 0, the router must send an ICMP time exceeded message back to the source IP

address of the packet. A Tracert attacker exploits the Tracert program to figure out

the network topology.

WinNuke

A WinNuke attacker sends out-of-band data with the pointer field values

overlapped to the NetBIOS port (139) of a Windows system with an established

connection to introduce a NetBIOS fragment overlap. This causes the system to

crash.

SYN Flood

A SYN flood attack exploits TCP SYN packets. Due to resource limitation, the

number of TCP connections that can be created on a device is limited. A SYN

flood attacker sends a barrage of spurious SYN packets to a victim to initiate TCP

connections. As the SYN_ACK packets that the victim sends in response can never

get acknowledgments, large amounts of half-open connections are created and

retained on the victim. This makes the victim inaccessible before the number of

half-open connections drops to a reasonable level due to timeout of half-open

connections. In this way, a SYN flood attack exhausts system resources such as

memory on a system whose implementation does not limit creation of

connections.

ICMP Flood

An ICMP flood attack overwhelms the victim with an enormous number of ICMP

echo requests (such as ping packets) in a short period. This prevents the victim

from providing normal services.

UDP Flood

A UDP flood attack overwhelms the victim with an enormous number of UDP

packets in a short period. This disables the victim from providing normal services.

DNS Flood

A DNS flood attack overwhelms the victim with an enormous number of DNS

query requests in a short period. This disables the victim from providing normal

services.

Number of

connections per

source IP exceeds the

threshold

When an internal user initiates a large number of connections to a host on the

external network in a short period of time, system resources on the device are

used up soon. This makes the device unable to service other users.

Number of

connections per dest

IP exceeds the

threshold

If an internal server receives large quantities of connection requests in a short

period of time, the server is not able to process normal connection requests from

other hosts.