TMS zl Management and Configuration Guide ST.1.0.090213

4-90
Firewall
Attack Checking
Figure 4-61. ICMP Blind Connection-Reset Attack
Blind throughput-reduction attacks
A router or host sends a Source Quench message (ICMP type 4) when it does
not have the buffer space needed to queue packets for the next network
device, or when packets arrive faster than the receiving device can process
them. The message asks the sender to slow the rate at which it transmits
packets. An attacker can forge Source Quench messages for an existing
connection, which causes a significant decrease in throughput.
Blind performance-degrading attacks
A small Path Maximum Transmission Unit (small PMTU) message is an ICMP
Destination Unreachable message (type 3, code 4, fragmentation needed) that
advertises a very small next-hop MTU, which tells the sending host to send its
data in smaller packets. An attacker can forge such a message to force the
sender to transmit large amounts of data in very small packets, which
overloads the server that is sending the data and severely reduces its
performance.
Enable the ICMP Error Messages attack check to drop all ICMP error messages.
Dropping all ICMP error messages also discards the legitimate Fragmentation
Needed messages that Path MTU discovery relies on, so verify that large
transfers through the firewall still succeed after you enable the check.
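The following Python example, added here and not part of the TMS zl guide or
the product's own code, shows what a drop-all-ICMP-errors check inspects: it
builds three constructed IPv4/ICMP packets (a forged Source Quench, a forged
Fragmentation Needed message advertising a 68-byte MTU, and a harmless Echo
Request) and classifies each by the ICMP type and code fields. The function
names, the addresses and the 68-byte MTU value are assumptions chosen for the
illustration.

```python
import struct

# ICMP message types that are error reports (RFC 792, RFC 1191). Informational
# types such as Echo Request (8) and Echo Reply (0) are deliberately absent,
# so a check built on this table lets ping through and drops the error types.
ICMP_ERROR_TYPES = {
    3: "destination unreachable",   # code 4 = fragmentation needed (PMTU)
    4: "source quench",
    5: "redirect",
    11: "time exceeded",
    12: "parameter problem",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, icmp_type: int, icmp_code: int,
                      rest_of_header: bytes = b"\x00" * 4,
                      quoted: bytes = b"") -> bytes:
    """Construct an IPv4 datagram carrying one ICMP message (sample input).

    For error messages `quoted` stands in for the IP header plus first 8 bytes
    of the offending datagram that a real error message carries; here it is
    filler, since the check below does not look at it."""
    icmp = struct.pack("!BBH", icmp_type, icmp_code, 0) + rest_of_header + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def icmp_error_check(packet: bytes) -> dict:
    """Verdict of a drop-all-ICMP-error-messages check on one IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    if packet[9] != 1:                           # protocol field: 1 = ICMP
        return {"drop": False, "reason": "not ICMP"}
    icmp = packet[ihl:]
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        return {"drop": False, "reason": "informational ICMP type %d" % icmp_type}
    verdict = {"drop": True, "reason": ICMP_ERROR_TYPES[icmp_type]}
    if icmp_type == 3 and icmp_code == 4:
        # bytes 6-7 of the ICMP header carry the next-hop MTU (RFC 1191);
        # this is the field a forged "small PMTU" message abuses
        verdict["next_hop_mtu"] = struct.unpack("!H", icmp[6:8])[0]
    return verdict


def demo() -> list:
    """Run the check over three constructed packets (assumed addresses)."""
    quoted = b"\x45" + b"\x00" * 27          # filler for the quoted datagram
    quench = build_icmp_packet("203.0.113.9", "192.0.2.10", 4, 0, quoted=quoted)
    tiny_mtu = build_icmp_packet("203.0.113.9", "192.0.2.10", 3, 4,
                                 rest_of_header=struct.pack("!HH", 0, 68),
                                 quoted=quoted)
    ping = build_icmp_packet("192.0.2.20", "192.0.2.10", 8, 0,
                             rest_of_header=struct.pack("!HH", 0x1234, 1))
    return [icmp_error_check(p) for p in (quench, tiny_mtu, ping)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

A real firewall keeps connection state and could instead validate the quoted
header inside the error message against its session table; the guide's check
is the blunt variant, so the example drops on type alone.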
SYN Flooding
SYN flood attacks exploit the process of establishing a TCP/IP session. In a
normal session, the initiator sends a SYN packet, the responder returns a
SYN/ACK packet, and the initiator replies with an ACK packet. In a SYN flood
attack, the attacker repeatedly sends SYN packets but never replies to the
responder's SYN/ACK packets. The attacker may also spoof an unreachable
source address, so that the responder's SYN/ACKs are never received. The
responder holds each half-open connection in the SYN-RECEIVED state, waiting
for ACKs that do not come. Eventually, the half-open connections exhaust the
target host's connection resources, creating a denial of service. (See
Figure 4-62.)