TMS zl Management and Configuration Guide ST.1.0.090213
6-11
Intrusion Detection and Prevention
Overview
Exploits
Unlike protocol anomaly attacks that exploit protocol weaknesses, these
attacks exploit weaknesses or vulnerabilities in software and hardware.
Attackers use these vulnerabilities to gain control of a computer system in
order to access confidential information or data, or to degrade network
performance. Exploit attacks are usually discovered eventually, though the
time to discovery varies greatly, and software companies then release patches
to protect the software from the exploit. Exploit attacks are often used to
launch viruses and worms.
Web browsers are the most commonly exploited software. The most critical
Web browser exploits allow attackers to execute code remotely while a host
visits a malicious Web page or reads a malicious email. Web browsers are
especially exposed because working exploits for them are routinely published
on the Internet. Furthermore, attacks using weaknesses in Microsoft Internet
Explorer have been used to reach vulnerabilities in other core Windows
components.
Denial of Service
A denial-of-service (DoS) attack occurs when an attacker is able to overwhelm
a network’s resources, such as bandwidth or processing power. Because the
attacker is monopolizing network resources, users with legitimate needs are
unable to access the network and are denied network services. One common DoS
attack is ICMP/UDP ping smurfing or fraggling.
■ Ping smurfing or fraggling
Ping smurfing or fraggling involves sending echo requests to a broadcast
IP address. Ping smurfing uses ICMP echo requests, and ping fraggling uses
UDP echo packets.
In an attack, the source IP address of the requests is spoofed to be that of
a crucial network device (the victim). Because the destination IP address is
a network broadcast address, every device on that network receives the
request and sends a reply to the spoofed source. In a large network, the
flood of simultaneous replies can quickly overwhelm the victim: each request
the attacker sends is amplified by the number of hosts that answer it.
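The smurf/fraggle pattern described above, expressed as detection logic over constructed packet records. This is an added example, not code from the TMS zl guide; it assumes a simple per-packet record (timestamp, protocol, source, destination, ICMP type or UDP destination port) and a configured list of local subnets, both of which are illustrative. It flags two things an IDS would look for: the trigger (an ICMP echo request or UDP echo packet addressed to a broadcast address) and the effect on the victim (echo replies arriving from many distinct hosts at one destination within a short window).

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed sample records (not a real capture). "type" is the ICMP type
# (8 = echo request, 0 = echo reply); "dport" is the UDP destination port.
SAMPLE_PACKETS = [
    # Attacker sends one ICMP echo request and one UDP echo packet to the
    # directed broadcast address, with the source spoofed as the victim 10.0.0.5.
    {"ts": 0.00, "proto": "icmp", "src": "10.0.0.5", "dst": "10.0.0.255", "type": 8},
    {"ts": 0.01, "proto": "udp",  "src": "10.0.0.5", "dst": "10.0.0.255", "dport": 7},
    # An ordinary unicast ping: must not be flagged.
    {"ts": 0.02, "proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.1",   "type": 8},
] + [
    # Twenty hosts answer the broadcast request; every reply lands on the victim.
    {"ts": 0.05 + i * 0.001, "proto": "icmp", "src": f"10.0.0.{10 + i}",
     "dst": "10.0.0.5", "type": 0}
    for i in range(20)
] + [
    # A single normal echo reply to another host.
    {"ts": 0.50, "proto": "icmp", "src": "10.0.0.1", "dst": "10.0.0.9", "type": 0},
]

# Hypothetical list of locally attached subnets; used to derive directed
# broadcast addresses such as 10.0.0.255.
LOCAL_NETS = ["10.0.0.0/24"]

UDP_ECHO_PORT = 7


def is_broadcast(addr, local_nets):
    """True for the limited broadcast address or any local directed broadcast."""
    a = ip_address(addr)
    if a == ip_address("255.255.255.255"):
        return True
    return any(a == ip_network(n).broadcast_address for n in local_nets)


def classify_trigger(pkt, local_nets):
    """Return 'smurf', 'fraggle' or None for one packet.

    Only packets addressed to a broadcast address can trigger amplification,
    so everything else is ignored regardless of protocol.
    """
    if not is_broadcast(pkt["dst"], local_nets):
        return None
    if pkt["proto"] == "icmp" and pkt.get("type") == 8:
        return "smurf"
    if pkt["proto"] == "udp" and pkt.get("dport") == UDP_ECHO_PORT:
        return "fraggle"
    return None


def find_triggers(pkts, local_nets):
    """List (src, dst, kind) for every broadcast echo request seen."""
    hits = []
    for p in pkts:
        kind = classify_trigger(p, local_nets)
        if kind:
            hits.append((p["src"], p["dst"], kind))
    return hits


def detect_reply_flood(pkts, window=1.0, threshold=10):
    """Map victim address -> peak number of distinct hosts sending ICMP echo
    replies to it within `window` seconds, for victims exceeding `threshold`.

    The victim of a smurf attack never sent a request, yet receives one reply
    per responding host, so many distinct reply sources at one destination is
    the signature on the receiving side.
    """
    recent = defaultdict(deque)  # dst -> deque of (ts, src) inside the window
    peak = {}
    for p in sorted(pkts, key=lambda r: r["ts"]):
        if p["proto"] != "icmp" or p.get("type") != 0:
            continue
        q = recent[p["dst"]]
        q.append((p["ts"], p["src"]))
        while q and p["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({src for _, src in q})
        if distinct > threshold:
            peak[p["dst"]] = max(peak.get(p["dst"], 0), distinct)
    return peak


if __name__ == "__main__":
    for src, dst, kind in find_triggers(SAMPLE_PACKETS, LOCAL_NETS):
        print(f"broadcast {kind} trigger: {src} -> {dst}")
    for victim, n in detect_reply_flood(SAMPLE_PACKETS).items():
        print(f"reply flood at {victim}: {n} distinct responders")
```

On the sample data the trigger check reports both the smurf and the fraggle packet to 10.0.0.255, and the reply-flood check reports 10.0.0.5 with twenty distinct responders; the unicast ping and the single reply to 10.0.0.9 are left alone. The reply-side check is the one that still works when the trigger arrives from outside the monitored segment, since only the amplified replies cross the victim's link.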
In many DoS attack cases, the only way to regain the occupied network
resources is to trace the attack to its source and stop the traffic there.
Finding the source of a straightforward SYN flood can be somewhat difficult,
but not impossible. However, the newer, more sophisticated techniques of
distributed and reflected DoS attacks allow an attacker to better disguise
the attack source.