TMS zl Management and Configuration Guide ST.1.1.100226

4-104
Firewall
Attack Checking
An attacker can launch an ICMP error message attack by impersonating an
end or intermediate device and repeatedly replaying a forged error message.
Because TCP includes fault-recovery responses for ICMP error messages,
replaying the messages causes the transport protocol to keep reacting to an
error that never occurred, which results in a DoS. These attacks are called
"blind" because ICMP error messages are not authenticated: the attacker does
not need to see the connection's traffic, only to guess (or know) the IP
addresses and ports of the victim connection.
ICMP error messages can be used to launch several types of attacks:
Blind connection-reset attacks
The TCP fault-recovery policy for a "hard error" is to reset the connection.
RFC 1122 classifies Destination Unreachable codes 2 (protocol unreachable),
3 (port unreachable), and 4 (fragmentation needed) as hard errors; Time
Exceeded and the remaining Destination Unreachable codes (for example,
network or host unreachable) are soft errors that TCP should only record
without aborting. An attacker can send a forged Destination Unreachable with
a hard-error code to a client; the message aborts the TCP connection, which
results in a DoS for the client.
Figure 4-69. ICMP Blind Connection-Reset Attack
Blind throughput-reduction attacks
Source Quench messages are sent if a router or host does not have the buffer
space needed to queue packets for the next hop, or if packets arrive faster
than the receiving device can process them. The message is a request for the
sender to slow the rate at which it transmits; a TCP sender that honors it
cuts its sending rate as it would for congestion. An attacker can forge
Source Quench messages, which causes a significant decrease in throughput.
(Source Quench has since been deprecated by RFC 6633 and current TCP stacks
ignore it, but older hosts and devices may still honor it.)
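The following Python is an added example, not code from this guide and not the TMS zl implementation. It models the check that a firewall or host can apply to the connection-reset and throughput-reduction attacks described above: an ICMP error carries the IP header and first 8 bytes of the transport header of the datagram that supposedly triggered it, so the error can be matched against a table of tracked TCP connections and its embedded sequence number checked against the sender's window (the validation recommended in RFC 5927). Source Quench is dropped outright. The connection-table fields, addresses, port numbers, sequence numbers and verdict strings are constructed for the example and are assumptions, not values from the guide.

```python
import struct
from collections import namedtuple
from ipaddress import IPv4Address

ICMP_DEST_UNREACH, ICMP_SOURCE_QUENCH, ICMP_TIME_EXCEEDED = 3, 4, 11
# RFC 1122 4.2.3.9: Destination Unreachable codes 2-4 are "hard" errors.
HARD_UNREACH_CODES = {2, 3, 4}   # protocol, port, fragmentation needed
IPPROTO_TCP = 6

# Connection-table entry; field names are an assumption made for this example.
# snd_una/snd_nxt are the victim's TCP send-window bounds (SND.UNA, SND.NXT).
Conn = namedtuple("Conn", "src dst sport dport snd_una snd_nxt")


def build_icmp_error(icmp_type, icmp_code, src, dst, sport, dport, seq):
    """Construct an ICMP error for testing: 8-byte ICMP header (checksum left 0),
    then the embedded 20-byte IPv4 header and the first 8 bytes of the TCP header
    of the datagram that supposedly caused the error (RFC 792 layout)."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 48, 0, 0, 64, IPPROTO_TCP, 0,
                           IPv4Address(src).packed, IPv4Address(dst).packed)
    inner_tcp = struct.pack("!HHI", sport, dport, seq)   # sport, dport, seq number
    return icmp_hdr + inner_ip + inner_tcp


def parse_icmp_error(pkt):
    """Return the fields a firewall needs from an ICMP error, or None if malformed."""
    if len(pkt) < 8 + 20 + 8:
        return None
    icmp_type, icmp_code = pkt[0], pkt[1]
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return {"type": icmp_type, "code": icmp_code, "proto": inner[9],
            "src": str(IPv4Address(inner[12:16])), "dst": str(IPv4Address(inner[16:20])),
            "sport": sport, "dport": dport, "seq": seq}


def in_send_window(seq, snd_una, snd_nxt):
    """SND.UNA <= seq < SND.NXT, computed modulo 2**32 to survive wrap-around."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)


def check_icmp_error(pkt, conns):
    """Verdict for an inbound ICMP error against a connection table.
    The embedded headers must name a tracked TCP connection (sent by the
    victim src to the peer dst) and carry a sequence number inside the
    victim's send window; otherwise the error is treated as forged."""
    f = parse_icmp_error(pkt)
    if f is None:
        return "drop: malformed ICMP error"
    if f["type"] == ICMP_SOURCE_QUENCH:
        return "drop: Source Quench (deprecated by RFC 6633)"
    if f["type"] not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "pass: not an error type this check covers"
    if f["proto"] != IPPROTO_TCP:
        return "pass: embedded datagram is not TCP"
    match = next((c for c in conns if (c.src, c.dst, c.sport, c.dport) ==
                  (f["src"], f["dst"], f["sport"], f["dport"])), None)
    if match is None:
        return "drop: no matching connection"
    if not in_send_window(f["seq"], match.snd_una, match.snd_nxt):
        return "drop: embedded sequence number outside send window"
    if f["type"] == ICMP_DEST_UNREACH and f["code"] in HARD_UNREACH_CODES:
        return "pass: hard error, TCP may abort"
    return "pass: soft error, TCP keeps the connection"


# Constructed sample state: protected client 10.0.0.5:40000 talking to 198.51.100.7:443.
CONNS = [Conn("10.0.0.5", "198.51.100.7", 40000, 443, snd_una=1000, snd_nxt=1500)]


def demo():
    """Genuine port-unreachable, blind forged reset with a guessed sequence
    number, and a forged Source Quench, in that order."""
    genuine = build_icmp_error(ICMP_DEST_UNREACH, 3, "10.0.0.5", "198.51.100.7", 40000, 443, 1200)
    forged = build_icmp_error(ICMP_DEST_UNREACH, 3, "10.0.0.5", "198.51.100.7", 40000, 443, 777777)
    quench = build_icmp_error(ICMP_SOURCE_QUENCH, 0, "10.0.0.5", "198.51.100.7", 40000, 443, 1200)
    return [check_icmp_error(p, CONNS) for p in (genuine, forged, quench)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The sequence-number check is what makes the attack non-trivial for a blind attacker: without it, any attacker who can guess the four-tuple can reset the connection with a single packet; with it, the forgery must also land inside a window of a few kilobytes out of a 32-bit space. A stateful firewall in front of older hosts can apply the same test on their behalf.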
Blind performance-degrading attacks