TMS zl Management and Configuration Guide ST.1.1.100226

Firewall
Attack Checking
Because SYN packets are a legitimate part of establishing a session, the TMS zl
Module cannot simply screen out these packets. However, when you enable
the SYN Flooding attack check, the firewall filters forged requests when 80%
of allocated connections have been consumed.
Source Routing
A source-routing attack is used to access private network devices. Typically,
data packets sent over a network are surrendered to network devices for
routing. Routers and other network devices work together to deliver the
packet with the lowest number of hops and in the least amount of time.
However, packets can also be routed by the sender, using source routing.
“Strict” source routing requires the sender to specify the exact route of the
packet. “Loose” source routing allows the sender to designate as few as one
node through which the packet must travel.
Generally, source routing use is limited to network administrators who are
checking the connectivity of network devices. By forcing a packet to route
through a particular device, the administrator confirms that a device is
connected because the packet is not dropped.
Source routing can also be used by an attacker to:
Map a network
By specifying the exact route each packet must take, an attacker can
eventually determine the location of the end device and all devices in
between. If the packet is delivered, the attacker’s assumptions about
device locations are validated. If it is not delivered, the attacker knows
that there is a mistake in the route. This network map information can
then be used to launch a DoS attack.
Access private devices
Many devices use private network addresses, which makes them
inaccessible to devices that connect through the Internet. An attacker can get
data to the private device by sending a packet to a global address, but then
require the packet to route through a private device. The attacker may
then be able to use other techniques, such as spoofing, to convince the
device to share private data and sensitive information.
You can prevent this sort of attack by enabling the source routing attack check
on the TMS zl Module so that it will drop all source-routed packets.