TMS zl Management and Configuration Guide ST.1.1.100226

Intrusion Detection and Prevention
IDS/IPS Concepts
Protocol Anomalies
It is possible to generate packets that follow a protocol's specifications but have no legitimate purpose. These packets are referred to as protocol anomalies because the protocol is being used in a way that is inconsistent with common practice, not because the packet causes network traffic to deviate from normal behavior.
Attackers can exploit protocol anomalies to get around protections, to put
characteristics of a protocol to unforeseen (and illegitimate) uses, or simply
to crash systems that do not know how to treat the anomaly.
Frequently exploited protocols include ICMP, IP, TCP, and UDP. Two examples of protocol anomaly attacks are:
Teardrop attack
The attacker exploits the fragmentation of IP packets. Packets are intentionally fragmented with overlapping offset fields (the field that determines the fragment's position in the original packet). The conflicting offset values cause the receiving device to crash when it attempts to reassemble the packets.
Land attack
The attacker exploits the TCP protocol by sending a stream of TCP SYN
packets that have the same source and destination IP addresses and TCP
port number. This creates an unending loop of traffic as the network
device tries to establish a session with itself. All available resources
become consumed by the looped traffic, causing a denial of service.
Note Because protocol anomaly attacks exploit protocol specifications, they are
sometimes referred to as protocol exploitation attacks. This guide will refer
to them only as protocol anomaly attacks.
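The two anomalies above are detectable from header fields alone, before any reassembly or session setup happens. The following C code is an added example written for this page; it is not code from the TMS zl product or its guide. It assumes a simplified view of the relevant IPv4 and TCP fields (the struct layouts, field names and the sample values are constructed for illustration), with the fragment offset already converted from the wire's 8-byte units into bytes. The fragment check flags any two fragments of one datagram whose byte ranges overlap, which is the teardrop condition; the land check flags a SYN whose source and destination address and port are identical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed view of the IPv4 header fields the fragment check needs.
 * `offset` is held in bytes (decode the wire value by multiplying by 8). */
struct ip_fragment {
    uint16_t ident;   /* Identification: shared by all fragments of one datagram */
    uint16_t offset;  /* position of this fragment's payload in the datagram, in bytes */
    uint16_t length;  /* payload bytes carried by this fragment */
};

/* Teardrop check: legitimate fragmentation tiles the original datagram without
 * overlap, so two fragments of the same datagram claiming the same byte range
 * is an anomaly to log and drop before the reassembly code ever sees it. */
bool fragments_overlap(const struct ip_fragment *f, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            if (f[i].ident != f[j].ident)
                continue;                      /* different datagrams never conflict */
            uint32_t a_start = f[i].offset, a_end = a_start + f[i].length;
            uint32_t b_start = f[j].offset, b_end = b_start + f[j].length;
            /* half-open ranges [start, end) intersect when each starts before the other ends */
            if (a_start < b_end && b_start < a_end)
                return true;
        }
    }
    return false;
}

/* Constructed view of the IP/TCP fields the land check needs. */
struct tcp_packet {
    uint32_t src_ip, dst_ip;       /* IPv4 addresses as host-order integers */
    uint16_t src_port, dst_port;
    bool     syn, ack;             /* TCP flag bits */
};

/* Land check: a connection-opening SYN whose source and destination address
 * and port are identical cannot originate from a real client, because the
 * reply would be addressed to the sender's own socket. */
bool is_land_packet(const struct tcp_packet *p)
{
    return p->syn && !p->ack
        && p->src_ip == p->dst_ip
        && p->src_port == p->dst_port;
}

/* Constructed samples (not captured traffic) so the checks run stand-alone. */
/* Well-formed: two fragments tiling bytes 0..1479 and 1480..2007 of datagram 0x1234. */
const struct ip_fragment good_frags[] = {
    { 0x1234, 0,    1480 },
    { 0x1234, 1480, 528  },
};
/* Anomalous: the second fragment starts inside the first fragment's byte range. */
const struct ip_fragment bad_frags[] = {
    { 0x1234, 0,   1480 },
    { 0x1234, 800, 1000 },
};
/* Ordinary client SYN from 10.0.0.2:51234 to 10.0.0.1:80. */
const struct tcp_packet normal_syn = { 0x0A000002, 0x0A000001, 51234, 80, true, false };
/* Land pattern: 10.0.0.1:80 to 10.0.0.1:80. */
const struct tcp_packet land_syn   = { 0x0A000001, 0x0A000001, 80,    80, true, false };

/* Returns the number of anomalies found in the constructed samples (expected: 2). */
int count_sample_anomalies(void)
{
    int hits = 0;
    hits += fragments_overlap(good_frags, 2) ? 1 : 0;
    hits += fragments_overlap(bad_frags, 2)  ? 1 : 0;
    hits += is_land_packet(&normal_syn)      ? 1 : 0;
    hits += is_land_packet(&land_syn)        ? 1 : 0;
    return hits;
}
```

A production IPS would also cap the number of fragments it buffers per datagram and age them out, since the same reassembly path can be exhausted by a flood of never-completed fragments; the overlap test above is only the part that identifies the anomaly itself.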
Traffic Information
Traffic information attacks affect the way network traffic travels through the network. The most common traffic information attack is the buffer overflow attack. In this attack, the attacker convinces a program to store information even after it has reached its buffering threshold. As a result, the device overwrites adjacent buffers, overwriting or corrupting the data held in them. The "extra" data that the program is buffering may also contain malicious code.
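The overflow described above comes down to a copy that is bounded by the input's length rather than the destination's size. The following C code is an added example for this page, not code from the TMS zl product or its guide; the `struct session` layout and the field names are constructed for illustration. It places a fixed-size name buffer directly beside a flag that controls behaviour, shows the unchecked copy that lets an over-long input spill into that flag, and beside it the bounded copy that enforces the buffering threshold and reports the truncation to the caller.

```c
#include <stddef.h>
#include <string.h>

/* Constructed record: a fixed-size buffer sits directly beside a field that
 * controls behaviour. Writing past `name` lands in `is_admin`, which is the
 * adjacent-buffer corruption the section describes. */
struct session {
    char name[16];
    int  is_admin;
};

/* Vulnerable pattern, kept only for comparison and never called by the checks
 * below: strcpy copies until the input's terminating NUL, so an input of 16 or
 * more bytes writes beyond `name` and into whatever follows it in memory. */
void set_name_unchecked(struct session *s, const char *src)
{
    strcpy(s->name, src);
}

/* Hardened form: the copy is bounded by the destination size, never by the
 * input. Returns 0 on success and 1 when the input exceeded the buffer and was
 * truncated, so the caller can reject the request rather than silently keep a
 * partial name. */
int set_name_bounded(struct session *s, const char *src)
{
    size_t cap = sizeof s->name;        /* the buffering threshold: 16 bytes */
    size_t n   = strlen(src);
    if (n >= cap) {
        memcpy(s->name, src, cap - 1);  /* keep room for the terminator */
        s->name[cap - 1] = '\0';
        return 1;
    }
    memcpy(s->name, src, n + 1);        /* includes the NUL terminator */
    return 0;
}

/* Helper for checking the invariant: after a bounded store of any input,
 * the adjacent flag must still hold the value it was given (0 here). */
int admin_flag_after_bounded_store(const char *src)
{
    struct session s;
    memset(&s, 0, sizeof s);
    s.is_admin = 0;
    set_name_bounded(&s, src);
    return s.is_admin;
}
```

The bounded version is the pattern to look for in review: the size passed to the copy is derived from the destination (`sizeof s->name`), and an over-long input produces an explicit return code instead of a silent write past the end.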