Efficient Networks 5200 Series, 5500 Series, 5400 Series manual Background, Types of Attack


SpeedStream Router User Guide

Packets with spoofed source addresses are commonly sent to smaller hosts, not with the intent of bringing down a particular computer, but rather to take down a large host through a mechanism called Distributed Denial of Service (DDoS). In this situation, when a huge number of computers are used to request services, those services are rendered unavailable because of the traffic load.

The ADS generates a log entry for a particular type of attack once per minute. Consequently, there will be multiple entries for long-term attacks. This lets the user know the period of time that the attack persisted.
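Because the ADS writes one entry per attack type per minute, the duration of a long attack has to be recovered from the run of entries. The following is an added example (not code from the SpeedStream firmware) that groups per-minute entries into episodes and reports how long each persisted. The log lines, their timestamp format and the attack-type names are constructed for illustration; the router's real log format is not shown on this page.

```python
"""Group once-per-minute attack-detection log entries into episodes.

Added example, not SpeedStream code. Log lines below are constructed:
'<YYYY-MM-DD HH:MM:SS> <attack type>'. Type names are illustrative.
"""
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2003-05-01 10:00:12 IP spoofing
2003-05-01 10:01:12 IP spoofing
2003-05-01 10:02:12 IP spoofing
2003-05-01 10:02:40 Malformed packet
2003-05-01 10:30:05 IP spoofing
"""


def parse_log(text: str) -> list[tuple[datetime, str]]:
    """Split each constructed log line into (timestamp, attack type)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, kind = line[:19], line[20:].strip()
        entries.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), kind))
    return entries


def episodes(entries: list[tuple[datetime, str]],
             gap: timedelta = timedelta(minutes=2)) -> list[tuple[str, datetime, datetime, int]]:
    """Merge consecutive entries of one type that are no more than `gap` apart.

    Returns (attack type, first entry, last entry, number of entries), sorted by
    start time. With one entry per minute, a run of N entries means the attack
    was still being seen about N minutes after it started.
    """
    by_type: dict[str, list[datetime]] = {}
    for stamp, kind in sorted(entries):
        by_type.setdefault(kind, []).append(stamp)

    result = []
    for kind, stamps in by_type.items():
        start = prev = stamps[0]
        count = 1
        for stamp in stamps[1:]:
            if stamp - prev > gap:           # silence longer than the gap: new episode
                result.append((kind, start, prev, count))
                start, count = stamp, 0
            prev = stamp
            count += 1
        result.append((kind, start, prev, count))
    return sorted(result, key=lambda e: e[1])


if __name__ == "__main__":
    for kind, first, last, count in episodes(parse_log(SAMPLE_LOG)):
        minutes = (last - first).total_seconds() / 60
        print(f"{kind}: {count} entries, {first:%H:%M:%S} .. {last:%H:%M:%S} ({minutes:.0f} min)")
```

The `gap` of two minutes allows one missed minute before a run is split; tighten it to one minute if the log source never drops entries.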

Background

TCP/IP (Transmission Control Protocol/Internet Protocol) is the “language” computers that make up the Internet (called hosts) use to talk to each other. Basically, TCP and IP dictate the meaning of two sets of tags (or headers) that are added to user data before being sent. An IP header contains a destination address and a source address that tell all of the hosts delivering the data where it is supposed to go, much like an envelope for an inter-office memo. A TCP header is similar to a subject line on the memo: it contains information that allows the recipient to quickly figure out what the data is and where it goes once the IP “envelope” has been removed. The combination of a block of data and its associated TCP and IP headers is often referred to as a packet.

The part of a host that writes and reads the TCP and IP headers is called a network stack. Almost all network stacks have flaws in them (some more than others!) due to intolerance to improper or invalid headers. This can result in a variety of problems from computer crashes to security breaches. While newer protocols attempt to address these issues (e.g., IPSec), the current version of IP, called IPv4, will be here to stay for some time, flaws and all. This is where the SpeedStream Attack Detection System (ADS) comes in.
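To make the "envelope" and "subject line" picture concrete, here is an added example (not code from the SpeedStream firmware) that reads the IPv4 and TCP headers of a packet the way a careful network stack should: every length field is checked against the buffer that actually arrived before it is trusted, which is exactly the tolerance for improper headers that the paragraph above says many stacks lack. The packet bytes are constructed by the `build_sample` helper; checksums are left at zero because they are not what this example is about.

```python
"""Parse IPv4 + TCP headers defensively. Added example, not SpeedStream code.

Sample packets are constructed by build_sample(); addresses are documentation
ranges and checksums are left zero.
"""
import ipaddress
import struct


class MalformedHeader(ValueError):
    """A header field is inconsistent with the bytes that carry it."""


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return the IP 'envelope' and TCP 'subject line' fields of a packet."""
    if len(packet) < 20:
        raise MalformedHeader("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise MalformedHeader(f"not IPv4 (version {version})")
    # IHL must be at least 20 bytes and must fit inside the buffer we hold.
    if ihl < 20 or ihl > len(packet):
        raise MalformedHeader(f"bad IP header length {ihl}")
    if total_len < ihl or total_len > len(packet):
        raise MalformedHeader(f"IP total length {total_len} does not fit buffer")
    if proto != 6:
        raise MalformedHeader(f"not TCP (protocol {proto})")

    tcp = packet[ihl:total_len]
    if len(tcp) < 20:
        raise MalformedHeader("truncated TCP header")
    (sport, dport, _seq, _ack, off_flags, _window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise MalformedHeader(f"bad TCP data offset {data_off}")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x1FF,
        "payload": tcp[data_off:],
    }


def build_sample(src: str, dst: str, sport: int, dport: int,
                 payload: bytes, ihl_nibble: int = 5) -> bytes:
    """Construct a minimal IPv4+TCP SYN packet (sample data only)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_nibble, 0, total_len, 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x02, 8192, 0, 0)
    return ip + tcp + payload


if __name__ == "__main__":
    good = build_sample("192.0.2.10", "203.0.113.5", 40000, 80, b"GET / HTTP/1.0\r\n")
    print(parse_ipv4_tcp(good))
    # An IHL of 15 (60 bytes) in a 56-byte packet is the kind of lie a fragile
    # stack follows off the end of its buffer; here it is simply rejected.
    bad = build_sample("192.0.2.10", "203.0.113.5", 40000, 80, b"GET / HTTP/1.0\r\n", ihl_nibble=15)
    try:
        parse_ipv4_tcp(bad)
    except MalformedHeader as err:
        print("dropped:", err)
```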

Types of Attack

The two most common attack types are unauthorized access and Denial of Service (DoS). Someone guessing your login password is one example of unauthorized access; unfortunately, an external device like the SpeedStream router is unable to do much to prevent that except perhaps have a firewall rule that limits which hosts may log in. The SpeedStream ADS, however, can block attempts by external (WAN) hosts to “impersonate” a LAN host in order to gain access to weakly protected data services on other LAN connected computers.

DoS attacks take several forms, but the basic intended effect is the same: to prevent a host from accessing other hosts, or to prevent other hosts from accessing it. In effect, this kicks the host off the Internet. One type of DoS attack sends more data to a host than its connection can handle. Little can be done about this attack without having the Internet Service Provider block it upstream.

Another type of DoS attack attempts to crash the host by sending bad data to its network stack. The SpeedStream ADS as described below can filter several popular incarnations of this attack. One way in which the bad data is created is by spoofing, or modifying, the source address in the IP header. Normally, when a host sends a packet to another host, it puts its address in the IP header so the other host knows where it came from.

While most small users will never be on the receiving end of a direct DoS attack, a new twist to the DoS does quite often take advantage of broadband-connected Internet hosts. Instead of attempting to generate enough data to flood a large Internet host’s connection, a would-be attacker instead “convinces” hundreds or thousands of other hosts to do it for him. This is called a Distributed Denial of Service (DDoS). Several

33
