Command Reference Guide Global Configuration Mode Command Set
61200510L1-35E Copyright © 2005 ADTRAN 416

Case 4: Packets from interfaces without a configured policy class to other interfaces without a configured policy class

This traffic is routed normally. The ip firewall command has no effect on this traffic.

Attack Protection:

When the ip firewall command is enabled, firewall attack protection is enabled. The AOS blocks traffic matching patterns of known networking exploits from traveling through the device. For some of these attacks, the user may manually disable checking/blocking; the other attack checks are always on whenever the firewall is enabled.

The table (on the following pages) outlines the types of traffic discarded by the firewall attack protection engine. Many attacks use similar invalid traffic patterns; therefore, attacks other than the examples listed below may also be blocked by the firewall. To determine if a specific attack is blocked by the AOS firewall, please contact ADTRAN technical support.

Table columns: Invalid Traffic Pattern; Manually Enabled?; AOS Firewall Response; Common Attacks.

Invalid Traffic Pattern: Larger than allowed packets
Manually Enabled? No
AOS Firewall Response: Any packets that are longer than those defined by standards will be dropped.
Common Attacks: Ping of Death

Invalid Traffic Pattern: Fragmented IP packets that produce errors when attempting to reassemble
Manually Enabled? No
AOS Firewall Response: The firewall intercepts all fragments for an IP packet and attempts to reassemble them before forwarding to the destination. If any problems or errors are found during reassembly, the fragments are dropped.
Common Attacks: SynDrop, TearDrop, OpenTear, Nestea, Targa, Newtear, Bonk, Boink

Invalid Traffic Pattern: Smurf Attack
Manually Enabled? No
AOS Firewall Response: The firewall will drop any ping responses that are not part of an active session.
Common Attacks: Smurf Attack

Invalid Traffic Pattern: IP Spoofing
Manually Enabled? No
AOS Firewall Response: The firewall will drop any packets with a source IP address that appears to be spoofed. The IP route table is used to determine if a path to the source address is known (out of the interface from which the packet was received). For example, if a packet with a source IP address of 10.10.10.1 is received on interface fr 1.16 and no route to 10.10.10.1 (through interface fr 1.16) exists in the route table, the packet is dropped.
Common Attacks: IP Spoofing

Invalid Traffic Pattern: ICMP Control Message Floods and Attacks
Manually Enabled? No
AOS Firewall Response: The following types of ICMP packets are allowed through the firewall: echo, echo-reply, TTL expired, destination unreachable, and source quench. These ICMP messages are only allowed if they appear to be in response to a valid session. All others are discarded.
Common Attacks: Twinge
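The decision logic behind three of the rows above (fragment reassembly errors including oversized datagrams, the reverse-path spoofing check, and session-gated ICMP) is easy to misread from prose alone. The following is an added example, not ADTRAN code and not how AOS implements these checks internally: it models each rule as a small Python function that can be run on constructed packets. The fragment field layout follows RFC 791; the route table, the session table, the ICMP type names and all function names are this example's own assumptions. Two simplifications are worth noting before relying on the behaviour: the reassembler drops any overlap at all (a real stack may tolerate identical duplicate bytes), and the reverse-path check is strict, so on a network with asymmetric routing it will drop legitimate traffic exactly as the table's example describes.

```python
# Added example (not ADTRAN code): toy versions of three attack-protection checks
# from the AOS firewall table, runnable on constructed packets. Fragment fields
# follow RFC 791; the route table, session table and names below are assumptions.
import ipaddress
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # IP total-length field is 16 bits (RFC 791)


@dataclass
class Fragment:
    offset: int     # Fragment Offset field, in 8-byte units
    more: bool      # More Fragments (MF) flag
    payload: bytes  # fragment data

    @property
    def start(self):
        return self.offset * 8

    @property
    def end(self):
        return self.start + len(self.payload)


def check_fragments(frags):
    """Reassemble one datagram's fragments. Returns ('accept', data) or
    ('drop', reason). Oversize results (Ping of Death), overlaps (Teardrop
    family), gaps and a missing or misplaced final fragment are all errors."""
    if not frags:
        return "drop", "no fragments"
    for f in frags:
        if f.more and len(f.payload) % 8:
            return "drop", "non-final fragment length not a multiple of 8"
        if f.end > MAX_IP_DATAGRAM:
            return "drop", "reassembled datagram exceeds 65535 bytes (Ping of Death)"
    ordered = sorted(frags, key=lambda x: x.start)
    finals = [f for f in ordered if not f.more]
    if len(finals) != 1 or finals[0] is not ordered[-1]:
        return "drop", "final fragment missing, duplicated or not last"
    buf = bytearray()
    expected = 0  # byte offset the next fragment must begin at
    for f in ordered:
        if f.start < expected:
            return "drop", "overlapping fragments (Teardrop family)"
        if f.start > expected:
            return "drop", "gap in fragment sequence"
        buf += f.payload
        expected = f.end
    return "accept", bytes(buf)


# Constructed route table: (destination prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "ppp 1"),
    ("10.10.10.0/24", "eth 0/1"),
    ("192.168.5.0/24", "fr 1.16"),
]


def route_interface(dst, routes=ROUTES):
    """Longest-prefix match: the interface the route table would use to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def is_spoofed(src, in_iface, routes=ROUTES):
    """Reverse-path check from the table: the source is treated as spoofed when
    the route back to it does not leave through the interface the packet came in on."""
    return route_interface(src, routes) != in_iface


# ICMP types the table permits, and only when tied to a live session.
ALLOWED_ICMP = {"echo", "echo-reply", "ttl-expired", "dest-unreachable", "source-quench"}

# Constructed session table: (proto, src, sport, dst, dport) as seen outbound.
SESSIONS = {
    ("tcp", "192.168.5.7", 40000, "203.0.113.10", 80),
    ("icmp", "192.168.5.7", 0, "203.0.113.10", 0),  # an outbound ping
}


def icmp_allowed(icmp_type, flow, sessions=SESSIONS):
    """flow is the 5-tuple the ICMP message refers to: the embedded header for
    error messages, the echo pair for echo/echo-reply. Permit only listed types
    that match an active session in either direction; everything else is dropped."""
    if icmp_type not in ALLOWED_ICMP:
        return False
    proto, src, sport, dst, dport = flow
    reverse = (proto, dst, dport, src, sport)
    return flow in sessions or reverse in sessions
```

Running `is_spoofed("10.10.10.1", "fr 1.16")` reproduces the table's example: the longest match for 10.10.10.1 points out eth 0/1, not fr 1.16, so the packet is dropped. An unsolicited echo-reply (the Smurf case) fails `icmp_allowed` because no session matches, and an ICMP type outside the permitted set (the Twinge case) fails before the session table is consulted.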