Chapter

DoS Attack Protection

10

 

 

 

Table 64 lists DoS protection features supported in Brocade ICX 6650. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where noted.

TABLE 64 Supported DoS protection features

Feature

Brocade ICX 6650

 

 

Smurf attack (ICMP attack) protection

Yes

 

 

TCP SYN attack protection

Yes

 

 

This chapter explains how to protect your Brocade devices from Denial of Service (DoS) attacks.

In a Denial of Service (DoS) attack, a device is flooded with useless packets, hindering normal operation.Brocade devices include measures for defending against two types of DoS attacks Smurf attacks and TCP SYN attacks.

Smurf attacks

A Smurf attack is a kind of DoS attack in which an attacker causes a victim to be flooded with Internet Control Message Protocol (ICMP) echo (Ping) replies sent from another network. Figure 14 illustrates how a Smurf attack works.

FIGURE 14 How a Smurf attack floods a victim with ICMP replies

1Attacker sends ICMP echo requests to broadcast address on Intermediary’s network, spoofing Victim’s IP address as the source

Attacker

2 If Intermediary has directed broadcast

 

 

 

forwarding enabled, ICPM echo requests

 

 

Victim

are broadcast to hosts on Intermediary’s

 

 

 

network

 

 

 

Intermediary

3The hosts on Intermediary’s network send replies to Victim, inundating Victim with ICPM packets

The attacker sends an ICMP echo request packet to the broadcast address of an intermediary network. The ICMP echo request packet contains the spoofed address of a victim network as its source. When the ICMP echo request reaches the intermediary network, it is converted to a Layer 2 broadcast and sent to the hosts on the intermediary network. The hosts on the intermediary network then send ICMP replies to the victim network.

Brocade ICX 6650 Security Configuration Guide

267

53-1002601-01

 

Page 287
Image 287
Brocade Communications Systems 6650 manual Smurf attacks, How a Smurf attack floods a victim with Icmp replies