Efficient Networks 5100 Series manual ADS Configuration Options

Models: 5100 Series


SpeedStream Router User Guide

enough data to flood a large Internet host’s connection, a would-be attacker instead “convinces” hundreds or thousands of other hosts to do it for him. This is called a Distributed Denial of Service (DDoS). Several viruses can turn a host into a remote-controlled “zombie,” although some attacks can simply use a host’s network stack to do the job if it is too trusting. The SpeedStream ADS monitors this behavior.

ADS Configuration Options

The SpeedStream Attack Detection System filters (i.e., discards) and/or logs the following attack attempts from the WAN:

Same Source and Destination Address (a.k.a. Land Attack):

This packet has a spoofed source IP address set to be the same as the destination host and can result in the DoS or crash of the local host. When the receiving host tries to respond to the source address in the packet, it ends up just sending it back to itself. This packet could ping-pong back and forth over 200 times (consuming CPU resources) before being discarded.

Broadcast Source Address (a.k.a. Smurf or Fraggle Attack):

This packet has a spoofed source IP address set to the “broadcast” address. Most hosts only accept packets destined for their own IP address, but there are a couple of special IP addresses called broadcast addresses that hosts will also accept in addition to their own. The broadcast address is invalid as a packet’s source address, however, because a packet has to come from a host. If a network stack does respond to a packet with a broadcast source address, the response will be sent to the broadcast address on which all of the hosts on the subnet are listening. All of the hosts that received the broadcast would then respond back to the host, flooding it with data and possibly making it inaccessible to other users.

LAN Source Address On WAN:

This packet has a spoofed source address set to be a typical trusted LAN address. One method of separating a LAN from a WAN is by using NAPT. This allows the LAN to use IP addresses that are normally not accessible by WAN hosts and, therefore, helps shield the LAN from WAN attacks. A packet with a LAN source address coming from the WAN is attempting to masquerade as a LAN packet so that it might be trusted by a LAN host and received.

Invalid IP Packet Fragment (a.k.a. Ping of Death):

IP packets can be large. If a link between two hosts transporting a packet can only handle smaller packets, the large packet may be split (or fragmented) into smaller ones. When the packet fragments get to the destination host, they must be reassembled into the original large packet like pieces of a puzzle. If each stage of reassembly is not carefully checked by the receiving host’s network stack, a specially crafted invalid fragment can cause the host to crash.

TCP NULL Flags:

The TCP header contains a set of “flags” that indicate information about the packet and are used by the receiving host to process it. At least one TCP flag must be set, but in a TCP NULL flags packet, none is. This packet can cause some hosts to crash.

TCP FIN Flag:

The TCP FIN flag should never appear in a packet by itself. This packet can cause some hosts to crash.
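The six rules above are easy to state but the details matter in practice: which header fields are examined, in what order, and what counts as a “LAN address” or a “broadcast address”. The following Python is an added illustration, written for this page and not the firmware’s own code (Efficient Networks does not publish the ADS logic here). It parses raw IPv4/TCP headers and reports which of the six conditions a packet from the WAN side would trigger. The LAN subnet `192.168.1.0/24` and the use of the RFC 1918 private ranges as “typical trusted LAN addresses” are assumptions for the example; the sample packets are constructed inline.

```python
import ipaddress
import struct
from typing import Optional

# Assumed LAN subnet behind NAPT (hypothetical value chosen for this example).
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
# Assumption: "typical trusted LAN addresses" are the RFC 1918 private ranges.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_FLAG_MASK = 0x3F          # FIN SYN RST PSH ACK URG (ignore CWR/ECE)
IPV4_MAX_DATAGRAM = 65535     # total length is a 16-bit field


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields the six ADS rules look at."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "proto": proto,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "payload": pkt[ihl:],
    }


def tcp_flags(segment: bytes) -> Optional[int]:
    """Return the TCP flags byte (header offset 13), or None if truncated."""
    return segment[13] if len(segment) >= 14 else None


def classify(pkt: bytes, lan_subnet=LAN_SUBNET) -> list:
    """Return the names of every ADS rule the WAN-side packet triggers."""
    ip = parse_ipv4(pkt)
    src, dst = ip["src"], ip["dst"]
    hits = []
    # Land attack: source spoofed to equal the destination.
    if src == dst:
        hits.append("land")
    # Smurf/Fraggle: a broadcast address can never be a legitimate source.
    if src in (LIMITED_BROADCAST, lan_subnet.broadcast_address):
        hits.append("broadcast-source")
    # A LAN/private source arriving from the WAN is masquerading.
    if src in lan_subnet or any(src in net for net in PRIVATE_RANGES):
        hits.append("lan-source-on-wan")
    # Ping of Death: reassembled datagram would exceed 65535 bytes.
    data_len = ip["total_len"] - ip["ihl"]
    if data_len < 0 or ip["frag_offset"] + data_len > IPV4_MAX_DATAGRAM:
        hits.append("invalid-fragment")
    # TCP flag rules only apply where a TCP header is present (first fragment).
    if ip["proto"] == IP_PROTO_TCP and ip["frag_offset"] == 0:
        flags = tcp_flags(ip["payload"])
        if flags is not None:
            if flags & TCP_FLAG_MASK == 0:
                hits.append("tcp-null-flags")
            elif flags & TCP_FLAG_MASK == TCP_FIN:
                hits.append("tcp-fin-only")
    return hits


# --- constructed sample packets (no checksums; the rules never need them) ---
def build_ipv4(src, dst, proto, payload=b"", frag_offset=0):
    flags_frag = (frag_offset // 8) & 0x1FFF
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                         flags_frag, 64, proto, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def build_tcp(flags, sport=40000, dport=80):
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


WAN_HOST, VICTIM = "198.51.100.9", "203.0.113.5"   # documentation addresses
SAMPLE_PACKETS = {
    "normal-syn":    build_ipv4(WAN_HOST, VICTIM, IP_PROTO_TCP, build_tcp(TCP_SYN)),
    "land":          build_ipv4(VICTIM, VICTIM, IP_PROTO_TCP, build_tcp(TCP_SYN)),
    "smurf":         build_ipv4("255.255.255.255", VICTIM, IP_PROTO_ICMP, b"\x08" + b"\x00" * 7),
    "lan-spoof":     build_ipv4("192.168.1.20", VICTIM, IP_PROTO_TCP, build_tcp(TCP_SYN)),
    "ping-of-death": build_ipv4(WAN_HOST, VICTIM, IP_PROTO_ICMP, b"\x00" * 100, frag_offset=65528),
    "tcp-null":      build_ipv4(WAN_HOST, VICTIM, IP_PROTO_TCP, build_tcp(0x00)),
    "tcp-fin":       build_ipv4(WAN_HOST, VICTIM, IP_PROTO_TCP, build_tcp(TCP_FIN)),
}


def run_samples() -> dict:
    """Classify every constructed packet; useful as a log-style summary."""
    return {name: classify(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:14s} -> {hits or ['pass']}")
```

Two design points carry over to any real filter of this kind: the TCP flag checks are only meaningful on the first fragment, since later fragments carry no TCP header, and the Ping of Death test must use the offset plus the fragment’s data length rather than the length of any single fragment, because each piece is individually well within limits.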
