SpeedStream Router User Guide

Packets with spoofed source addresses are commonly sent to smaller hosts, not with the intent of bringing down a particular computer, but rather to take down a large host through a mechanism called Distributed Denial of Service (DDoS). In this situation, when a huge number of computers are used to request services, those services are rendered unavailable because of the traffic load.

The ADS generates a log entry for a particular type of attack once per minute. Consequently, there will be multiple entries for long-term attacks. This lets the user know the period of time that the attack persisted.

Background

TCP/IP (Transmission Control Protocol/Internet Protocol) is the “language” computers that make up the Internet (called hosts) use to talk to each other. Basically, TCP and IP dictate the meaning of two sets of tags (or headers) that are added to user data before being sent. An IP header contains a destination address and a source address that tell all of the hosts delivering the data where it is supposed to go, much like an envelope for an inter-office memo. A TCP header is similar to a subject line on the memo: it contains information that allows the recipient to quickly figure out what the data is and where it goes once the IP “envelope” has been removed. The combination of a block of data and its associated TCP and IP headers is often referred to as a packet.

The part of a host that writes and reads the TCP and IP headers is called a network stack. Almost all network stacks have flaws in them (some more than others!) due to intolerance to improper or invalid headers. This can result in a variety of problems from computer crashes to security breaches. While newer protocols attempt to address these issues (e.g., IPSec), the current version of IP, called IPv4, will be here to stay for some time, flaws and all. This is where the SpeedStream Attack Detection System (ADS) comes in.

Types of Attack

The two most common attack types are unauthorized access and Denial of Service (DoS). Someone guessing your login password is one example of unauthorized access; unfortunately, an external device like the SpeedStream router is unable to do much to prevent that except perhaps have a firewall rule that limits which hosts may log in. The SpeedStream ADS, however, can block attempts by external (WAN) hosts to “impersonate” a LAN host in order to gain access to weakly protected data services on other LAN connected computers.

DoS attacks take several forms, but the basic intended effect is the same: to prevent a host from accessing other hosts, or preventing other hosts from accessing it. In effect, this kicks the host off the Internet. One type of DoS attack sends more data to a host than its connection can handle. Little can be done about this attack without having the Internet Service Provider block it upstream.

Another type of DoS attack attempts to crash the host by sending bad data to its network stack. The SpeedStream ADS as described below can filter several popular incarnations of this attack. One way in which the bad data is created is by spoofing, or modifying, the source address in the IP header. Normally, when a host sends a packet to another host, it puts its address in the IP header so the other host knows where it came from.

While most small users will never be on the receiving end of a direct DoS attack, a new twist to the DoS does quite often take advantage of broadband-connected Internet hosts. Instead of attempting to generate enough data to flood a large Internet host’s connection, a would-be attacker instead “convinces” hundreds or thousands of other hosts to do it for him. This is called a Distributed Denial of Service (DDoS). Several

33

Page 41
Image 41
Efficient Networks 5200 Series, 5500 Series, 5400 Series manual Background, Types of Attack