Efficient Networks 5500 Series, 5400 Series, 5200 Series manual ADS Configuration Options

Models: 5200 Series 5400 Series 5500 Series


SpeedStream Router User Guide

viruses can turn a host into a remote-controlled “zombie,” although some attacks can simply use a host’s network stack to do the job if it is too trusting. The SpeedStream ADS monitors this behavior.

ADS Configuration Options

The SpeedStream Attack Detection System filters (i.e., discards) and/or logs the following attack attempts from the WAN:

Same Source and Destination Address (a.k.a. Land Attack):

This packet has a spoofed source IP address set to be the same as the destination host and can result in the DoS or crash of the local host. When the receiving host tries to respond to the source address in the packet, it ends up just sending it back to itself. This packet could ping-pong back and forth over 200 times (consuming CPU resources) before being discarded.

Broadcast Source Address (a.k.a. Smurf or Fraggle Attack):

This packet has a spoofed source IP address set to the “broadcast” address. Most hosts only accept packets destined for their own IP address, but there are a couple of special IP addresses called broadcast addresses that hosts will also accept in addition to their own. The broadcast address is invalid as a packet’s source address, however, because a packet has to come from a host. If a network stack does respond to a packet with a broadcast source address, the response will be sent to the broadcast address on which all of the hosts on the subnet are listening. All of the hosts that received the broadcast would then respond back to the host, flooding it with data and possibly making it inaccessible to other users.

LAN Source Address On WAN:

This packet has a spoofed source address set to be a typical trusted LAN address. One method of separating a LAN from a WAN is through the use of NAPT. This allows the LAN to use IP addresses that are normally not accessible by WAN hosts and, therefore, helps shield the LAN from WAN attacks. A packet with a LAN source address coming from the WAN is attempting to masquerade as a LAN packet so that it might be trusted by a LAN host and received.

Invalid IP Packet Fragment (a.k.a. Ping of Death):

IP packets can be fairly large in size. If a link between two hosts transporting a packet can only handle smaller packets, the large packet may be split (or fragmented) into smaller ones. When the packet fragments get to the destination host, they must be reassembled into the original large packet like pieces of a puzzle. If each stage of reassembly is not carefully checked by the receiving host’s network stack, a specially crafted invalid fragment can cause the host to crash.

TCP NULL Flags:

The TCP header contains a set of “flags” that indicate information about the packet which is used by the receiving host to process it. At least one TCP flag must be set, but in a TCP NULL flags packet none are. This packet can cause some hosts to crash.

TCP FIN Flag:

The TCP FIN flag should never appear in a packet by itself. This packet can cause some hosts to crash.

TCP Xmas Flags:

The TCP Xmas flag configuration is an invalid combination of the FIN, URG and PUSH flags. This packet can cause some hosts to crash.
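The ADS rules listed above, written out as an added example (not the SpeedStream firmware's own code) that classifies a WAN-side packet against each rule; the LAN subnet, the simplified packet record and the fragment-size check are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Assumed LAN subnet behind the router; used for the "LAN source address on WAN"
# and "broadcast source" rules. A real deployment would take this from the config.
LAN_NET = ipaddress.ip_network("192.168.254.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# TCP flag bits as laid out in the TCP header flags byte.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IPPROTO_TCP = 6

@dataclass
class Packet:
    """Simplified view of the IP/TCP header fields the ADS rules look at."""
    src: str
    dst: str
    proto: int
    tcp_flags: int = 0     # only meaningful when proto == IPPROTO_TCP
    frag_offset: int = 0   # IP fragment offset, in 8-byte units
    total_length: int = 0  # IP total length of this fragment, in bytes

def classify(pkt: Packet, lan_net=LAN_NET) -> List[str]:
    """Return the names of the ADS rules a packet from the WAN matches (empty = clean)."""
    hits = []
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src == dst:                                   # Land attack
        hits.append("land")
    if src in (lan_net.broadcast_address, LIMITED_BROADCAST):   # Smurf/Fraggle
        hits.append("broadcast-source")
    if src in lan_net:                               # LAN address arriving from WAN
        hits.append("lan-source-on-wan")
    # Ping of Death: reassembled size would exceed the 65535-byte IP maximum.
    if pkt.frag_offset * 8 + pkt.total_length > 65535:
        hits.append("invalid-fragment")
    if pkt.proto == IPPROTO_TCP:
        flags = pkt.tcp_flags & 0x3F                 # ignore the ECN bits
        if flags == 0:
            hits.append("tcp-null")
        elif flags == TCP_FIN:
            hits.append("tcp-fin-only")
        elif flags & (TCP_FIN | TCP_URG | TCP_PSH) == (TCP_FIN | TCP_URG | TCP_PSH):
            hits.append("tcp-xmas")
    return hits

if __name__ == "__main__":
    # Constructed sample: a LAN-sourced SYN seen on the WAN side.
    print(classify(Packet("192.168.254.10", "203.0.113.9", IPPROTO_TCP, TCP_SYN)))
```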

34
