Features

Smurf Attack

A “smurf” attack involves an attacker sending ICMP echo requests with a falsified (spoofed) source address, the victim’s, to a directed broadcast address, causing every host on the target subnet to reply to the victim. By sending a continuous stream of such requests, the attacker obtains a much larger stream of replies (one per responding host), inundating the host whose address is being falsified.

The XSR protects against smurf attacks by turning off directed broadcast and turning on check-spoofing. Refer to “Configuring IP” on page 5-1 and the XSR CLI Reference Guide for more information on IP directed broadcast.

Fraggle Attack

A “fraggle” attack is the UDP counterpart of a smurf attack: the attacker sends UDP echo (port 7) requests from a spoofed source address to a directed broadcast address, so every host running the echo service replies to the victim. It differs from a smurf attack only in using UDP instead of ICMP packets.

The XSR protects against a fraggle attack by turning off directed broadcast and turning on check-spoofing. Refer to “Configuring IP” on page 5-1.

IP Packet with Multicast/Broadcast Source Address

This type of attack uses an illegal IP packet: its source address is a multicast or broadcast address, which can never be a valid originator of a packet. XSR interfaces are programmed to discard such packets unconditionally, so no user configuration is necessary.

Spoofed Address Check

This feature detects spoofed IP source addresses by checking the source address of each packet against the routing table, ensuring that the return path to that source is through the interface on which the packet was received (a reverse-path check). Packets whose source fails this check are treated as spoofed and discarded.

SYN Flood Attack Mitigation

A SYN flood is a form of Denial of Service (DoS) attack in which an attacker floods a server with a barrage of TCP connection requests (SYN segments) carrying unreachable return addresses. Because the return addresses are unreachable, the three-way handshakes can never complete, and the resulting volume of half-open connections eventually exhausts the server’s connection table, denying service to valid requests. The XSR defends connections to itself against SYN floods; transit packets are not checked.

This feature is always enabled. The maximum number of TCP sessions allowed is set at run time from the number of TCP applications running and the maximum number of sessions each of them could have; any connection attempt above this total is denied.
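The following is an added example, not Enterasys code, that models the session cap described above: the limit is computed at run time as the sum of each TCP application’s maximum session count, and any SYN arriving once that total (or the application’s own share of it) is in use is denied. The listener ports, per-application maxima and the half-open timeout of 30 seconds are assumptions of the example; the XSR User’s Guide does not state how, or whether, the router ages out half-open entries, but without some expiry a flood of never-completed SYNs would hold the table full indefinitely, which the simulation at the end illustrates.

```python
import collections

SYN_TIMEOUT = 30.0  # seconds a half-open entry may wait for its ACK (assumed value)


class SynFloodGuard:
    """Router-wide TCP session cap with a per-application share (added example)."""

    def __init__(self, applications):
        # applications: {listening port: max concurrent sessions for that application}
        self.applications = dict(applications)
        # Computed at run time from the applications present, as the page describes.
        self.max_sessions = sum(self.applications.values())
        self.half_open = {}      # (src, sport, dport) -> time the SYN was received
        self.established = set()

    def _expire(self, now):
        """Reap half-open entries whose peer never completed the handshake."""
        for key, syn_time in list(self.half_open.items()):
            if now - syn_time > SYN_TIMEOUT:
                del self.half_open[key]

    def _in_use(self, dport):
        return sum(1 for k in self.half_open if k[2] == dport) + \
            sum(1 for k in self.established if k[2] == dport)

    def on_syn(self, now, src, sport, dport):
        """Decide what to do with an incoming SYN; returns a verdict string."""
        self._expire(now)
        if dport not in self.applications:
            return "reset: no listener"
        key = (src, sport, dport)
        if key in self.half_open or key in self.established:
            return "ignore: retransmit"
        if len(self.half_open) + len(self.established) >= self.max_sessions:
            return "deny: session limit"          # router-wide cap reached
        if self._in_use(dport) >= self.applications[dport]:
            return "deny: application limit"      # this application's share is used up
        self.half_open[key] = now
        return "syn-ack"

    def on_ack(self, now, src, sport, dport):
        """Third handshake segment: promote the entry to established."""
        key = (src, sport, dport)
        if key not in self.half_open:
            return "reset: no pending SYN"
        del self.half_open[key]
        self.established.add(key)
        return "established"

    def on_close(self, src, sport, dport):
        self.established.discard((src, sport, dport))


def simulate():
    """Constructed flood: 20 SYNs from spoofed, unreachable sources that never ACK."""
    guard = SynFloodGuard({23: 4, 80: 8})     # telnet and HTTP listeners, cap = 12
    verdicts = collections.Counter()
    for i in range(20):
        src = "198.51.100.%d" % (i + 1)       # documentation range, constructed
        verdicts[guard.on_syn(0.0, src, 40000 + i, 80 if i % 2 else 23)] += 1
    legit_during = guard.on_syn(1.0, "192.0.2.10", 51000, 80)
    legit_after = guard.on_syn(SYN_TIMEOUT + 1.0, "192.0.2.10", 51000, 80)
    handshake = guard.on_ack(SYN_TIMEOUT + 1.2, "192.0.2.10", 51000, 80)
    return {
        "flood": dict(verdicts),
        "legit_during_flood": legit_during,
        "legit_after_timeout": legit_after,
        "handshake": handshake,
        "max_sessions": guard.max_sessions,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print("%-20s %s" % (name, value))
```

During the flood the legitimate client is denied along with the attacker, which is the cost of a fixed cap; the cap protects the router’s memory and the applications behind it, not the availability of any single connection attempt.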

Fragmented and Large ICMP Packets

The XSR offers these features to filter ICMP traffic based on IP data length, IP fragment offset, and IP fragmentation bits. They apply only to packets destined for the XSR; transit packets are not checked.

Fragmented ICMP Traffic

This protection is triggered for ICMP packets with the “more fragments” flag set to 1 or with a non-zero value in the fragment offset field. Such packets are dropped by the XSR when the protection is enabled with the HostDoS command.
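The following is an added example, not Enterasys code, that models in one place the packet-level checks described in this chapter: the unconditional drop of multicast/broadcast source addresses, the spoofed-address (reverse-path) check, the directed-broadcast drop that defeats smurf and fraggle, and the fragmented-ICMP drop for packets addressed to the router itself. The interface addresses, routing table and sample packets are constructed (RFC 5737 documentation ranges), and the order in which the checks run is this example’s choice, not documented XSR behaviour.

```python
import ipaddress
import struct

IP_PROTO_ICMP = 1
IP_PROTO_UDP = 17
MF_FLAG = 0x2000      # "more fragments" bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset

# Constructed topology: a WAN and a LAN interface on the router (hypothetical addresses).
INTERFACES = {
    "wan": ipaddress.IPv4Interface("203.0.113.1/24"),
    "lan": ipaddress.IPv4Interface("192.0.2.1/24"),
}
# Routing table as (prefix, egress interface): connected networks plus a default route.
ROUTES = [(i.network, name) for name, i in INTERFACES.items()] + [
    (ipaddress.IPv4Network("0.0.0.0/0"), "wan"),
]


def build_ipv4(src, dst, proto, more_fragments=False, frag_offset=0, payload=b""):
    """Build a minimal IPv4 packet (checksum left zero; this model never verifies it)."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset & OFFSET_MASK)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                         64, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(raw):
    """Extract the header fields the checks need from a raw IPv4 packet."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "proto": proto, "more_fragments": bool(flags_frag & MF_FLAG),
            "frag_offset": flags_frag & OFFSET_MASK}


def reverse_path(addr, routes=ROUTES):
    """Longest-prefix match: the interface the router would use to reach addr."""
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify(raw, ingress, directed_broadcast=False, check_spoof=True, frag_icmp=True,
             interfaces=INTERFACES, routes=ROUTES):
    """Apply the checks to a packet received on `ingress`; returns "accept" or "drop: ..."."""
    pkt = parse_ipv4(raw)
    src, dst = pkt["src"], pkt["dst"]
    broadcasts = {i.network.broadcast_address for i in interfaces.values()}
    router_addrs = {i.ip for i in interfaces.values()}

    # A multicast or broadcast address can never be a legitimate source: always drop.
    if src.is_multicast or src == ipaddress.IPv4Address("255.255.255.255") or src in broadcasts:
        return "drop: multicast/broadcast source address"

    # Spoofed-address check: the return path to the source must be the ingress interface.
    if check_spoof and reverse_path(src, routes) != ingress:
        return "drop: spoofed source (return path is not via %s)" % ingress

    # Directed broadcast: destination is the broadcast address of a connected subnet other
    # than the one the packet arrived on. Smurf/fraggle amplification needs this relayed.
    if not directed_broadcast and dst in broadcasts \
            and dst != interfaces[ingress].network.broadcast_address:
        return "drop: directed broadcast"

    # Fragmented ICMP aimed at the router itself: MF set or a non-zero offset.
    # Transit packets are not checked, as the page states.
    if frag_icmp and dst in router_addrs and pkt["proto"] == IP_PROTO_ICMP \
            and (pkt["more_fragments"] or pkt["frag_offset"]):
        return "drop: fragmented ICMP to router"
    return "accept"


def demo():
    """Constructed packets arriving on the WAN interface; returns {case: verdict}."""
    smurf = build_ipv4("192.0.2.50", "192.0.2.255", IP_PROTO_ICMP)  # LAN victim -> LAN bcast
    mcast_src = build_ipv4("224.0.0.1", "192.0.2.10", IP_PROTO_UDP)
    frag_to_router = build_ipv4("198.51.100.7", "203.0.113.1", IP_PROTO_ICMP, more_fragments=True)
    frag_transit = build_ipv4("198.51.100.7", "192.0.2.10", IP_PROTO_ICMP, frag_offset=185)
    normal = build_ipv4("198.51.100.7", "192.0.2.10", IP_PROTO_UDP, payload=b"hello")
    return {
        "smurf, check-spoofing on": classify(smurf, "wan"),
        "smurf, check-spoofing off": classify(smurf, "wan", check_spoof=False),
        "smurf, both protections off": classify(smurf, "wan", check_spoof=False,
                                                directed_broadcast=True),
        "multicast source": classify(mcast_src, "wan"),
        "fragmented ICMP to router": classify(frag_to_router, "wan"),
        "fragmented ICMP in transit": classify(frag_transit, "wan"),
        "normal transit": classify(normal, "wan"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-30s %s" % (case, verdict))
```

The three smurf cases show why the page recommends both settings: with check-spoofing on, the forged victim address is caught at the door; with it off, disabling directed broadcast still stops the amplification; with both off, the packet is accepted and every LAN host answers the victim.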

XSR User’s Guide 16-3

Source: Enterasys Networks X-Pedition™ (XSR) User’s Guide