Chapter 8: Firewall LANCOM Reference Manual LCOS 3.50
163
Firewall
during the attack and, moreover, the owner of the falsified address cannot
receive normal data any more during the attack. If the falsified sender address
is the broadcast address of the second network, also all workstations are
blocked in this network, too.
In th is c ase the DoS rec ogn iti on o f th e LA NCO M bl ock s pa ssi ng p ack ets , wh ich
are addressed to the local broadcast address.
LAND
The land attack is a TCP packet that is sent with set SYN flag and falsified
sender address to the victim workstation. The bottom line is that the falsified
sender address is equal to the address of the victim. With an unfortunate
implementation of TCP, the victim interprets the sent SYN-ACK again as SYN,
and a new SYN-ACK is sent. This leads to a continuous loop, which lets the
workstation freeze.
In a more up to date variant, the loopback address “127.0.0.1” is taken as
sender address, but not the address of the attacked workstation. Sense of this
deception is to outwit personal firewalls, which react in fact to the classical
variant (sender address = destination address), but which pass through the
new form without hindrance. This variant is also recognized and blocked by a
LANCOM.
Ping of Death
The Ping of Death belongs to those attacks, which use errors when frag-
mented packets are reassembled. This functions as follows:
In the IP header there is a field "fragment offset" that indicates in which place
the received fragment is to be assembled into the resulting IP packet. This field
is 13 b its l ong a nd gi ves t he of fset in 8 byte steps, and can form an offset from
0 to 65528. With a MTU on the Ethernet of 1500 bytes, an IP packet can be
made up to 65528 + 1500 - 20 = 67008 bytes. This can lead to an overrun of
internal counters or to buffer overruns, and thus it can provoke the possibility
to the aggressor of implementing own code on the victim workstation.
In this case, the Firewall offers two possibilities:
Either, the Firewall reassembles the entire incoming packet and examines its
integrity, or solely the fragment which goes beyond the maximum packet size
is rejected. In the first case, the Firewall itself can become the victim when its
implementation was incorrect. In the second case "half" reassembled packets
accumulate at the victim, which are only rejected after a certain time, whereby