McAfee Firewall
Common attacks recognized by IDS
The following table lists attacks recognized by McAfee Firewall’s IDS, a description of each attack, and the risk factor assigned to each attack.
Attack | Description | Risk Factor
------ | ----------- | -----------
1234 | Also known as the Flushot attack. An attacker sends an oversize ping packet that the networking software cannot handle. Usually the computer hangs or slows down; if a total lockup occurs, unsaved data may be lost. | Medium
Back Orifice | Back Orifice is a back door program for Windows 9x written by a group calling themselves the Cult of the Dead Cow. Once installed, this back door allows remote access to the machine, letting the installer run commands, take screen shots, modify the registry, and perform other operations. Client programs to access Back Orifice are available for Windows and UNIX. | High
Bonk | Designed to exploit an implementation error in the first Teardrop patch released by Microsoft, this attack is basically a modified version of the original Teardrop attack. | High
Fraggle | This attack is a UDP variant of the Smurf attack. By sending a forged UDP packet to a particular port on a broadcast address, the attacker causes systems on the "amplifier" network to respond to the target machine with either a UDP response or an ICMP UNREACHABLE packet. This flood of incoming packets results in a denial of service against the target machine. | High
IP Spoofing | IP spoofing involves sending data with a falsified source IP address. There is nothing inherently dangerous about spoofing a source IP address, but the technique can be used in conjunction with others to carry out attacks such as TCP session hijacking, or to obscure the source of denial of service attacks (SYN flood, PING flood, etc.). | Medium
Jolt | A remote denial of service attack using specially crafted ICMP packet fragments. May cause slowdowns or crashes on target systems. | High
Jolt 2 | A remote Denial of Service (DoS) attack similar to Jolt that uses specially crafted ICMP or UDP packet fragments. May cause slowdowns or crashes on target systems. | High
Land | This attack is performed by sending a TCP packet to a running service on the target host with a source address equal to the target host's own address. The TCP packet is a SYN packet, used to establish a new connection, and is sent from the same TCP source port as the destination port. When accepted by the target host, this packet causes a loop within the operating system, essentially locking up the system. | High
Nestea | This attack relies on an error in calculating sizes during packet fragment reassembly. The reassembly routine of vulnerable systems failed to account for the length of the IP header field. By sending carefully crafted packets to a vulnerable system, it is possible to crash the target. | High
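As an added illustration, and not McAfee's code or the actual signatures the product uses, the Python below shows the kind of packet-level checks an IDS can apply for four of the entries in the table: Land (a TCP SYN whose source and destination address and port are identical), Fraggle (UDP to the echo or chargen port on a broadcast address), the 1234/Flushot oversize ping (a fragment whose offset plus length would reassemble beyond the 65535-byte IPv4 maximum), and Teardrop-style overlapping fragments, the trigger shared by Teardrop, Bonk and related tools. All packets are constructed inline rather than captured, and the broadcast test (a last octet of 255, or 255.255.255.255) is a deliberately simple heuristic; a real engine would consult the interface's subnet mask.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: simplified IDS signature checks for four attack families in
# the table. Packets are constructed here (not real captures); the broadcast
# address test is an assumption made for illustration.

IP_ICMP, IP_TCP, IP_UDP = 1, 6, 17
IPV4_MAX_LEN = 65535


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    ident: int
    more_frags: bool
    frag_off: int     # byte offset of this fragment inside the datagram
    ihl: int          # IP header length in bytes
    total_len: int
    payload: bytes    # everything after the IP header


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 1,
               more_frags: bool = False, frag_off: int = 0) -> bytes:
    """Serialise a minimal IPv4 header (no options, zero checksum) plus payload."""
    frag_field = (0x2000 if more_frags else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag_field,
                      64, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def parse_ipv4(raw: bytes) -> Packet:
    """Decode the fixed 20-byte IPv4 header (RFC 791); options are skipped."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, ident, frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return Packet(".".join(map(str, src)), ".".join(map(str, dst)), proto, ident,
                  bool(frag & 0x2000), (frag & 0x1FFF) * 8, ihl, total_len, raw[ihl:total_len])


def check_land(p: Packet) -> Optional[str]:
    """Land: SYN-only TCP segment with src == dst address and sport == dport."""
    if p.proto != IP_TCP or p.frag_off != 0 or len(p.payload) < 14:
        return None
    sport, dport = struct.unpack("!HH", p.payload[:4])
    syn_only = (p.payload[13] & 0x3F) == 0x02          # TCP flags byte
    return "Land" if syn_only and p.src == p.dst and sport == dport else None


def check_fraggle(p: Packet) -> Optional[str]:
    """Fraggle: UDP to echo (7) or chargen (19) on a broadcast address; every
    amplifier host replies to whatever address sits in the spoofed source."""
    if p.proto != IP_UDP or p.frag_off != 0 or len(p.payload) < 8:
        return None
    dport = struct.unpack("!HH", p.payload[:4])[1]
    is_bcast = p.dst.endswith(".255") or p.dst == "255.255.255.255"   # heuristic
    return "Fraggle" if dport in (7, 19) and is_bcast else None


def check_oversize_ping(p: Packet) -> Optional[str]:
    """1234/Flushot (oversize ping): an ICMP fragment that would reassemble
    past the 65535-byte limit. Only the last fragment reveals this."""
    if p.proto != IP_ICMP:
        return None
    end = p.frag_off + (p.total_len - p.ihl)
    return "Oversize ping" if end > IPV4_MAX_LEN else None


class FragmentTracker:
    """Flags a fragment whose byte range overlaps one already seen for the
    same (src, dst, id, proto) datagram: the Teardrop/Bonk trigger."""

    def __init__(self) -> None:
        self._seen: Dict[Tuple[str, str, int, int], List[Tuple[int, int]]] = {}

    def check(self, p: Packet) -> Optional[str]:
        if not p.more_frags and p.frag_off == 0:
            return None                                  # unfragmented datagram
        key = (p.src, p.dst, p.ident, p.proto)
        start, end = p.frag_off, p.frag_off + (p.total_len - p.ihl)
        ranges = self._seen.setdefault(key, [])
        if any(start < e and s < end for s, e in ranges):
            return "Overlapping fragment (Teardrop-style)"
        ranges.append((start, end))
        return None


def scan(raw_packets: List[bytes]) -> List[str]:
    """Run every signature over a packet list and return the alerts in order."""
    tracker = FragmentTracker()
    checks = (check_land, check_fraggle, check_oversize_ping, tracker.check)
    return [name for raw in raw_packets for chk in checks if (name := chk(parse_ipv4(raw)))]


def sample_traffic() -> List[bytes]:
    """Constructed packets: four attacks and one benign SYN (not real captures)."""
    syn = lambda sport, dport: struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    land = build_ipv4("10.0.0.5", "10.0.0.5", IP_TCP, syn(80, 80))
    fraggle = build_ipv4("192.0.2.9", "10.0.0.255", IP_UDP, struct.pack("!HHHH", 53, 7, 12, 0) + b"ping")
    big_ping_tail = build_ipv4("192.0.2.9", "10.0.0.5", IP_ICMP, b"\x08\x00" + b"\x00" * 98,
                               ident=7, frag_off=65528)
    frag1 = build_ipv4("192.0.2.9", "10.0.0.5", IP_UDP, b"A" * 32, ident=9, more_frags=True)
    frag2 = build_ipv4("192.0.2.9", "10.0.0.5", IP_UDP, b"B" * 32, ident=9, frag_off=16)  # overlaps frag1
    benign = build_ipv4("10.0.0.5", "10.0.0.6", IP_TCP, syn(40000, 80))
    return [land, fraggle, big_ping_tail, frag1, frag2, benign]


if __name__ == "__main__":
    for alert in scan(sample_traffic()):
        print("ALERT:", alert)
```

The fragment tracker is the only stateful check: Teardrop-style attacks cannot be recognised from a single packet, so the engine has to remember each datagram's fragment ranges until the datagram completes or times out, which is also why these signatures carry a memory cost a stateless filter does not.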
86 McAfee Internet Security 5.0