Manuals / ZyXEL Communications / Computer Equipment / Network Router

ZyXEL Communications 792H manual Types of DoS Attacks, Common IP Ports

Models: 792H

1 428

Download 428 pages 12.67 Kb

Page 124

Prestige 792H G.SHDSL Router

Table 8-1 Common IP Ports

21	FTP	53	DNS
23	Telnet	80	HTTP
25	SMTP	110	POP3

8.4.2 Types of DoS Attacks

There are four types of DoS attacks:

1.Those that exploit bugs in a TCP/IP implementation.

2.Those that exploit weaknesses in the TCP/IP specification.

3.Brute-force attacks that flood a network with useless data.

4.IP Spoofing.

1."Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.

1-a Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang or reboot.

1-b Teardrop attack exploits weaknesses in the re-assembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

2.Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND" attacks. These attacks are executed during the handshake that initiates a communication session between two applications.

8-4

Firewalls

Image 124

ZyXEL Communications 792H manual Types of DoS Attacks, Common IP Ports

Contents

Prestige 792H Page Disclaimer TrademarksPage Certifications Page Information for Canadian Users Page ZyXEL Limited Warranty Safety WarningsPage Customer Support Page Table of Contents LAN Setup WAN SetupDynamic DNS Setup Firewall Configuration Customized Services 11-1Content Filtering 12-1 Creating Custom Rules 10-114-1 15-1Maintenance 17-1 General Setup 19-1WAN Setup 20-4 Dial Backup 21-122-1 23-124-1 25-1Filter Configuration 28-1 Snmp Configuration 29-1System Maintenance 30-1 Firmware and Configuration File Maintenance 31-1System Maintenance and Information 32-1 IP Policy Routing 33-1Call Scheduling 34-1 Remote Management 35-1VPN/IPSec Setup 36-1 Troubleshooting 39-1SA Monitor 37-1 Internal Sptgen 38-1List of Figures Xviii List of Figures List of Figures Xix Diagnostic General 17-8 List of Figures Xxi Xxii List of Figures List of Figures Xxiii Xxiv List of Figures List of Figures Xxv Page List of Tables List of Tables Xxvii Xxviii List of Tables 28-15 Xxx List of Tables Page Related Documentation Syntax ConventionsXxxii Preface Introduction to DSL Introduction to G.SHDSLPart Page Features of the Prestige Symmetrical High Speed Internet AccessGetting to Know Your G.SHDSL Router ScalabilityIPSec VPN Capability FirewallTraffic Redirect Snmp Simple Network Management Protocol versions 1SUA for Single-IP Address Internet Access IP AliasIP Policy Routing 10/100MB Auto-negotiation Ethernet/Fast Ethernet InterfaceUpgrade Firmware via LAN Ease of InstallationUniversal Plug and Play UPnP Full Network ManagementApplication Scenarios for the Prestige Internet AccessLAN-to-LAN Application Web Configurator Overview Introducing the Web ConfiguratorAccessing the Prestige Web Configurator Navigating the Prestige Web Configurator Password ScreenConfiguring Password Resetting the Prestige Label DescriptionUsing The Reset Button Uploading a Configuration File Via Console PortPage Wizard Setup Wizard Setup IntroductionWAN Setup Service TypeStandard Mode EncapsulationTransfer Rates PPP over EthernetMultiplexing PPPoA4 RFC VC-based MultiplexingWizard Setup Configuration First Screen VPI and VCIServer see Service Type Rate and the same Transfer Min RateIP Address and Subnet Mask PPPoEVPI VCIIP Address Assignment IP Assignment with PPPoA or PPPoE EncapsulationIP Assignment with Enet Encap Encapsulation IP Assignment with RFC 1483 EncapsulationPrivate IP Addresses Nailed-Up Connection PPP Wizard Setup Configuration ISP Parameters10 NAT Internet Connection with PPPoA Internet 11.2 RFC Internet Connection with RFCInternet Connection with Enet Encap Enet EncapPPPoE Internet Connection with PPPoEDhcp Setup Wizard Setup Configuration LAN Configuration IP Pool SetupWizard Screen LAN COnfiguration Wizard LAN ConfigurationWizard Setup Configuration Connection Tests Test Your Internet Connection Wizard Screen Connection TestsPage LAN Setup LAN OverviewDNS Server Address LANs, WANs and the PrestigeDNS Server Address Assignment LAN TCP/IPFactory LAN Defaults RIP SetupIP Address and Subnet Mask MulticastConfiguring LAN LANTCP/IP LAN WAN Overview WAN SetupMetric PPPoE Encapsulation Traffic Shaping Configuring WAN Setup Example of Traffic ShapingWAN Setup ATM traffic. Enter the VCI assigned to you For remote node setup, enter the IP address in the same Subnet as the remote nodeTraffic Redirect Encap in the Encapsulation fieldConfiguring WAN Backup Traffic Redirect LAN SetupWAN Backup Cost WAN , Traffic Redirect , Dial Backup Outgoing Authentication Protocol38400 , 57600 , 115200 or 230400 bps Configuring Advanced WAN Backup Advanced WAN Backup 57600 , 115200 or 230400 bps Choose RIP-1,RIP-2B or RIP-2M Choose Both, In Only or Out OnlyAT Command Strings Connection settingsConfiguring Advanced Modem Setup DTR SignalResponse Strings Advanced Modem Setup Clid NmbrPart Page Network Address Translation NAT NAT OverviewNAT Definitions What NAT DoesHow NAT Works NAT ApplicationNAT Mapping Types NAT Application With IP AliasSUA Single User Account Versus NAT Mapping typesNAT Mapping Types Type IP Mapping SMT AbbreviationPort Forwarding Services and Port Numbers SUA ServerConfiguring Servers Behind SUA Example Services and Port NumbersServices Port Number EchoSelecting the NAT Mode Multiple Servers Behind NAT ExampleConfiguring SUA Server Edit SUA/NAT Server Set Configuring Address Mapping Address Mapping Rules Many-to-One and Server mapping typesEditing an Address Mapping Rule Address Mapping Rule EditAddress Mapping Rules screen Page Dynamic DNS Setup Configuring Dynamic DNSDynamic DNS Dyndns WildcardDdns Firewall and Content Filter Page Firewalls Firewall OverviewTypes of Firewalls Packet Filtering FirewallsIntroduction to ZyXEL’s Firewall Stateful Inspection FirewallsDenial of Service BasicsTypes of DoS Attacks Common IP PortsThree-Way Handshake Icmp Commands That Trigger Alerts Legal NetBIOS Commands Legal Smtp CommandsStateful Inspection Message Request Positive Negative Retarget KeepaliveStateful Inspection Process Stateful InspectionStateful Inspection and the Prestige TCP Security 4 UDP/ICMP SecurityUpper Layer Protocols Guidelines for Enhancing Security with Your FirewallSecurity In General Packet Filtering Vs Firewall Packet FilteringWhen To Use Filtering FirewallPrestige 792H G.SHDSL Router Remote Management and the Firewall Firewall ConfigurationEnabling the Firewall Configuring E-mail Alerts E-mailDaily Weekly Hourly When Log is Full None Attack AlertThreshold Values AlertsHalf-Open Sessions TCP Maximum Incomplete and Blocking Time Alert Following table describes the labels in this screen256 Page Rule Checklist Study these points carefully before configuring rulesCreating Custom Rules Rules OverviewSecurity Ramifications Key Fields For Configuring RulesBlock means the firewall silently discards the packet Connection Direction LAN to WAN RulesLogs WAN to LAN RulesFirewall Logs Label Description ExampleRule Summary Block, Forward or NoneFirewall Rules Summary First Screen Predefined Services Predefined Services Service DescriptionRLOGINTCP513 NEWSTCP144NNTPTCP119 PINGICMP0Creating/Editing Firewall Rules Creating/Editing a Firewall Rule Source and Destination Addresses Timeout Range Address , Subnet Address and Any AddressFactors Influencing Choices for Timeout Values Timeout10-16 Creating Custom Rules Customized Services Introduction to Customized ServicesCreating/Editing a Customized Service Creating/Editing a Customized ServiceExample Custom Service Firewall Rule Click Rule Summary under Internet to Local Network SetConfigure Source IP Example Syslog Rule Configuration Example Rule Summary Example Content Filtering Overview Content FilteringConfiguring Keyword Blocking Content Filter Keyword Configuring the Schedule Content Filter ScheduleConfiguring Trusted Computers Content Filter TrustedConfiguring Logs Content Filter LogsBLOCKJAVAAPPLET, BLOCKCOOKIE, Blockproxy BLOCKUNTRUSTDOMAIN, BLOCKKEYWORD, BlockactivexBlockcybernot VPN/IPSec Page Introduction to IPSec VPN OverviewIPSec Security AssociationVPN Applications Data Origin AuthenticationData Integrity IPSec Architecture VPN ApplicationIPSec Algorithms Key ManagementTunnel Mode Transport ModeIPSec and NAT VPN and NAT Security Protocol Mode NATESP AH Authentication Header Protocol VPN Screens14.1 VPN/IPSec Overview IPSec AlgorithmsMy IP Address Secure Gateway AddressDynamic Secure Gateway Address AH and ESPVPN Summary Screen IPSec Summary FieldsVPN Summary ID Type and Content Keep AliveID Type and Content Examples Local ID Type and Content FieldsPeer ID Type and Content Fields Local ID TYPE= CONTENT=Matching ID Type and Content Configuration Example Mismatching ID Type and Content Configuration ExamplePre-Shared Key Editing VPN PoliciesVPN IKE VPN Screens 14-9 14-10 VPN Screens VPN Screens 14-11 Authentication Algorithm fields described next IKEIKE Phases Two Phases to Set Up the IPSec SANegotiation Mode Diffie-Hellman DH Key Groups14.11Configuring Advanced IKE Settings Perfect Forward Secrecy PFSVPN IKE Advanced Label Description VPN IKEVPN Screens 14-17 14-18 VPN Screens 14.12Manual Key Setup Security Parameter Index SPI14.13Configuring Manual Key VPN Manual KeySPI 14-22 VPN Screens VPN Screens 14-23 14.14Viewing SA Monitor SA Monitor 10 SA Monitor14.15Configuring Global Setting 11 Global Setting14.16Configuring IPSec Logs 12 VPN Logs13 Sample IKE Key Exchange Logs LOG Message Description14 Sample IPSec Logs During Packet Transmission Request conflict with rule #d15 RFC-2408 Isakmp Payload Types LOG Display Payload TypeTelecommuters Sharing One VPN Rule Example 14.17Telecommuter VPN/IPSec ExamplesHeadquarters Telecommuters Telecommuters Using Unique VPN Rules Example All Headquarters Rules All Telecommuter Rules14.18VPN and Remote Management Remote Management and UPnP Remote Management Configuration Remote Management OverviewRemote Management Limitations Remote Management and NATSystem Timeout Telnet15.3 FTP 15.4 WebConfiguring Remote Management Remote ManagementHow do I know if Im using UPnP? Universal Plug-and-Play UPnPUniversal Plug and Play Overview NAT TransversalConfiguring UPnP Accessing the Prestige Web Configurator to Configure UPnPUPnP and ZyXEL Installing UPnP in Windows Example Field DescriptionInstalling UPnP in Windows Me Double-clickNetwork Connections Installing UPnP in Windows XPOptional Networking Component Using UPnP in Windows XP Example Auto-discover Your UPnP-enabled Network DeviceInternet Connection Properties Click start and then Control Panel Web Configurator Easy Access ExampleConnections Select My Network Places under Other Places UPnP 16-9 Maintenance Page Maintenance Overview MaintenanceSystem Status Screen System Status VPI/VCI System Statistics System Status Show StatisticsMaintenance 17-5 Dhcp Table Screen Dhcp TableDiagnostic General Screen Diagnostic ScreensMAC Diagnostic General Diagnostic DSL Line Screen Prestige 792H G.SHDSL RouterFirmware Upgrade Firmware ScreenNetwork Temporarily Disconnected SMT General Configuration Procedure for SMT Configuration via Console Port Procedure for SMT Configuration via TelnetEntering Password Introducing the SMTLogin Screen Prestige SMT Menu OverviewPrestige Menu Overview Main Menu Commands Navigating the SMT InterfaceOperation Keystroke Description ? or ChangeMeMain Menu Summary System Management Terminal Interface SummaryMenu Title Description Changing the System Password Menu 23 System PasswordGeneral Setup General SetupConfiguring Menu Field Description Example Configure Menu 1.1 Configure Dynamic DNS discussed nextYes Configuring Dynamic DNS UserPage WAN Setup Screen From the main menu, enter 2 to open menu20-5 Dial Backup Overview Dial BackupConfiguring Dial Backup in Menu Advanced WAN Setup Enter to go to Menu 2.1 Advanced Setup115200 9600, 19200, 38400, 57600, 115200 or 230400 bpsField Description Default Nmbr =Advanced WAN Port Setup Call Control Parameters Remote Node Profile Backup ISPConnect Remote Node Profile Backup ISP CHAP/PAPPress Enter to go to Menu 11.3 Remote Node Network Editing TCP/IP Options Editing PPP OptionsOtherwise select Standard PPP Enter to open Menu 11.3 Network Layer Options NATEditing Filter Sets BothBoth/ None /In Only /Out Only and None RIP-1Menu 11.5 Remote Node Filter Ethernet Ethernet Setup LAN Port Filter SetupIP Alias Setup TCP/IP and Dhcp SetupBoth , In Only or Out Only Route IP SetupRIP-2B or RIP-2M 22.1.4 TCP/IP Ethernet Setup and Dhcp General SetupRIP-1 Both Both, In Only, Out Only or NoneRIP-1,RIP-2B or RIP-2M 22-6 Internet Access Overview Internet AccessInternet Access Setup Enet Encap Or Enet EncapLLC-based UBRDynamic SUA OnlyAdvanced Applications Remote Node Setup Remote Node ConfigurationRemote Node Overview Remote Node Setup Encapsulation and Multiplexing ScenariosThen the Rem Login, Rem Password, My Login, My Based or LLC-basedChap To display Menu 11.3 Remote Node Network Layer OptionsTo display Menu 11.6 Remote Node ATM Layer Options Allocated Budget is 10 minutes and the Period hrRemote Node Network Layer Options RemoteStatic My WAN Addr Sample IP Addresses Options are Both, In Only, Out Only or NoneRemote Node Filter Sample IP Addresses for a TCP/IP LAN-to-LAN ConnectionVC-based Multiplexing non-PPP Encapsulation Editing ATM Layer OptionsPress Enter to open Menu 11.6 Remote Node ATM Layer Options LLC-based Multiplexing or PPP Encapsulation Menu 11.6 for LLC-based Multiplexing or PPP EncapsulationStatic Route Setup Static Route OverviewStatic Route Setup Edit IP Static Route Page Bridging Setup Bridge Ethernet SetupRemote Node Bridging Setup Bridging OverviewBridge Static Route Setup Remote Node Bridging OptionsBridge Static Route Setup 26-4 Bridging Setup Applying NAT Applying NAT for Internet Access NAT Setup Full FeatureAddress Mapping Sets Enter 1 to bring up Menu 15.1 Address Mapping SetsAddress Mapping Sets Address Mapping Rules SUAUser-Defined Address Mapping Sets Field Desription Example NatsetEdit Global Start/End IPsSelect Rule item For Server One-to-OneTo-One,Many-to-One and Server types NAT Server Sets NAT Server Setup Example 1 Internet Access Only General NAT Examples11 NAT Example Example 2 Internet Access with an Inside Server 13 NAT ExampleExample 3 Multiple Public IP Addresses With Inside Servers 14 NAT Example 2 Menu15 NAT Example 17 Example 3 Menu Enter 2 in Menu 15 NAT Setup Example 4 NAT Unfriendly Application Programs 19 Example 3- Menu21 Example 4 Menu 22 Example 4 Menu Advanced Management Page Filter Configuration About FilteringOutgoing Packet Filtering Process Execute Filter Rule Filter Rule ProcessFilter Set Configuration Filter Structure of the PrestigeNetBios WAN Filter Rules Summary TelnetWAN Filter Rules Summary Ftpwan Filter Rules Summary Filter Rules Summary Menus Abbreviations Used in the Filter Rules Summary MenuFilter Rule Configuration Rule Abbreviations UsedFilter Type Description GENTCP/IP Filter Rule 28.3.1 TCP/IP Filter RuleChoices are TCP/IP Filter Rule or Generic Filter Rule Choices are None , Less , Greater , Equal or Not Equal TCP/IP Filter RuleIf More is Yes , then Action Matched and Action Not Check Next Rule, Forward or Drop Check Next RuleChoices are Check Next Rule, Forward or Drop 12 Executing an IP Filter Generic Filter Rule 13 Generic Filter RuleGeneric Filter Rule Menu Fields Filter Types and NAT Example Filter15 Sample Telnet Filter 16 Sample Filter Rules Summary Menu 17 Sample Filter Rules Summary Menu Applying Filters and Factory Defaults Ethernet TrafficFilter Sets Table Filter Sets DescriptionRemote Node Filters 19 Filtering Ethernet TrafficPage Snmp is only available if TCP/IP is configured Snmp ConfigurationSnmp Overview Snmp Configuration Supported MIBsSnmp Traps Snmp TrapsSnmp Trap # Trap Name Description29-4 Snmp Configuration System Maintenance Overview System MaintenanceSystem Status System Maintenance Status System Information System InformationWAN Menu 1 General Setup LANLog and Trace Viewing Error LogConsole Port Speed Sample Error and Information Messages SyslogParameter Description System Maintenance Menu Syslog ParametersCDR Diagnostic System Maintenance DiagnosticSystem Maintenance Menu Diagnostic Page Firmware and Configuration File Maintenance Filename ConventionsFilename Conventions Backup ConfigurationFile Type Internal External Name Description Using the FTP Command from the Command Line Backup ConfigurationExample of FTP Commands from the Command Line General Commands for GUI-based FTP Clients Command DescriptionGUI-based FTP Clients Tftp and FTP over WAN Will Not Work WhenTftp Command Example Backup Configuration Using TftpGUI-based Tftp Clients Backup Via Console Port General Commands for GUI-based Tftp ClientsRestore Configuration Backup Configuration ExampleRestore Using FTP System Maintenance Restore ConfigurationRestore Using FTP Session Example Restore Via Console PortUploading Firmware and Configuration Files Firmware File UploadConfiguration File Upload 13 System Maintenance Upload System FirmwareFTP Session Example of Firmware File Upload FTP File Upload Command from the DOS Prompt ExampleTftp File Upload Tftp Upload Command Example Uploading Via Console PortExample Xmodem Firmware Upload Using HyperTerminal Uploading Firmware File Via Console PortUploading Configuration File Via Console Port Example Xmodem Configuration Upload Using HyperTerminal19 Example Xmodem Upload System Maintenance and Information Command Interpreter ModeCall Control Support Budget ManagementBudget Management Time and Date Setting System Maintenance Time and Date SettingTime and Date Setting Fields Resetting the TimeNTP RFC-1305 is similar to Time RFC-868 Page IP Policy Routing IP Policy Routing OverviewIP Policy Routing Benefits Routing PolicyIP Routing Policy Setup IP Routing Policy SetupService Abbreviation MeaningCriterion ActionDelay, Max Thruput, Min Cost or Max Reliable G tApplying an IP Policy Ethernet IP PoliciesLess, Greater, Less or Equal or Greater or Equal Matched33-6 IP Policy Routing IP Policy Routing Example Example of IP Policy RoutingIP Routing Policy Example Applying IP Policies Page Call Scheduling Schedule SetupCall Scheduling Overview Schedule Set Setup Once Forced OnApplying Schedule Sets to a Remote Node PPPoE Remote Management and FTP Services Remote Management and Telnet ServicesRemote Management Remote Management Setup Remote Management and Web ServicesDisabling Remote Management Remote Management ControlSystem Timeout Remote Management and NATSMT VPN/IPSec and Internal Sptgen VPN/IPSec Setup 36.1 VPN/IPSec OverviewMenu 27 VPN/IPSec Setup IPSec Summary ScreenTunnel ESP DES MD536-4 VPN/IPSec Setup IPSec Setup Menu 27.1.1 IPSec Setup IPSec SummaryGateway Address field below Address field set to SingleSubnet Manual Setup IKE Setup 3Menu 27.1.1.1 IKE SetupField Description ExampleDH1 DESMD5 Manual Setup Mode Security ProtocolActive Protocol Active Protocol Encapsulation and Security ProtocolMenu 27.1.1.2 Manual Setup ESP TunnelVPN/IPSec Setup 36-15 Page SA Monitor Using SA MonitorSA Monitor Overview ESP DES TaiwanRefresh Viewing IPSec Log Diagram 37-1 Example VPN Responder IPSec LogVPN Responder IPSec Log Page Internal Sptgen Configuration Text File FormatInternal Sptgen Overview 38-2 Internal Sptgen Invalid Parameter Entered Command Line Example Internal Sptgen FTP Download ExampleInternal Sptgen FTP Upload Example Internal Sptgen FTP Upload ExampleAppendices and Index Page Troubleshooting Problems Starting Up the PrestigeProblems with the LAN Interface Troubleshooting the Start-Up of Your PrestigeProblems with the WAN Interface Problems with Internet AccessTroubleshooting the WAN Interface Troubleshooting Internet AccessProblems with the Password Problems with TelnetTroubleshooting the Password Troubleshooting TelnetPage Appendix a PPPoE PPPoE in ActionBenefits of PPPoE Traditional Dial-up ScenarioDiagram 2 Prestige as a PPPoE Client Prestige as a PPPoE ClientDiagram 3 Virtual Circuit Topology Appendix B Virtual Circuit TopologyPower Adapter Specifications Appendix CNorth American Plug Standards United Kingdom Plug StandardsAA-121ABN European Plug StandardsChina Standards Power Consumption Safety Standards Ccee GB8898 Index 28-4 17-1010-7 Local Network30-6 24-2 24-1,24-2RIP 30-5TCP/IP Traceroute