P312 Broadband Security Gateway

Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes, when a packet-filter firewall is configured incorrectly, an attacker can traceroute through the firewall and learn the topology of the network behind it.

Teardrop

Teardrop attacks exploit weaknesses in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non-fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

SYN Flood

A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set to a relatively long interval) terminates the three-way handshake. Once the queue is full, the system ignores all incoming SYN requests, making the system unavailable to legitimate users.

Attack types and some background are described in more detail in Chapter 13.

#   time       Packet Information                        reason             action
124 Jan 1 70   From:192.168.1.2    To:10.100.6.45        not match          none
    00:01:30   TCP  src port:01060 dest port:00119       <2,01> protocol
125 Jan 1 70   From:192.168.1.2    To:10.100.6.66        match              block
    22:10:10   UDP  src port:01053 dest port:00053       <1,02>
126 Jan 1 70   From:192.168.1.2    To:10.100.6.66        not match          none
    23:10:30   UDP  src port:01054 dest port:00053       <1,02> dest port
127 Jan 1 70   From:192.168.1.2    To:10.100.6.45        attack             block
    23:20:30   ICMP type:00008 code:00000                land

Clear Firewall Log (y/n):

Figure 14-4 View Firewall Log
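As an added example (not code from the ZyXEL manual), the following Python parser reads the two-line log layout shown in Figure 14-4 into structured records, so that blocked entries and rule references can be reviewed programmatically. The sample entries are constructed in that layout, and the pipe separator between screen columns is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the two-line layout of the P312 "View Firewall Log" screen.
# Line 1: index | date | From/To | verdict | action
# Line 2: (blank) | time | protocol and ports | rule reference or attack name | (blank)
# The "|" column separator is an assumption of this example, not the device's output.
SAMPLE_LOG = """\
124|Jan 1 70|From:192.168.1.2 To:10.100.6.45|not match|none
   |00:01:30|TCP src port:01060 dest port:00119|<2,01>protocol|
125|Jan 1 70|From:192.168.1.2 To:10.100.6.66|match|block
   |22:10:10|UDP src port:01053 dest port:00053|<1,02>|
127|Jan 1 70|From:192.168.1.2 To:10.100.6.45|attack|block
   |23:20:30|ICMP type:00008 code:00000|land|
"""

@dataclass
class LogEntry:
    index: int
    timestamp: str                    # "Jan 1 70 00:01:30"
    src: str
    dst: str
    proto: str                        # TCP / UDP / ICMP
    detail: str                       # ports, or ICMP type/code
    reason: str                       # "not match <2,01> protocol", "match <1,02>", "attack land"
    action: str                       # none / block
    rule: Optional[Tuple[int, int]]   # (rule set, rule number) when a rule is referenced
    attack: Optional[str]             # attack name when the verdict is "attack"

def parse_log(text: str) -> List[LogEntry]:
    """Group the screen lines in pairs and split each pair into one LogEntry."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = []
    for first, second in zip(lines[0::2], lines[1::2]):
        a = [c.strip() for c in first.split("|")]
        b = [c.strip() for c in second.split("|")]
        m = re.match(r"From:(\S+)\s+To:(\S+)", a[2])
        proto, _, detail = b[2].partition(" ")
        # Verdict on line 1 plus rule reference / attack name on line 2 form the reason;
        # insert a space after "<set,rule>" when the screen runs it into the next word.
        reason = re.sub(r"(<\d+,\d+>)(?=\S)", r"\1 ", " ".join(p for p in (a[3], b[3]) if p))
        ref = re.search(r"<(\d+),(\d+)>", reason)
        rule = (int(ref.group(1)), int(ref.group(2))) if ref else None
        attack = b[3] if a[3] == "attack" else None
        entries.append(LogEntry(int(a[0]), f"{a[1]} {b[1]}", m.group(1), m.group(2),
                                proto, detail, reason, a[4], rule, attack))
    return entries

def blocked_attacks(entries: List[LogEntry]) -> List[Tuple[int, str]]:
    """Index and attack name of every entry the firewall logged as a blocked attack."""
    return [(e.index, e.attack) for e in entries if e.attack and e.action == "block"]
```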

Each log consists of two lines, showing the information described in the following table.

14-4

Introducing the Prestige Firewall
