Instruction manual
Section 4, User Interface Guide NetVanta 2000 Series System Manual
42 © 2002 ADTRAN, Inc. 61200361L1-1E
> CONFIG > FIREWALL > IP SPOOFING CHECK
IP Spoofing is a network intrusion that occurs when an outside user gains access to a computer on the
network by pretending to be at a trusted IP address.
IP SPOOFING CHECK is always ENABLED, and the NetVanta 2000 series discards any packets received on the
WAN interface containing a source IP address on the corporate network.
> CONFIG > FIREWALL > PING OF DEATH CHECK
Ping of Death is a denial of service attack which exploits errors in the oversize datagram handling
mechanism of a TCP/IP stack. Many popular operating systems have difficulty handling datagrams larger
than the maximum datagram size defined by the IP standard. If hosts running these operating systems
encounter oversized ping packets, it is likely they will hang or crash, causing network problems.
PING OF DEATH CHECK is always ENABLED, and the NetVanta 2000 series becomes the central entry point for all
traffic entering the corporate network and watches for such non-standard IP datagrams to filter them
before they reach vulnerable hosts on the network.
> CONFIG > FIREWALL > LAND ATTACKS CHECK
Land Attacks are a special type of denial of service attack on TCP-based services such as HTTP, SMTP,
and FTP. In a Land Attack an attacker forges equal values for the source and destination port, and for the
source and destination IP addresses. These port values are often the well-known service port values, and
the IP addresses are the target host's IP address. This attack exploits the inappropriate implementation of
the TCP connection establishment protocol in a TCP/IP stack; as a result the target server enters an
uncontrollable infinite spin and eventually the system crashes.
LAND ATTACK CHECK is always ENABLED, and the NetVanta 2000 series ensures that all service requests made to
any of the hosts in the corporate network are Land Attack free.
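The three checks above (IP Spoofing, Ping of Death and Land Attack) are all stateless tests on a single packet's header fields. The following Python example, added here and not ADTRAN's own firewall code, shows how such checks can be expressed over a constructed packet summary: a WAN packet claiming a corporate source address, a fragment whose offset plus length would push the reassembled datagram past the 65535-byte IP maximum, and a TCP packet whose source and destination address and port are equal. The `Packet` record, the corporate address range 10.1.0.0/16 and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IP_MAX_DATAGRAM = 65535   # largest total length an IP datagram may have (RFC 791)
IP_HEADER_LEN = 20        # minimal IPv4 header; assumed for the size check


@dataclass(frozen=True)
class Packet:
    """Constructed summary of the header fields the checks need (not a real parser)."""
    iface: str            # interface the packet arrived on: "wan" or "lan"
    src: str              # source IP address
    dst: str              # destination IP address
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0        # TCP/UDP source port (0 for ICMP)
    dport: int = 0        # TCP/UDP destination port
    frag_offset: int = 0  # IP fragment offset field, in 8-byte units
    payload_len: int = 0  # bytes of IP payload carried by this packet or fragment


def is_spoofed(pkt: Packet, corporate_nets) -> bool:
    """IP Spoofing check: a packet from the WAN must not claim a corporate source address."""
    if pkt.iface != "wan":
        return False
    src = ip_address(pkt.src)
    return any(src in net for net in corporate_nets)


def is_oversized(pkt: Packet) -> bool:
    """Ping of Death check: the datagram this fragment belongs to would exceed 65535 bytes."""
    reassembled_len = IP_HEADER_LEN + pkt.frag_offset * 8 + pkt.payload_len
    return reassembled_len > IP_MAX_DATAGRAM


def is_land(pkt: Packet) -> bool:
    """Land Attack check: TCP packet whose source and destination address and port are equal."""
    return pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport


def inspect(pkt: Packet, corporate_nets):
    """Return the name of the first check that fires, or None if the packet may pass."""
    if is_spoofed(pkt, corporate_nets):
        return "ip_spoofing"
    if is_oversized(pkt):
        return "ping_of_death"
    if is_land(pkt):
        return "land_attack"
    return None


CORPORATE_NETS = [ip_network("10.1.0.0/16")]   # constructed corporate address range

# Constructed sample traffic: a normal request followed by one packet per check.
SAMPLE_PACKETS = [
    Packet("wan", "203.0.113.7", "10.1.0.25", "tcp", 51000, 80),   # ordinary web request
    Packet("wan", "10.1.0.9", "10.1.0.25", "tcp", 51001, 80),      # corporate source seen on WAN
    Packet("wan", "203.0.113.8", "10.1.0.25", "icmp",
           frag_offset=8190, payload_len=100),                     # last fragment lands past 65535
    # Shown arriving on the LAN so the Land check itself fires; from the WAN the
    # spoofing check would already have discarded it (corporate source address).
    Packet("lan", "10.1.0.25", "10.1.0.25", "tcp", 80, 80),
]


def run_checks(packets=SAMPLE_PACKETS, nets=CORPORATE_NETS):
    """Inspect each packet in order; returns one verdict (check name or None) per packet."""
    return [inspect(p, nets) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_checks()):
        print(f"{verdict or 'pass':14s} {pkt.iface} {pkt.src} -> {pkt.dst} {pkt.proto}")
```

The checks are ordered so that the cheapest and most general one (source address versus interface) runs first; a real firewall would apply the same tests per packet before any stateful inspection.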
> CONFIG > FIREWALL > REASSEMBLY ATTACK
Datagrams traveling in the Internet may pass through heterogeneous networks which require them to be
fragmented and reassembled at their destinations. Certain popular TCP/IP implementations cannot handle
all datagram reassembly scenarios properly. If an attacker sends datagram fragments to a host with limited
datagram reassembly capabilities the host is likely to behave unpredictably.
REASSEMBLY ATTACK is always ENABLED, and the NetVanta 2000 series invokes its robust datagram reassembly
engine to perform the datagram reassembly strictly conforming to IP standards.
> CONFIG > FIREWALL > SYN FLOODING ATTACK CHECK
SYN Flooding is a well-known denial of service attack on TCP-based services. TCP requires a 3-way
handshake before the actual communication between two hosts begins. A server must allocate resources
to process each new connection request it receives. A malicious intruder is capable of transmitting large
numbers of service requests in a very short period, causing servers to allocate all their resources to
processing the incoming requests. If SYN FLOODING ATTACK CHECK is selected, the NetVanta 2000 series
filters out phony service requests and allows only legitimate requests to pass through.
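The manual does not say how the NetVanta distinguishes phony requests from legitimate ones. One widely used technique for exactly this problem is SYN cookies: the gateway answers every SYN with a SYN-ACK whose initial sequence number is a keyed hash of the connection 4-tuple and a coarse timestamp, stores nothing, and only admits the connection when the client's final ACK returns that value plus one. Half-open requests from forged sources therefore consume no memory, while a real client that completes the handshake passes. The Python example below is added here to illustrate that idea; it is not ADTRAN's implementation, and the secret, the 64-second time window, the server address 10.1.0.25 and the simulated traffic are all constructed for the example.

```python
import hashlib
import hmac

# Constructed per-device secret; a real implementation draws this at random at boot.
SECRET = b"constructed-example-secret"
COOKIE_WINDOW = 64   # seconds per time-counter tick; a cookie is valid for the current and previous tick


def _mac(src: str, dst: str, sport: int, dport: int, counter: int) -> int:
    """24-bit keyed hash binding the cookie to the connection 4-tuple and the time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, now: float) -> int:
    """Initial sequence number for the SYN-ACK: 8-bit time counter in the top byte, 24-bit MAC below."""
    counter = int(now // COOKIE_WINDOW) & 0xFF
    return (counter << 24) | _mac(src, dst, sport, dport, counter)


def check_cookie(src, dst, sport, dport, ack: int, now: float) -> bool:
    """The handshake's final ACK acknowledges cookie + 1; accept only a fresh cookie with a valid MAC."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 24
    if (int(now // COOKIE_WINDOW) - counter) & 0xFF > 1:
        return False                      # older than one window (or not ours): reject
    return (cookie & 0xFFFFFF) == _mac(src, dst, sport, dport, counter)


class SynCookieGate:
    """Admits a client to the protected server only after it completes the 3-way handshake.

    Half-open requests consume no memory: nothing is stored until a valid ACK arrives.
    (A production implementation would also encode the client's MSS in the cookie.)
    """

    def __init__(self):
        self.established = set()   # (src, sport, dst, dport) tuples that completed the handshake

    def on_syn(self, src, sport, dst, dport, now):
        """Answer a SYN with a SYN-ACK whose sequence number is the cookie; keep no state."""
        return {"type": "SYN-ACK", "seq": make_cookie(src, dst, sport, dport, now)}

    def on_ack(self, src, sport, dst, dport, ack, now) -> bool:
        """Establish the connection only if the ACK proves the client received our SYN-ACK."""
        if check_cookie(src, dst, sport, dport, ack, now):
            self.established.add((src, sport, dst, dport))
            return True
        return False


def simulate(now: float = 1_000_000.0):
    """Constructed scenario: 10,000 SYNs that never complete the handshake, then one honest client.

    Returns (connections held open by the flood, honest client admitted,
             forged ACK accepted, stale replay accepted).
    """
    gate = SynCookieGate()
    server = ("10.1.0.25", 80)

    # Phony requests: each from a different forged source, none of them ever ACKs.
    for i in range(10_000):
        gate.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, *server, now)
    held_by_flood = len(gate.established)          # stays 0: no state was allocated

    # Legitimate client completes the handshake within the same window.
    client = ("203.0.113.7", 51000)
    synack = gate.on_syn(*client, *server, now)
    admitted = gate.on_ack(*client, *server, synack["seq"] + 1, now + 0.2)

    # An ACK with a guessed sequence number, and a replay of the real cookie three minutes later.
    forged = gate.on_ack("198.51.100.5", 2000, *server, 0x12345678, now)
    stale = gate.on_ack(*client, *server, synack["seq"] + 1, now + 180)
    return held_by_flood, admitted, forged, stale


if __name__ == "__main__":
    print(simulate())   # (0, True, False, False)
```

The time counter is what bounds replay: a captured SYN-ACK is useless once two windows have passed, and because the MAC covers the 4-tuple, a cookie issued to one source cannot be presented by another.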