Specifications

Alcatel-Lucent Page 21
OmniSwitch 6850 Series
Minimum number of learned MAC addresses allowed per port: 1
Maximum number of learned MAC addresses allowed per port: 100
Maximum number of configurable MAC address ranges per LPS port: 1
Max number of learned MAC addresses per OS6850 switch (applies to all ports on the switch): 8K
IP directed broadcast
An IP directed broadcast is an IP datagram that has all zeroes or all 1’s in the host portion of the destination IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly attached. Directed broadcasts are used in denial-of-service “smurf” attacks. In a smurf attack, a continuous stream of ping requests is sent from a falsified source address to a directed broadcast address, resulting in a large stream of replies, which can overload the host of the source address. By default, the switch drops directed broadcasts. Typically, directed broadcasts should not be enabled.
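The following is an added example, not code from the Alcatel-Lucent documentation, that models the default drop decision described above: classify a destination address as the directed broadcast of a subnet (host portion all ones, or all zeroes in the legacy form) and drop it when the sender is not attached to that subnet. The function names, the subnet list and the sample packets are this example's own constructed values.

```python
import ipaddress


def is_directed_broadcast(dst, subnet):
    """True if dst is the directed broadcast address of subnet: the host
    portion is all ones (standard form) or all zeroes (legacy form, which the
    text also mentions). /31 and /32 have no host portion to broadcast to."""
    net = ipaddress.ip_network(subnet, strict=True)
    addr = ipaddress.ip_address(dst)
    if addr not in net or net.prefixlen >= net.max_prefixlen - 1:
        return False
    return addr in (net.broadcast_address, net.network_address)


def should_drop(src, dst, attached_subnets, directed_broadcast_enabled=False):
    """Model of the switch's default behaviour: a datagram addressed to the
    directed broadcast of an attached subnet, sent by a host that is NOT on
    that subnet, is dropped unless directed broadcasts have been enabled.
    A host's broadcast onto its own subnet is not a directed broadcast and
    is left alone. Parameter names are this example's own."""
    sender = ipaddress.ip_address(src)
    for subnet in attached_subnets:
        net = ipaddress.ip_network(subnet, strict=True)
        if is_directed_broadcast(dst, subnet) and sender not in net:
            return not directed_broadcast_enabled
    return False


def smurf_check(packets, attached_subnets):
    """Count the packets in a capture that the default policy would drop;
    each is a potential smurf amplification request aimed at the (spoofed)
    source address."""
    return sum(1 for src, dst in packets if should_drop(src, dst, attached_subnets))


# Constructed sample traffic (not from the page): a spoofed "victim" source
# 203.0.113.9 pings the directed broadcast of 192.168.10.0/24 from outside.
SAMPLE_PACKETS = [
    ("203.0.113.9", "192.168.10.255"),   # directed broadcast from off-subnet: dropped
    ("203.0.113.9", "192.168.10.0"),     # all-zeroes host form: dropped
    ("192.168.10.7", "192.168.10.255"),  # local host's own broadcast: forwarded
    ("203.0.113.9", "192.168.10.44"),    # ordinary unicast: forwarded
]
SUBNETS = ["192.168.10.0/24", "10.0.0.0/8"]

if __name__ == "__main__":
    print(smurf_check(SAMPLE_PACKETS, SUBNETS))
```

Leaving `directed_broadcast_enabled` at its default reproduces the switch's shipped behaviour; the reply volume of a real smurf scales with the number of hosts on the target subnet, which is why the drop happens at the router rather than on the victim.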
DOS Attacks
By default, the switch filters denial of service (DoS) attacks, which are security attacks aimed at devices that are available on a private network or the Internet. Some of these attacks target system bugs or vulnerabilities (for example, teardrop attacks), while others involve generating large volumes of traffic so that network service is denied to legitimate network users (such as Pepsi attacks). These attacks include the following:
ICMP Ping of Death—Ping packets that exceed the largest IP datagram size (65535 bytes) are sent to a host and hang or crash the system.
SYN Attack—Floods a system with a series of TCP SYN packets, resulting in the host issuing SYN-ACK responses. The half-open TCP connections can exhaust TCP resources, such that no other TCP connections are accepted.
Land Attack—Spoofed packets are sent with the SYN flag set to a host on any open port that is listening. The machine may hang or reboot in an attempt to respond.
Teardrop/Bonk/Boink attacks—Bonk, Boink and teardrop attacks generate IP fragments in a special way to exploit IP stack vulnerabilities. If received fragments overlap in the way these attacks generate them, an attack is recorded. Since teardrop, Bonk and Boink all use the same IP fragmentation mechanism, there is no distinction between detection of these attacks. Old IP fragments in the fragmentation queue are also reaped once the reassembly queue grows above a certain size.
Pepsi Attack—The most common form of UDP flooding directed at harming networks. A Pepsi attack consists of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. This can cause network devices to use up a large amount of CPU time responding to these packets.
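The teardrop/Bonk/Boink entry states two detection rules: an overlap between fragments of the same datagram is recorded as an attack, and old fragments are reaped once the reassembly queue grows past a size limit. The following is an added example, not the switch's code, of a small reassembly queue implementing both rules; the queue key, the size limit and the sample fragments are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # payload length in bytes

    @property
    def end(self):
        return self.offset + self.length

    def overlaps(self, other):
        # Half-open ranges: fragments that merely abut do not overlap.
        return self.offset < other.end and other.offset < self.end


@dataclass
class ReassemblyQueue:
    """Toy fragment reassembly queue modelled on the two rules above: any
    overlap between fragments of the same datagram is recorded as an attack,
    and when more datagrams are queued than max_datagrams the oldest are reaped.
    Datagrams are keyed by (src, dst, protocol, IP identification)."""
    max_datagrams: int = 4
    pending: dict = field(default_factory=dict)  # key -> list of Fragment
    order: list = field(default_factory=list)    # keys, oldest first
    attacks: list = field(default_factory=list)

    def add(self, key, frag):
        """Queue one fragment; return True if it overlaps an existing one."""
        frags = self.pending.setdefault(key, [])
        if key not in self.order:
            self.order.append(key)
        hit = any(frag.overlaps(f) for f in frags)
        if hit:
            self.attacks.append((key, frag))
        frags.append(frag)
        self._reap()
        return hit

    def _reap(self):
        # Drop the oldest datagrams once the queue exceeds its size limit.
        while len(self.order) > self.max_datagrams:
            oldest = self.order.pop(0)
            self.pending.pop(oldest, None)


def run_sample():
    """Constructed traffic: one datagram split cleanly, one whose second
    fragment starts inside the first (the teardrop pattern), then a third
    datagram that pushes the queue over its limit and reaps the oldest."""
    q = ReassemblyQueue(max_datagrams=2)
    benign = ("10.0.0.1", "10.0.0.2", 17, 0x1001)
    q.add(benign, Fragment(0, 1480))
    q.add(benign, Fragment(1480, 500))        # abuts, does not overlap
    evil = ("198.51.100.5", "10.0.0.2", 17, 0x2002)
    q.add(evil, Fragment(0, 36))
    q.add(evil, Fragment(24, 40))             # starts inside the first fragment
    q.add(("10.0.0.3", "10.0.0.2", 17, 0x3003), Fragment(0, 100))
    return len(q.attacks), benign in q.pending, evil in q.pending, len(q.pending)


if __name__ == "__main__":
    print(run_sample())
```

One caveat when turning this into a production check: a retransmitted duplicate fragment overlaps its earlier copy exactly, so a real detector should treat identical duplicates differently from fragments that overlap with mismatched offsets or contents.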
The switch can be set to detect various types of port scans by monitoring for TCP or UDP packets sent to open or closed ports. Monitoring is done in the following manner:
Packet penalty values set: TCP and UDP packets destined for open or closed ports are assigned a penalty value. Each time a packet of this type is received, its assigned penalty value is added to a running total. This total is cumulative and includes all TCP and UDP packets destined for open or closed ports.
Port scan penalty value threshold: The switch is given a port scan penalty value threshold. This number is the maximum value the running penalty total can achieve before triggering an SNMP trap.
Decay value: A decay value is set. The running penalty total is divided by the decay value every minute.
Trap generation: If the total penalty value exceeds the set port scan penalty value threshold, a trap is generated to alert the administrator that a port scan may be in progress.
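The four steps above describe a penalty-with-decay detector. The following added example (not the switch's implementation) carries them through on constructed traffic, contrasting a fast scan that trips the threshold within a minute with a slow scan that the per-minute decay keeps below it. The penalty values, threshold, decay value and port lists are assumptions for the example; the page does not state the switch's defaults, and the choice to raise a trap only when the total crosses the threshold (rather than on every packet above it) is this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class PortScanMonitor:
    """Penalty-based port-scan detector modelled on the four steps above."""
    penalties: dict          # (proto, "open"|"closed") -> penalty value
    threshold: int           # port scan penalty value threshold
    decay: int               # running total is divided by this every minute
    total: float = 0.0
    traps: list = field(default_factory=list)

    def packet(self, proto, dst_port, open_ports, ts):
        """Account one TCP/UDP packet; return True if it pushes the running
        total over the threshold (the point at which a trap would be sent)."""
        state = "open" if dst_port in open_ports else "closed"
        before = self.total
        self.total += self.penalties[(proto, state)]
        # Assumption: trap on the crossing, not on every packet above threshold.
        if before <= self.threshold < self.total:
            self.traps.append((ts, self.total))
            return True
        return False

    def minute_elapsed(self):
        """Apply the per-minute decay; return the new running total."""
        self.total /= self.decay
        return self.total


def simulate():
    """Constructed scenarios (values are assumptions, not switch defaults)."""
    open_ports = {22, 80}
    penalties = {("tcp", "open"): 4, ("tcp", "closed"): 10,
                 ("udp", "open"): 4, ("udp", "closed"): 10}

    # Fast scan: 30 TCP probes to consecutive closed ports inside one minute.
    fast = PortScanMonitor(penalties, threshold=200, decay=2)
    first_trap = None
    for i, port in enumerate(range(1000, 1030), start=1):
        if fast.packet("tcp", port, open_ports, ts=f"00:00:{i:02d}") and first_trap is None:
            first_trap = i

    # Slow scan: 5 probes per minute for 10 minutes; the decay halves the
    # total each minute, so it converges below the threshold and never traps.
    slow = PortScanMonitor(penalties, threshold=200, decay=2)
    slow_trapped = False
    for minute in range(10):
        for port in range(2000 + minute * 5, 2005 + minute * 5):
            slow_trapped |= slow.packet("tcp", port, open_ports, ts=f"00:{minute:02d}:00")
        slow.minute_elapsed()

    return first_trap, slow_trapped, round(slow.total, 2)


if __name__ == "__main__":
    print(simulate())
```

The slow-scan branch is the practical caveat: with decay 2 and 50 penalty points per minute the running total settles just under 50, so an attacker pacing probes below the decay rate is not reported. Tuning comes down to the ratio of threshold to decay against the probe rate you want to catch.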
Security through the implementation of OmniVista Quarantine Manager (OV2770-QM) with OneTouch Security automation
The CrystalSec Security Framework has been expanded with the addition of two solutions - Host Integrity Check and Attack Containment - and two partnerships - Sygate and Fortinet.
The Quarantine Manager Application enables the Network Administrator to quarantine devices to protect the network from attacks. When blocking network traffic such as in Denial of Service (DoS) attacks, the application works with an external Intrusion Prevention System (IPS) such as Fortinet, which sends Syslog messages to the Quarantine Manager, and/or with Alcatel AOS switches, which send SNMP traps to the Quarantine Manager. The information includes the address that was blocked. Quarantine Manager then propagates this information to the rest of the network by placing the address into a "Quarantined" VLAN. Depending on the rule that is written for the event, the address can be immediately quarantined or placed into a Candidate List that can be reviewed by the Network Administrator.
Automatic log-out
Automatic log-out based on a pre-configured timer is supported: the switch supports configuring the inactivity timer for a CLI, HTTP (including WebView), or FTP interface. When the switch detects no user activity for this period of time, the user is logged off the switch.