User guide
Intrusion Detection Settings Security
iMG/RG Software Reference Manual (IPNetwork Functions)
The Security module can detect the early stages of the following DoS attacks:
| DoS Attack | Description |
|---|---|
| SMURF Attack | Attacker sends pings (Echo Requests) to a host with a destination IP address of broadcast (protocol 1, type 8). The broadcast ping has a spoofed return address, which is the address of the intended victim, and the replies cause the system to crash. |
| SYN/FIN/RST Flood | Attackers send SYN packets with unreachable source addresses, so your device sends SYN/ACK packets to the unreachable address, but does not receive any ACK packets in return. This causes a backlog of half-opened sessions. |
| ICMP Flood | The attacker floods the network with ICMP packets that are not Echo requests, stealing bandwidth needed for legitimate services. The device detects an attempted ICMP flood if it receives more than 100 ICMP packets per second from a single host. |
| Ping Flood | The attacker floods the network with pings, using bandwidth needed for legitimate services. The device detects an attempted ping flood if it receives more than 15 pings per second from a single host. |
| Ascend Kill | The attacker sends a UDP packet containing special data to port 9 (the discard port), causing your Ascend router to reboot and possibly crash continuously. |
| WinNuke Attack | The attacker sends invalid TCP packets which disable networking on many Microsoft Windows 95 and Windows NT machines. Bad data is sent to an established connection with a Windows user. NetBIOS (TCP port 139) is often used. |
| Echo Chargen | A chargen attack exploits the character generator (chargen) service (UDP port 19). Sessions that appear to come from the local system's Echo service are spoofed and pointed at the chargen service to create an endless loop of high-volume traffic that will slow your network down. |
| Echo Storm | Attackers send oversized ICMP datagrams to your device using ping in an attempt to crash, freeze or cause a reboot. The device detects an attempted Echo Storm attack if it receives more than 15 ICMP datagrams per second from a single host. |
| Boink | An attacker sends fragmented TCP packets that are too big to be reassembled on arrival, causing Microsoft Windows 95 and Windows NT machines to crash. |
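
The per-host rate thresholds given for the ICMP Flood and Ping Flood entries can be checked against a packet log as in the following added example, which is not taken from the manual and is not the device's own logic. It assumes a sliding one-second window, counts only non-Echo-Request ICMP toward the ICMP flood limit, and uses a constructed (timestamp, source, ICMP type) record format with documentation addresses.

```python
from collections import defaultdict, deque

# Thresholds quoted in the manual (packets per second from a single host).
ICMP_FLOOD_PPS = 100   # ICMP packets that are not Echo Requests
PING_FLOOD_PPS = 15    # ICMP Echo Requests (type 8)
WINDOW = 1.0           # assumption: sliding one-second window
ICMP_ECHO_REQUEST = 8


def detect_floods(packets):
    """Return sorted (source, alert) pairs for a time-ordered packet stream.

    packets: iterable of (timestamp_seconds, source_ip, icmp_type) tuples.
    """
    limits = {"ping flood": PING_FLOOD_PPS, "ICMP flood": ICMP_FLOOD_PPS}
    recent = defaultdict(deque)   # (source, alert) -> timestamps in the window
    alerts = set()
    for ts, src, icmp_type in packets:
        kind = "ping flood" if icmp_type == ICMP_ECHO_REQUEST else "ICMP flood"
        window = recent[(src, kind)]
        window.append(ts)
        # Drop timestamps that have aged out of the one-second window.
        while window and ts - window[0] >= WINDOW:
            window.popleft()
        # "More than N per second": alert only when the count exceeds N.
        if len(window) > limits[kind]:
            alerts.add((src, kind))
    return sorted(alerts)


def constructed_trace():
    """Constructed sample traffic, not a real capture."""
    trace = []
    # 192.0.2.10: 16 echo requests inside one second, exceeds 15/s.
    trace += [(i * 0.05, "192.0.2.10", 8) for i in range(16)]
    # 192.0.2.20: exactly 15 echo requests in one second, at the limit.
    trace += [(i * 0.06, "192.0.2.20", 8) for i in range(15)]
    # 192.0.2.30: 101 destination-unreachable (type 3) packets in under 1 s.
    trace += [(i * 0.009, "192.0.2.30", 3) for i in range(101)]
    # 192.0.2.40: 40 echo requests spread over 4 seconds (10/s).
    trace += [(i * 0.1, "192.0.2.40", 8) for i in range(40)]
    return sorted(trace)


if __name__ == "__main__":
    for src, alert in detect_floods(constructed_trace()):
        print(f"{src}: {alert}")
```

Only the first and third hosts are flagged: a host sitting exactly at a threshold, or sending a large total at a low rate, does not trip the "more than N per second" condition.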