Product specifications
Chapter 5: System Security
Efficient Networks® Router family Technical Reference Guide
Page 5-44
UDP Flood Attack
Similar to the ICMP flood, the User Datagram Protocol (UDP) flood denial of service
attack preys on the chargen service of one router and the echo service of another. By
spoofing, the UDP flood attack hooks up one system’s UDP chargen service (which
generates a series of characters for each packet it receives) with another system’s
UDP echo service (which echoes any character it receives, a facility intended for
testing network programs). The result is a nonstop flood of useless data passed
between the two systems.
A counter is again maintained; when its threshold has been crossed, the firewall
blocks the UDP echo and chargen ports by default. Look for the UDP packet count
exceeding 1000. If the count exceeds 1000, subsequent packets are dropped until the
attack ends.
The threshold value is defined in packets per second. To set the threshold value
through the WMI, refer to the “Stateful Firewall Configuration Page” on page 8-60, or
enter the following command.
firewall setudpfloodthreshold <number>
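The threshold logic above, as an added illustration that is not the router's firmware or any Efficient Networks code: a per-second UDP packet counter that blocks the echo (port 7) and chargen (port 19) ports once the count in a one-second window passes the threshold, and releases the block after a full second in which the count stays at or under it. The packet trace, the choice of ports 7 and 19 as the blocked set, and the whole-second counting window are assumptions of this example; the threshold parameter plays the role of the value set with `firewall setudpfloodthreshold`.

```python
# Added example (not the router's own code): a UDP flood guard modelled on the
# threshold described in the text. Packets are tuples (timestamp, proto, dst_port)
# and the trace below is constructed for illustration.
UDP_ECHO_PORT = 7
UDP_CHARGEN_PORT = 19
DEFAULT_THRESHOLD = 1000  # packets per second, the default from the text


class UdpFloodGuard:
    """Counts UDP packets per whole second; blocks echo/chargen while the rate is over threshold."""

    def __init__(self, threshold=DEFAULT_THRESHOLD):
        self.threshold = threshold   # what 'firewall setudpfloodthreshold <number>' would set
        self._window = None          # the whole second currently being counted
        self._count = 0
        self.blocking = False

    def _roll_window(self, ts):
        sec = int(ts)
        if sec == self._window:
            return
        # A completed second that stayed at or under the threshold means the attack ended.
        if self.blocking and self._count <= self.threshold:
            self.blocking = False
        self._window, self._count = sec, 0

    def decide(self, ts, proto, dst_port):
        """Return 'pass' or 'drop' for one packet."""
        if proto != "udp":
            return "pass"            # only UDP is counted
        self._roll_window(ts)
        self._count += 1
        if self._count > self.threshold:
            self.blocking = True     # threshold crossed within this second
        if self.blocking and dst_port in (UDP_ECHO_PORT, UDP_CHARGEN_PORT):
            return "drop"
        return "pass"


def build_sample_trace():
    """Constructed trace: a 1200-packet echo burst in one second, a trickle the next, then normal traffic."""
    trace = [(100.0 + i / 1200, "udp", UDP_ECHO_PORT) for i in range(1200)]
    trace += [(101.1, "udp", UDP_ECHO_PORT), (101.2, "udp", UDP_ECHO_PORT),
              (101.3, "udp", 53), (101.4, "udp", UDP_ECHO_PORT)]
    trace += [(102.1, "udp", UDP_ECHO_PORT), (102.2, "tcp", 80), (102.3, "udp", UDP_CHARGEN_PORT)]
    return trace


def filter_trace(guard, trace):
    """Run every packet through the guard and return how many passed and how many were dropped."""
    counts = {"pass": 0, "drop": 0}
    for ts, proto, port in trace:
        counts[guard.decide(ts, proto, port)] += 1
    return counts


if __name__ == "__main__":
    print(filter_trace(UdpFloodGuard(), build_sample_trace()))  # {'pass': 1004, 'drop': 203}
```

In the sample trace the first 1000 packets of the burst pass, the remaining 200 are dropped, the three echo packets in the following second are still dropped while the DNS packet to port 53 passes (only echo and chargen are blocked), and the block is lifted at the start of the third second. Counting all UDP packets but blocking only the two reflector ports follows the text's description; a product might instead count only traffic to those ports.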
Ping of Death
The TCP/IP specification defines a maximum packet size for datagrams being
transmitted. Many ping implementations allow users to specify a packet larger than
that maximum, which can trigger a range of adverse system reactions including
crashing, freezing and rebooting.
The reassembly implementation currently has a maximum IP packet size of 17000
bytes. Any packet exceeding this size is dropped.
Land Attack
A Land attack occurs when spoofed packets with the SYN flag set are sent to a system
on any port that is listening. If the packets carry a source IP address equal to the
destination IP address (the receiving host’s own address), the receiving system hangs
or reboots. The anti-spoofing implementation has been augmented to check whether the
source IP address equals the destination IP address and to drop any such packet.
Tiny Packet Attack
A tiny packet attack happens when the payload of an IP packet is a single byte. This
is an attack against static packet filters. If, for example, the TCP header is
fragmented and the filters check each fragment prior to reassembly, the packet filters
may not be able to properly check the fields in the header. A filter that by default
accepts a packet will allow this bogus packet through. The firewall can impose a
minimum packet size for all incoming packets; this minimum should be large enough to
contain the transport headers. RFC 1858 describes this attack.
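The three header-level checks described in the Ping of Death, Land Attack and Tiny Packet Attack sections (the 17000-byte reassembly limit, source address equal to destination, and a minimum first-fragment size), as one added example in Python that is not the router's firmware or any Efficient Networks code. It parses a plain IPv4 header with `struct`, builds its own constructed test packets, and applies the checks in order. The per-protocol minimum transport lengths (20 bytes for TCP, 8 for UDP), the extra RFC 1858 rule rejecting a TCP fragment at offset 1, and all addresses and sizes in the samples are choices of this example, not settings taken from the guide.

```python
# Added example (not the router's own code): header-level checks for the
# Land, Ping of Death and tiny-fragment cases. Packets are built inline and
# are constructed for illustration.
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # the fixed 20-byte IPv4 header
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
MAX_REASSEMBLED_LEN = 17000                  # bytes; the reassembly limit stated in the text
# Assumption of this example: the whole transport header must fit in the first fragment.
MIN_TRANSPORT_LEN = {PROTO_TCP: 20, PROTO_UDP: 8}


def build_ipv4(src, dst, proto, payload_len, frag_offset=0, more_fragments=False, ident=1):
    """Constructed test packet: IPv4 header (no options) followed by a zero-filled payload."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = IPV4_HDR.pack(0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + bytes(payload_len)


def parse_ipv4(pkt):
    """Return the header fields the checks need, or None if the header is malformed."""
    if len(pkt) < IPV4_HDR.size:
        return None
    vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = IPV4_HDR.unpack_from(pkt)
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return None
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "ident": ident,
        "frag_offset": flags_frag & 0x1FFF,   # in 8-byte units
        "more_fragments": bool(flags_frag & 0x2000),
        "transport_len": total_len - ihl,     # bytes carried after the IP header
    }


def verdict(pkt):
    """Return 'pass', or the name of the check that drops the packet."""
    f = parse_ipv4(pkt)
    if f is None:
        return "malformed"
    # Land attack: a source address equal to the destination is never legitimate.
    if f["src"] == f["dst"]:
        return "land"
    # Ping of Death: where this fragment would end once reassembled; the largest
    # end offset among the fragments is the reassembled datagram's size.
    if f["frag_offset"] * 8 + f["transport_len"] > MAX_REASSEMBLED_LEN:
        return "oversize"
    # Tiny fragment (RFC 1858): the first fragment must carry the whole transport header,
    # otherwise a filter that inspects fragments individually cannot see the port/flag fields.
    minimum = MIN_TRANSPORT_LEN.get(f["proto"])
    if minimum is not None and f["frag_offset"] == 0 and f["transport_len"] < minimum:
        return "tiny"
    # RFC 1858 companion rule: a TCP fragment at offset 1 can only overwrite the first fragment's header.
    if f["proto"] == PROTO_TCP and f["frag_offset"] == 1:
        return "tiny"
    return "pass"


# Constructed samples, one per case the checks cover.
SAMPLES = {
    "normal_tcp": build_ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, 40),
    "land": build_ipv4("10.0.0.2", "10.0.0.2", PROTO_TCP, 40),
    "oversize_icmp": build_ipv4("10.0.0.1", "10.0.0.2", PROTO_ICMP, 100, frag_offset=2120),
    "last_fragment_ok": build_ipv4("10.0.0.1", "10.0.0.2", PROTO_ICMP, 1000, frag_offset=2000),
    "tiny_tcp": build_ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, 1),
    "tiny_first_fragment": build_ipv4("10.0.0.1", "10.0.0.2", PROTO_TCP, 8, more_fragments=True),
    "udp_empty": build_ipv4("10.0.0.1", "10.0.0.2", PROTO_UDP, 8),
    "truncated": b"\x45\x00",
}


def run_samples():
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:22} {result}")
```

The `oversize_icmp` sample is a fragment whose offset (2120 × 8 = 16960 bytes) plus payload reaches 17060 bytes, so it is dropped without waiting for reassembly, while `last_fragment_ok` ends exactly at 17000 and passes. `tiny_tcp` is the one-byte-payload packet from the text and `tiny_first_fragment` is a first fragment carrying only 8 of the 20 TCP header bytes; both fail the minimum-size rule, whereas an empty UDP datagram (8 bytes, a complete UDP header) is accepted.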