XSR User’s Guide 313
Chapter 13 Features
Configuring Security on the XSR
Smurf Attack
A “smurf” attack involves an attacker sending ICMP echo requests from a
falsified source (a spoofed address) to a directed broadcast address, causing
all hosts on the target subnet to reply to the falsified source. By sending a
continuous stream of such requests, the attacker can create a much larger
stream of replies, inundating the host whose address is being falsified.
The XSR protects against smurf attacks by turning off directed broadcast and
turning on checkspoofing. Refer to “Configuring IP” on page 63 and the XSR
CLI Reference Guide for more information on IP directed broadcast.
Fraggle Attack
A “fraggle” attack involves a UDP Echo-directed broadcast. It is similar to a
smurf attack but differs in that it uses UDP instead of ICMP packets.
The XSR protects against a fraggle attack by turning off directed broadcast
and turning on checkspoofing. Refer to “Configuring IP” on page 63.
IP Packet with Multicast/Broadcast Source Address
This type of attack involves an illegal IP packet. Because XSR interfaces are
programmed to discard these packets, no user configuration is necessary.
Spoofed Address Check
This feature guards against spoofing of IP source addresses by checking the
source address of each packet against the routing table, to ensure that the
return path to that address is through the interface on which the packet was
received.
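The following is an added example, not code from the XSR guide or its firmware. It models the three protections described above (the directed-broadcast drop used against smurf and fraggle traffic, the discard of multicast/broadcast source addresses, and the reverse-path spoof check) as a small packet filter; the routing table, interface names and addresses are constructed assumptions.

```python
import ipaddress

# Constructed routing table: (destination prefix, egress interface).
# Prefixes and interface names are assumptions for this example only.
ROUTES = [
    (ipaddress.ip_network("10.1.0.0/24"), "eth0"),    # directly connected LAN
    (ipaddress.ip_network("10.2.0.0/24"), "eth1"),    # directly connected LAN
    (ipaddress.ip_network("0.0.0.0/0"), "serial0"),   # default route (WAN)
]
CONNECTED = [net for net, _ in ROUTES if net.prefixlen > 0]


def lookup(addr):
    """Longest-prefix match: egress interface for addr, or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_spoof(src, ingress):
    """Reverse-path check: the route back to src must use the ingress interface."""
    return lookup(src) == ingress


def is_directed_broadcast(dst):
    """True if dst is the subnet broadcast address of a connected network."""
    d = ipaddress.ip_address(dst)
    return any(d == net.broadcast_address for net in CONNECTED)


def is_illegal_source(src):
    """A multicast or broadcast source address is never legitimate."""
    s = ipaddress.ip_address(src)
    return (s.is_multicast
            or s == ipaddress.ip_address("255.255.255.255")
            or any(s == net.broadcast_address for net in CONNECTED))


def filter_packet(src, dst, ingress, directed_broadcast=False, checkspoof=True):
    """Return 'forward', or the reason the packet is dropped.

    directed_broadcast=False and checkspoof=True model the protective settings;
    the opposite values show what a smurf/fraggle packet does when they are off.
    """
    if is_illegal_source(src):
        return "drop: multicast/broadcast source"
    if checkspoof and not check_spoof(src, ingress):
        return "drop: spoofed source"
    if not directed_broadcast and is_directed_broadcast(dst):
        return "drop: directed broadcast"
    return "forward"
```

A smurf packet whose falsified source is on a connected LAN fails the spoof check at the WAN interface; one whose source is a remote victim passes that check but is stopped by the directed-broadcast drop, which is why the guide enables both.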
SYN Flood Attack Mitigation
A SYN flood is a form of Denial of Service (DoS) attack in which an attacker
floods a server with a barrage of connection requests whose return addresses
are unreachable. Because the return addresses are unreachable, the connections
can never complete, and the growing volume of half-open connections eventually
overwhelms the server, denying service to valid requests. The XSR defends
against SYN flood attacks directed at the router itself; it does not check
transit packets for this purpose.