314 XSR User's Guide
Features (Chapter 13)
Configuring Security on the XSR
This feature is always enabled. The maximum number of TCP sessions allowed is
set at run time from the number of TCP applications running and the maximum
number of sessions each of them can have. Any connection attempt beyond this
number is denied.
Fragmented and Large ICMP Packets
The XSR offers these features to filter ICMP traffic based on IP data length, IP
fragment offset, and the IP fragmentation flags. They apply only to packets
destined for the XSR itself; transit packets are not checked.
Fragmented ICMP Traffic
This protection is triggered for ICMP packets with the "more fragments" flag
set to 1, or with a non-zero value in the fragment offset field. Such packets are
dropped by the XSR if the protection is enabled with the HostDoS command.
Large ICMP Packets
This protection is triggered for ICMP packets larger than a size you can
configure. Such packets are dropped by the XSR if the protection is enabled
with the HostDoS command.
Ping of Death Attack
This protection is triggered when an ICMP packet is received with the "more
fragments" bit set to 0 and ((IP offset * 8) + IP data length) greater than 65535.
Since the maximum size of an IP datagram is 65535 bytes, such a packet could
cause a buffer overflow. These packets are always dropped automatically by the
XSR; no configuration is required.
Spurious State Transition
Protection against spurious state transition concerns TCP packets with both the
SYN and FIN bits set. This type of attack occurs when an intruder attempts to
stall a network port for a very long time by sending a host a packet with both
SYN and FIN flags set, exploiting the state transition from SYN_RCVD to
CLOSE_WAIT.
The host first processes the SYN flag, sends back an ACK, and changes its state
to SYN_RCVD. It then processes the FIN flag, transitions to CLOSE_WAIT, and
sends back another ACK.