3Com Switch 8800 Family Firewall Module Configuration and Command Reference Guide

Configuring Attack Prevention 147
Ping of death attack
The ping of death attack crashes a target by sending it an oversized ICMP packet. The Total Length field of the IP header is 16 bits wide, so an IP packet can be at most 65535 bytes long. If the data portion of an ICMP echo request is larger than 65507 bytes, the total length of the packet (ICMP data + 20-byte IP header + 8-byte ICMP header) exceeds 65535 bytes. Such a packet can only be carried as IP fragments, and a host that does not check the size of the reassembled datagram can overrun its reassembly buffer and crash, hang or reboot. This is the ping of death attack.
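The check a firewall applies to catch this does not need the whole datagram: each fragment carries its offset (in 8-byte units) and its own length, so "offset * 8 + length + IP header > 65535" can be evaluated fragment by fragment. The following is an added illustration, not 3Com code; the fragment layout, the 1480-byte fragment payload and the helper names are assumptions.

```python
"""Ping-of-death detection on IP fragment headers (added example, not 3Com code)."""
from dataclasses import dataclass

IP_MAX_LEN = 65535       # 16-bit Total Length field
IP_HDR_LEN = 20          # IP header without options
ICMP_HDR_LEN = 8         # ICMP echo header
ICMP_MAX_DATA = IP_MAX_LEN - IP_HDR_LEN - ICMP_HDR_LEN   # 65507, as in the text


@dataclass(frozen=True)
class Fragment:
    ident: int        # IP Identification field shared by all fragments
    offset: int       # Fragment Offset field, in 8-byte units
    more: bool        # MF (more fragments) flag
    payload_len: int  # bytes of data carried by this fragment


def oversized_icmp_data(data_len):
    """True if an ICMP echo with this much data cannot fit a legal IP packet."""
    return data_len > ICMP_MAX_DATA


def reassembled_length(fragments):
    """Total datagram length (IP header + data) implied by a set of fragments."""
    end = max((f.offset * 8 + f.payload_len for f in fragments), default=0)
    return IP_HDR_LEN + end


def is_ping_of_death(fragments):
    """True if any single fragment would push the reassembled datagram past 65535.

    The test is per fragment, so the firewall can drop the offending fragment
    without buffering the whole datagram first.
    """
    for f in fragments:
        if IP_HDR_LEN + f.offset * 8 + f.payload_len > IP_MAX_LEN:
            return True
    return False


def make_echo_fragments(data_len, frag_payload=1480, ident=0x1234):
    """Constructed input: split an ICMP echo carrying data_len bytes into fragments.

    frag_payload is a multiple of 8 so offsets stay legal; it is an assumption
    standing in for a 1500-byte Ethernet MTU minus the 20-byte IP header.
    """
    total = ICMP_HDR_LEN + data_len
    frags, off = [], 0
    while off < total:
        chunk = min(frag_payload, total - off)
        frags.append(Fragment(ident, off // 8, off + chunk < total, chunk))
        off += chunk
    return frags


if __name__ == "__main__":
    for data_len in (1000, 65507, 65508, 65535):
        frags = make_echo_fragments(data_len)
        print(data_len, reassembled_length(frags), is_ping_of_death(frags))
```

Note that 65507 bytes of data is the largest legal echo and is not flagged, while one byte more is, which is exactly the boundary the text gives.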
Introduction to Statistics Analysis
A firewall performs a large amount of statistics gathering and analysis in order to monitor data traffic and to track the connections between the internal network and the external network. On one hand, the firewall can perform after-the-fact analysis of its log information with dedicated analysis software. On the other hand, the firewall can perform some analysis in real time. For example, by comparing the total number of TCP/UDP connections against a configured threshold, the firewall can decide whether to limit new connections from external networks, or new connections to a particular internal IP address. For another example, if the firewall finds that the number of connections in the system exceeds the threshold, it ages idle connections out faster so that the connection table does not fill up, new connections can still be set up, and a DoS condition is avoided.
The following figure shows a typical application of the firewall. If IP-based statistics analysis is enabled for traffic from the external network to the DMZ, the firewall limits new connections from the external network once the number of TCP connections to the Web server at 129.9.0.1 exceeds the configured value, and keeps doing so until the number drops back into the normal range.
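The two real-time actions described above, a per-destination limit on new connections and faster aging when the whole system is over its threshold, come down to a connection table keyed on the 4-tuple with a counter per protected host. The following is an added example, not 3Com code and not the module's own implementation; the class and method names, the thresholds, the timeouts and the client addresses are all assumptions, and the scenario in simulate() is constructed.

```python
"""IP-based connection statistics with a per-host limit and overload aging.

Added example, not 3Com code. Thresholds, timeouts and names are assumptions.
"""
from collections import defaultdict


class ConnStats:
    def __init__(self, per_ip_limit, system_limit, normal_age, fast_age):
        self.per_ip_limit = per_ip_limit   # max TCP conns to one protected host
        self.system_limit = system_limit   # total conns above which aging speeds up
        self.normal_age = normal_age       # idle seconds before a conn is aged out
        self.fast_age = fast_age           # idle seconds once the system is overloaded
        self.conns = {}                    # (src, sport, dst, dport) -> last_seen
        self.per_dst = defaultdict(int)    # dst -> number of tracked connections

    def total(self):
        return len(self.conns)

    def age_timeout(self):
        """Pick the idle timeout: shorter when the system threshold is exceeded."""
        return self.fast_age if self.total() > self.system_limit else self.normal_age

    def _remove(self, key):
        del self.conns[key]
        self.per_dst[key[2]] -= 1

    def expire(self, now):
        """Drop connections idle longer than the current (possibly shortened) timeout."""
        timeout = self.age_timeout()
        for key, last_seen in list(self.conns.items()):
            if now - last_seen > timeout:
                self._remove(key)

    def new_connection(self, src, sport, dst, dport, now):
        """Admit or deny a new connection. Returns True if admitted."""
        self.expire(now)
        key = (src, sport, dst, dport)
        if key in self.conns:              # retransmitted SYN: refresh, do not count twice
            self.conns[key] = now
            return True
        if self.per_dst[dst] >= self.per_ip_limit:
            return False                   # host already at its limit: deny the new one
        self.conns[key] = now
        self.per_dst[dst] += 1
        return True

    def close(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if key in self.conns:
            self._remove(key)


def simulate():
    """Constructed scenario: external clients hit the DMZ web server 129.9.0.1."""
    s = ConnStats(per_ip_limit=3, system_limit=4, normal_age=60, fast_age=5)
    web = "129.9.0.1"
    # Five clients open connections at once; the 4th and 5th exceed the per-IP limit.
    admitted = [s.new_connection(f"203.0.113.{i}", 40000 + i, web, 80, now=0.0)
                for i in range(5)]
    # One connection closes, so the count drops back below the limit and a
    # previously denied client gets through.
    s.close("203.0.113.0", 40000, web, 80)
    readmitted = s.new_connection("203.0.113.3", 40003, web, 80, now=1.0)
    normal_timeout = s.age_timeout()       # 3 conns, below system_limit
    # Traffic to a second DMZ host pushes the system total over its threshold.
    for i in range(3):
        s.new_connection(f"198.51.100.{i}", 50000 + i, "129.9.0.2", 443, now=2.0)
    fast_timeout = s.age_timeout()         # 6 conns, above system_limit
    s.expire(now=8.0)                      # everything is now idle > fast_age
    return admitted, readmitted, normal_timeout, fast_timeout, s.total()


if __name__ == "__main__":
    print(simulate())
```

The counter is decremented on close and on aging, which is what lets the limit lift again once the count "drops to the normal range"; a tracker that only counts SYNs would keep denying the server forever.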
Figure 30 Firewall denies the redundant external connections for the server
Configuring Attack Prevention
The attack prevention configuration includes:
Enabling ARP Flood attack prevention function
Enabling attack prevention for reverse ARP lookup
Enabling ARP spoofing attack prevention function
Enabling the IP Spoofing attack prevention function
Enabling the Land attack prevention function
Enabling the Smurf attack prevention function
[Figure 30 labels: Switch 8800 between the Internet, the internal network (PC) and the DMZ (Server) over Ethernet; the statistics function is enabled on the TCP connections to the server.]