User Guide

ManualsBrandsMcafee ManualsOtherINTERNET SECURITY 5.0

100

McAfee Firewall

94 McAfee Internet Security 5.0

Common attacks recognized by IDS

The following table lists attacks recognized by McAfee Firewall’s IDS, a

description of each attack, and the risk factor assigned to each attack.

Attack Description Risk

Factor

1234 Also known as the Flushot attack, an attacker sends an oversize ping

packet that networking software could not handle. Usually, computers

hang or slows down. If a total lockup occurs, unsaved data may be lost.

Medium

Back Orifice Back Orifice is a back door program for Windows 9x written by a group

calling themselves the Cult of the Dead Cow. This back door allows

remote access to the machine once installed, allowing the installer to run

commands, get screen shots, modify the registry, and perform other

operations. Client programs to access Back Orifice are available for

Windows and UNIX.

High

Bonk Designed to exploit an implementation error in the first Teardrop patch

released by Microsoft, this attack is basically a Windows-specific variant of

the original Teardrop attack.

High

Fraggle This attack is a UDP variant of the Smurf attack. By sending a forged UDP

packet to a particular port on a broadcast address, systems on the

“amplifier” network will respond to the target machine with either a UDP

response or an ICMP UNREACHABLE packet. This flood of incoming

packets results in a denial of service attack against the target machine.

High

IP Spoofing IP spoofing involves sending data with a falsified return IP address. There

is nothing inherently dangerous about spoofing a source IP address, but

this technique can be used in conjunction with others to carry out attacks

TCP session hijacking, or to obscure the source of denial of service

attacks (SYN flood, PING flood, etc.).

Medium

Jolt A remote denial of service attack using specially crafted ICMP packet

fragments. May cause slowdowns or crashes on target systems.

High

Jolt 2 A remote Denial of Service (DoS) attack similar to Jolt that uses specially

crafted ICMP or UDP packet fragments. May cause slowdowns or crashes

on target systems.

High

Land This attack is performed by sending a TCP packet to a running service on

the target host, with a source address of the same host. The TCP packet

is a SYN packet, used to establish a new connection, and is sent from the

same TCP source port as the destination port. When accepted by the

target host, this packet causes a loop within the operating system,

essentially locking up the system.

High

Nestea This attack relies on an error in calculating sizes during packet fragment

reassembly. In the reassembly routine of vulnerable systems, there was a

failure to account for the length of the IP header field. By sending carefully

crafted packets to a vulnerable system, it is possible to crash the target.

High