This section describes how single-packet attacks work and how the FW defends against them.
Single-packet attacks are classified as scanning and sniffing attacks, malformed packet attacks, or special packet attacks.
Scanning attacks are potential attack behaviors that do not directly damage network devices. Generally, they are network probes that precede the actual attack. The FW can defend against the scanning attacks described in Table 1.
| Type | Attack Mechanism | Defense Mechanism |
|---|---|---|
| Address sweeping | Address sweeping attacks use ICMP packets or TCP/UDP packets to initiate connections to a set of IP addresses. By analyzing the response packets, the attacker determines which target systems are alive and reachable on the target network. | After IP address sweeping attack defense is enabled, the FW inspects received TCP, UDP, and ICMP packets. If the number of packets with different destination ports from a specific source IP address per second exceeds the threshold, the FW determines that the host at this IP address is launching IP address sweeping attacks and blacklists the IP address. |
| Port scanning | The attacker uses port scanning to probe the network topology and find the ports currently open on the target, then uses this information to choose the attack mode. In port scanning attacks, the attacker generally uses port scanning software to initiate connections to a series of TCP or UDP ports on a wide range of hosts. By analyzing the response packets, the attacker determines whether these hosts provide services on these ports. | After port scanning attack defense is enabled, the FW inspects received TCP and UDP packets. If the number of packets with different destination ports from a specific source IP address per second exceeds the threshold, the FW determines that the host at this IP address is launching port scanning attacks and blacklists the IP address. |
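As an added example that is not part of the vendor documentation, the following Python models the per-source, per-second counting both rows describe: it tracks distinct destination ports per source for port scanning and, as an assumption, distinct destination addresses per source for address sweeping, blacklisting a source once either count exceeds an assumed threshold of 30 within one second. The flow records and thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, proto, dst_port).
SAMPLE = (
    [(0.1 + i * 0.01, "10.0.0.5", "192.168.1.20", "tcp", 1000 + i) for i in range(40)]  # one host, 40 ports
    + [(0.2 + i * 0.01, "10.0.0.6", f"192.168.1.{i}", "icmp", 0) for i in range(1, 40)]  # 39 hosts
    + [(0.3, "10.0.0.7", "192.168.1.20", "tcp", 443), (1.5, "10.0.0.7", "192.168.1.20", "tcp", 80)]
)

class ScanDetector:
    """Per-source, per-second counters: distinct destination ports (port scanning, TCP/UDP only)
    and distinct destination addresses (address sweeping, TCP/UDP/ICMP). Thresholds are assumed."""

    def __init__(self, port_threshold=30, addr_threshold=30):
        self.port_threshold, self.addr_threshold = port_threshold, addr_threshold
        self.ports = defaultdict(set)   # (src, second) -> destination ports seen
        self.addrs = defaultdict(set)   # (src, second) -> destination addresses seen
        self.blacklist = {}             # src -> reason it was blacklisted

    def observe(self, ts, src, dst, proto, dport):
        """Account one packet; return 'blocked', 'allowed', or the reason just triggered."""
        if src in self.blacklist:
            return "blocked"
        key = (src, int(ts))            # one-second bucket, matching the FW's per-second rate
        if proto in ("tcp", "udp", "icmp"):
            self.addrs[key].add(dst)
            if len(self.addrs[key]) > self.addr_threshold:
                self.blacklist[src] = "address sweeping"
        if proto in ("tcp", "udp"):
            self.ports[key].add(dport)
            if len(self.ports[key]) > self.port_threshold:
                self.blacklist[src] = "port scanning"
        return self.blacklist.get(src, "allowed")

def run(records, **thresholds):
    """Replay records in time order and return the resulting blacklist."""
    det = ScanDetector(**thresholds)
    for rec in sorted(records):
        det.observe(*rec)
    return det.blacklist

if __name__ == "__main__":
    print(run(SAMPLE))
```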
In malformed packet attacks, the attacker sends defective packets to a target, which may encounter errors or crash when handling them. The FW can defend against the malformed packet attacks described in Table 2.
| Type | Attack Mechanism | Defense Mechanism |
|---|---|---|
| IP spoofing | IP spoofing is a common type of attack and is usually used as the basis for other attacks. | After IP spoofing attack defense is enabled, the FW looks up the route to the source IP address of each received packet and checks whether the outbound interface for that source IP address in the routing table is the same as the inbound interface of the packet. If they differ, the packet is considered an IP spoofing attack and is processed according to the action configured with firewall defend action. |
| IP fragment detection | The DF and MF flags in the IP packet header are used for fragment control. The attacker sends illegitimate fragment control packets, causing anomalies or even system crashes on the receiving hosts. | After IP fragment detection is enabled, the FW monitors the control flags of passing packets and logs the attacks if: |
| Teardrop | To comply with the link-layer Maximum Transmission Unit (MTU), the FW fragments each large IP packet into several smaller IP packets during transmission. Each fragment header carries an offset field and an MF flag bit; the offset field records the position of the fragment within the original packet. After obtaining IP packets, the attacker changes the values in the offset fields, so the receiver cannot correctly reassemble the fragments from their offset fields. The receiver repeatedly attempts reassembly, and the operating system crashes due to resource exhaustion. | After Teardrop attack defense is enabled, the FW analyzes received fragments and checks whether the fragment offset is correct. If the offset is incorrect, the FW discards the packets and logs the attack. |
| Smurf | A simple Smurf attack targets a single network. The attacker sends an ICMP echo request to a multicast IP address, the broadcast address of the victim network, or the address whose host segment is all 0s, so that all hosts reply to the echo request and the network is congested. The traffic of this attack is one or two times heavier than the traffic of a large ping packet. An advanced Smurf attack targets a single host: the attacker sets the source address of the ICMP echo request to the address of the target host, so that hosts on the network send their replies to the target host, causing it to crash. A real attack needs sufficient packets and time; theoretically, the more hosts on the network, the more obvious the attack effect. | After Smurf attack defense is enabled, the FW checks whether the destination address of an ICMP echo request packet is a multicast IP address, or an all-1 (broadcast) or all-0 address in the host segment of a class A, B, or C subnet. If so, the FW discards the packets and logs the attack. |
| Ping of Death | Ping of Death uses oversized ICMP packets to attack operating systems. The Length field of an IP packet is 16 bits, so the maximum length of an IP packet is 65535 bytes. If the data length of an ICMP echo request packet exceeds 65515 bytes, the sum of the ICMP data length, IP header length (20 bytes), and ICMP header length (8 bytes) exceeds 65535 bytes. After receiving such packets, some routers or systems crash, stop responding, or restart due to improper processing. The attacker can crash the TCP/IP stack, and therefore the target host, simply by running the ping command to continuously send packets larger than 65535 bytes. | After Ping of Death attack defense is enabled, the FW checks whether the packet size is greater than 65535 bytes. If so, the FW discards the packets and logs the attack. |
| Fraggle | When a UDP port running the Chargen service (usually port 19) receives a packet, it replies with a character string; when a UDP port running the Echo service (usually port 7) receives a packet, it simply replies with the packet's data content. Attackers can abuse these two services to launch Fraggle attacks, leaving the victim systems busy and the links congested. The attacker sends UDP packets to the network where the target host resides. The source IP address of each UDP packet is the IP address of the target host, the destination IP address is the broadcast address or network address of the target's subnet, and the destination port is port 7 or port 19. Each system on the subnet with this service enabled sends a response to the target host, generating heavy traffic that exhausts the bandwidth, congests the target network, or crashes the target host. Systems without the service also return ICMP unreachable messages, consuming bandwidth. If the attacker sets the source port to port 19 and the destination port to port 7, response packets are generated continuously and the damage is far greater. | After Fraggle attack defense is enabled, the FW inspects received UDP packets. If the destination port number is 7 or 19, the FW discards the packets and logs the attack. |
| WinNuke | A WinNuke attack is also called an out-of-band (OOB) transmission attack. The attacked port is usually port 139, and the URG flag bit is set to 1 (indicating emergency mode). WinNuke exploits vulnerabilities in the Windows operating system: the attacker sends TCP out-of-band packets to the port that differ from normal OOB packets in that their urgent pointer fields are inconsistent with the actual location of the data, which causes overlap, and Windows crashes when processing the data. The attacker can also send IGMP fragments that the operating system cannot process, which likewise crashes it. | After WinNuke attack defense is enabled, the FW discards packets with destination port 139, the URG flag set to 1, and a non-null URG pointer, and logs the attack. In addition, when IGMP fragments are received, the device considers that a WinNuke attack has occurred, discards the fragments, and logs the attack. |
| Land | Land attacks are also called loopback attacks. The attacker sends the target host a SYN packet whose source and destination IP addresses are the same, or whose source IP address is a loopback interface address, with the source port equal to the destination port. As a result, the attacked host sends a SYN-ACK to its own IP address, and a large number of empty connections are established. Attacked hosts behave differently under Land attacks: UNIX hosts crash and Windows NT hosts run slowly. | After Land attack defense is enabled, the FW checks whether the source and destination IP addresses of a TCP packet are the same, or whether the source IP address is a loopback interface address. If either is the case, the FW discards the packets and logs the attack. |
| TCP flag validity check | A TCP packet has the following flag bits: URG, ACK, PSH, RST, SYN, and FIN. The attacker sends a large number of illegitimate packets with combinations of these flag bits. The attacked host must identify these packets, which degrades its performance; certain operating systems fail to process the packets normally, or the host may crash. | After TCP packet flag bit attack defense is enabled, the FW checks the flag bits of each TCP packet, and discards the packets and logs the attack if any of the following conditions occur: |
Special packet control attacks do not directly damage network devices. The attacker probes the network topology by sending special packets in preparation for further intrusion. The FW can defend against the special packet control attacks described in Table 2.
| Type | Attack Mechanism | Defense Mechanism |
|---|---|---|
| Oversized ICMP packet control | Legitimate ICMP packets are not typically very large. If oversized ICMP packets are detected on the network, attacks such as ICMP flood or Ping of Death may be under way. | You must specify the length threshold of legitimate ICMP packets when enabling control over oversized ICMP packets. If the length of any received ICMP packet exceeds the specified threshold, the FW discards the packets and logs the attack. |
| ICMP unreachable packet control | After receiving an ICMP packet indicating that a network or host is unreachable, some systems immediately treat subsequent packets destined for that IP address as undeliverable and terminate the connection between the host and the destination IP address. The attacker can therefore forge ICMP unreachable packets to break the connections between targets and their destinations. | After ICMP unreachable packet attack defense is enabled, the FW discards ICMP unreachable packets and logs the attack. |
| ICMP redirect packet control | A network device sends an ICMP redirect packet to hosts on the same subnet, requesting that they change their route. Generally, the FW sends ICMP redirect packets only to hosts on the same subnet. Malicious attackers, however, may send fraudulent redirect packets to hosts on another network to change their routing tables and interfere with normal IP packet forwarding. | After ICMP redirect packet attack defense is enabled, the FW discards ICMP redirect packets and logs the attack. |
| Tracert | In a Tracert packet attack, the attacker discovers the path between the source and destination hosts using the ICMP timeout packets returned when the TTL reaches 0 and the ICMP port unreachable packet returned by the destination. | After Tracert packet attack defense is enabled, the FW discards ICMP or UDP timeout packets and destination port unreachable packets, and logs the attack. |
| IP source route packet control | The transmission path of an IP packet is normally determined by the routers on the network according to the packet's destination address. The source route option instead lets the packet sender determine the transmission path: the source specifies a route to the destination that replaces the routes chosen by intermediate routers. The source route option is generally used to diagnose faults on network paths and to temporarily carry special services. Because it bypasses the normal forwarding decisions of the devices along the path, regardless of the working status of their forwarding interfaces, malicious attackers may use the IP source route option to probe the network structure. | After IP source route packet control is enabled, the FW checks whether the IP source route option is set in each received packet. If so, the FW discards the packets and logs the attack. |
| IP route record packet control | The IP route record option records the transmission path of an IP packet from the source IP address to the destination IP address as a list of the routers that processed the packet. It is generally used to diagnose faults on network paths, but malicious attackers may also use it to probe the network topology. | After IP route record packet control is enabled, the FW checks whether the IP route record option is set in each received packet. If so, the FW discards the packets and logs the attack. |
| IP timestamp packet control | The IP timestamp option records the transmission path of an IP packet from the source IP address to the destination IP address, as a list of the routers that processed the packet, together with the time spent in transmission. It is generally used to diagnose faults on network paths, but malicious attackers may also use it to probe the network topology. | After IP timestamp packet control is enabled, the FW checks whether the IP timestamp option is set in each received packet. If so, the device discards the packets and logs the attack. |
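As an added example that is not part of this documentation, the following Python applies the per-packet checks from the malformed packet table (Land, WinNuke, Fraggle, Smurf, Ping of Death) and from the special packet table (IP source route, route record and timestamp options) to constructed IPv4 packets. The option kind values and the classful host-segment computation are assumptions drawn from the IP standards rather than from the page, and the packets are built by the block's own build_ipv4 helper.

```python
import struct
from ipaddress import IPv4Address

# IP option kinds (from the IP standards, not this page): LSRR 131 / SSRR 137 = source route,
# 7 = record route, 68 = timestamp.
OPTION_NAMES = {131: "IP source route", 137: "IP source route", 7: "IP route record", 68: "IP timestamp"}

def build_ipv4(src, dst, proto, payload, options=b"", frag_off=0):
    """Constructed test packet: IPv4 header (options padded to 4 bytes) + transport payload."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, frag_off // 8,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + options + payload

def classful_host_bits(addr):
    """Host-part width for class A/B/C; 0 for class D/E, which have no host segment."""
    first = int(addr) >> 24
    return 24 if first < 128 else 16 if first < 192 else 8 if first < 224 else 0

def classify(pkt):
    """Return the attack names the table checks raise for one IPv4 packet (empty set = clean)."""
    ver_ihl, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl, src, dst = (ver_ihl & 0x0F) * 4, IPv4Address(src), IPv4Address(dst)
    l4, opts, pos, hits = pkt[ihl:total_len], pkt[20:ihl], 0, set()
    while pos < len(opts) and opts[pos] != 0:            # walk the option list; 0 ends it, 1 is NOP
        if opts[pos] in OPTION_NAMES:
            hits.add(OPTION_NAMES[opts[pos]])
        pos += 1 if opts[pos] == 1 else max(opts[pos + 1], 2) if pos + 1 < len(opts) else len(opts)
    if 20 + (frag & 0x1FFF) * 8 + len(l4) > 65535:        # reassembled datagram would exceed 65535
        hits.add("Ping of Death")
    if proto == 6 and len(l4) >= 20:                       # TCP: Land and WinNuke
        _, dport, _, _, off_flags, _, _, urg_ptr = struct.unpack("!HHIIHHHH", l4[:20])
        if src == dst or src.is_loopback:
            hits.add("Land")
        if dport == 139 and off_flags & 0x20 and urg_ptr:  # URG flag set with non-zero urgent pointer
            hits.add("WinNuke")
    elif proto == 17 and len(l4) >= 8 and struct.unpack("!H", l4[2:4])[0] in (7, 19):  # UDP echo/chargen
        hits.add("Fraggle")
    elif proto == 1 and len(l4) >= 8 and l4[0] == 8:       # ICMP echo request: Smurf target check
        bits = classful_host_bits(dst)
        host = int(dst) & ((1 << bits) - 1)
        if dst.is_multicast or (bits and host in (0, (1 << bits) - 1)):
            hits.add("Smurf")
    return hits
```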