Configuring Single-Packet Attack Defense
This section describes how to configure single-packet attack defense.
-
Configuring IP Address Sweep Attack Defense
-
An attacker sends ICMP packets or TCP/UDP packets to initiate connections to certain IP addresses. By checking whether response packets are returned, the attacker can determine which target systems are alive and connected to the target network.
-
Configuring Port Scan Attack Defense
-
An attacker probes the network structure by scanning ports to determine which ports are currently enabled on the attacked host, and then chooses the attack mode accordingly.
-
Configuring Smurf Attack Defense
-
An attacker sends an ICMP request with a destination IP address whose host portion is a multicast IP address, all 1s, or all 0s, which causes all hosts or specified hosts on the attacked network to respond to the ICMP request. As a result, the network crashes or hosts break down.
-
Configuring Land Attack Defense
-
In a Land attack, an attacker sends SYN packets to the attacked host. Both the source IP address and the destination IP address of each SYN packet are the IP address of the attacked host. As a result, the attacked host sends SYN-ACK packets to its own IP address, which creates a large number of null connections on the attacked host. Attacked hosts react differently to Land attacks: UNIX hosts crash and Windows NT hosts run very slowly.
-
Configuring Fraggle Attack Defense
-
An attacker sends UDP packets to the network where the target host resides. The source IP address of the UDP packets is the IP address of the target host, the destination IP address is the broadcast address or network address of the subnet where the target host resides, and the destination port is port 7 or port 19. This generates a large volume of traffic on the attacked network. As a result, the attacked network is congested or the target host crashes.
-
Configuring IP Fragment Attack Defense
-
An attacker sends fragments to control illegitimate packets. As a result, after receiving the packets, target hosts become faulty, fail to process packets normally, or even crash.
-
Configuring IP Spoofing Attack Defense
-
To obtain access permission, the attacker sends a large number of attack packets with forged source IP addresses to the target system. For applications that use IP address-based authentication, this attack enables unauthorized users to access the target system, possibly even with the system user right.
-
Configuring Ping of Death Attack Defense
-
A Ping of Death attack targets a system by using large ICMP packets. After receiving such packets, certain systems may crash, stop responding, or restart because they process the packets improperly.
-
Configuring TCP Packet Flag Bit Attack Defense
-
The TCP flag field consists of six bits: URG, ACK, PSH, RST, SYN, and FIN. The attacker sends a large number of packets with illegitimate combinations of TCP flag bits to harm the target host.
-
Configuring Teardrop Attack Defense
-
After obtaining IP packets, the attacker sets the offset fields to incorrect values. The receiver therefore cannot correctly reassemble the fragmented packets according to their offset fields. The receiver keeps attempting to reassemble the IP packets, which exhausts resources and crashes the OS.
-
Configuring WinNuke Attack Defense
-
In a WinNuke attack, an attacker sends an Out-of-Band (OOB) packet to the NetBIOS port on a target host on which the Windows system is installed. A NetBIOS fragment overlap then occurs, and the target host crashes. Another form of WinNuke attack sends IGMP fragment packets.
-
Configuring Large ICMP Packet Attack Defense
-
In a large ICMP packet attack, an attacker uses large ICMP packets to attack target systems. When receiving such packets, certain systems crash, stop responding, or restart due to the improper processing of the packets.
-
Configuring ICMP Redirect Packet Attack Defense
-
In an ICMP redirect packet attack, an attacker sends forged redirect packets to the hosts on another network to change the routing tables of the hosts and interfere with normal IP packet sending on the hosts.
-
Configuring ICMP Unreachable Packet Attack Defense
-
After receiving an ICMP packet indicating that a network or host is unreachable, certain systems assume that follow-up packets to that network or host cannot reach the destination, and therefore break the connection between the host and the destination. Knowing this, attackers forge ICMP unreachable packets to break the connections between victims and their destinations.
-
Configuring Attack Defense Against IP Packets with the Route Record Option
-
Generally, the IP route record option is used to diagnose faults on network paths, but malicious attackers may also use it to probe the network structure.
-
Configuring Attack Defense Against IP Packets with the Source Route Option
-
Because the IP source route option disregards the forwarding decisions of the intermediate devices along the packet transmission path, regardless of the working status of forwarding interfaces, malicious attackers may use it to probe the network structure.
-
Configuring Tracert Packet Attack Defense
-
In a Tracert packet attack, an attacker discovers the path between the source host and the destination host by using the ICMP timeout packets returned when the TTL is 0 and the ICMP port unreachable packet returned by the destination.
-
Configuring Attack Defense Against IP Packets with the Timestamp Option
-
Generally, the IP timestamp option is used to diagnose faults on network paths, but malicious attackers may also use it to probe the network structure.