Filter and Firewall
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
Alcatel-Lucent
DEFAULT ATTACKS (NON-RATE LIMITING / STATELESS)
ICMP-PING-OF-DEATH
icmp-ping-of-death [{max-frag-num <1-4294967295> [max-total-length <1-4294967295>]|max-total-length <1-4294967295>}]
The TCP/IP specification sets a maximum size for an IP datagram. Many ping
implementations nevertheless allow you to specify a larger packet size. A grossly
oversized ICMP packet can trigger a range of adverse system reactions such as
denial of service (DoS), crashing, freezing, and rebooting. This command is
included in the default attack prevention list to protect the system from this
attack.
IP-LAND-ATTACK
ip-land-attack
A LAND attack consists of a stream of TCP SYN packets that have the source IP
address and TCP port number set to the same value as the destination address
and port number (i.e., that of the attacked host).
IP-TEAR-DROP
ip-tear-drop
The Teardrop attack tool exploits a vulnerability in TCP/IP fragment reassembly
code that does not properly handle overlapping IP fragments.
IP-TINY-FRAG
ip-tiny-frag [{max-frag-num|min-frag-size} <1-4294967295>]
If the fragment size is made small enough to force some of a TCP packet's TCP
header fields into the second fragment, filter rules that specify patterns for those
fields will not match. If the filtering implementation does not enforce a minimum
fragment size, a disallowed packet might be passed because it did not hit a match
in the filter. This keyword is also turned on by default. If you wish to disable it,
you can override this keyword and later turn it on again, with a specified minimum
fragment size, in the user-defined attack prevention list.
IP-ZERO-LENGTH
ip-zero-length
This kind of denial of service attack is caused when a 0-length IP fragment is
received as the first fragment in the list.
A series of such 0-length IP fragments, each arriving first in its fragment list,
makes it impossible for the kernel to deallocate the destination entry and remove
it from the cache, resulting in a denial of service. To avoid the attack, this
keyword is also placed in the default list.
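The stateless checks behind the five default-list entries above, as an added example written from the detection side; this is not Alcatel-Lucent code and does not parse real packets. The `Pkt` record and the `MIN_FRAG_SIZE` threshold are constructed assumptions standing in for the header fields a firewall would read and for the guide's `min-frag-size` parameter.

```python
# Added example (not from the OmniAccess guide): per-packet checks for the
# default-list attacks. Pkt is a constructed, simplified view of the IP/TCP header.
from dataclasses import dataclass
from typing import List

MAX_IP_DATAGRAM = 65535   # IPv4 total-length limit (RFC 791)
MIN_FRAG_SIZE = 16        # assumed threshold, analogue of the guide's min-frag-size

@dataclass
class Pkt:
    proto: str             # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    frag_offset: int = 0   # in 8-byte units, as carried in the IPv4 header
    more_frags: bool = False
    payload_len: int = 0   # bytes carried by this fragment

def classify(p: Pkt, min_frag_size: int = MIN_FRAG_SIZE) -> List[str]:
    """Return the default-list attack names this single packet matches."""
    hits = []
    # LAND: TCP SYN whose source and destination address:port are identical
    if p.proto == "tcp" and p.syn and p.src == p.dst and p.sport == p.dport:
        hits.append("ip-land-attack")
    # Ping of death: an ICMP fragment that would reassemble past 65535 bytes
    if p.proto == "icmp" and p.frag_offset * 8 + p.payload_len > MAX_IP_DATAGRAM:
        hits.append("icmp-ping-of-death")
    # Zero-length first fragment: the reassembler can never release the entry
    if p.frag_offset == 0 and p.more_frags and p.payload_len == 0:
        hits.append("ip-zero-length")
    # Tiny first fragment: too small to hold the TCP header the filter inspects
    elif (p.proto == "tcp" and p.frag_offset == 0 and p.more_frags
          and p.payload_len < min_frag_size):
        hits.append("ip-tiny-frag")
    return hits

def overlapping_fragments(frags: List[Pkt]) -> bool:
    """Teardrop check over one datagram's fragments: any overlapping byte ranges."""
    ranges = sorted((f.frag_offset * 8, f.frag_offset * 8 + f.payload_len) for f in frags)
    return any(b_start < a_end
               for (_, a_end), (b_start, _) in zip(ranges, ranges[1:]))
```

Feeding `overlapping_fragments` all fragments sharing one IP ID is the only check here that needs more than a single packet; the rest map one-to-one onto the guide's stateless entries.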