Alcatel-Lucent OmniSwitch 6860 Series
Configuring IP: IP Configuration
OmniSwitch AOS Release 8 Network Configuration Guide, December 2017, page 15-26
IP-Directed Broadcasts
An IP directed broadcast is an IP datagram that has all zeros or all ones in the host portion of the destination IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly attached. Directed broadcasts are used in denial-of-service attacks: a continuous stream of ping requests is sent from a falsified source address to a directed broadcast address, resulting in a large stream of replies, which can overload the host that owns the falsified source address. By default, the switch drops directed broadcasts. Directed broadcasts must not be enabled.
Use the ip directed-broadcast command to enable or disable IP-directed broadcasts. For example:
-> ip directed-broadcast enable
Use the show ip config command to display the IP-directed broadcast state.
Denial of Service (DoS) Filtering
By default, the switch filters denial of service (DoS) attacks, which are security attacks aimed at devices that are available on a private network or the Internet. Some attacks target system bugs or vulnerabilities, while other types of attacks involve generating large volumes of traffic so that network service is denied to legitimate network users. These attacks include the following:
ICMP Ping of Death—Ping packets that exceed the largest IP datagram size (65535 bytes) are sent to a host and crash the system.
Land Attack—Spoofed packets are sent with the SYN flag set to a host on any open port that is listening. The machine can crash or reboot in an attempt to respond.
ARP Flood Attack—Floods a switch with a large number of ARP requests, resulting in the switch using a large amount of CPU time to respond to these requests. If the number of ARP requests exceeds the preset value of 500 per second, an attack is detected.
Invalid IP Attack—Packets with invalid source or destination IP addresses are received by the switch. When such an Invalid-IP attack is detected, the packets are dropped, and SNMP traps are generated.
The following are a few examples of invalid source and destination IP addresses:

Invalid source IP address
- 0.x.x.x
- 255.255.255.255
- the subnet broadcast address of an existing IP interface, for example 172.28.255.255 for the interface 172.28.0.0/16
- any address in the range 224.x.x.x - 255.255.255.254
- a source IP address equal to one of the switch's IP interface addresses

Invalid destination IP address
- 127.x.x.x
- any address in the range 240.x.x.x - 255.255.255.254
- 0.0.0.0 (valid exceptions: certain DHCP packets)
- the router network address, for example 172.28.0.0 for the router interface 172.28.4.11/16
- 0.x.x.x
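As an added illustration, constructed for this page and not Alcatel-Lucent code (it does not show how AOS implements the filter), the following Python model applies the directed-broadcast rule from the previous section and the DoS and invalid-address rules from this section to sample packets. The switch interfaces, the Packet fields, the reading of "Land Attack" as a spoofed source equal to the destination, and the reading of "certain DHCP packets" as UDP port 67/68 traffic are assumptions; the 65535-byte limit and the 500 requests per second ARP threshold are the page's own values.

```python
# Added example, constructed for this page: a Python model of the filtering rules
# described above (directed broadcast, Ping of Death, Land, invalid source and
# destination addresses, ARP request rate). It is not Alcatel-Lucent code and does
# not show how AOS implements these checks. Interfaces, packet fields and the
# DHCP and Land-attack interpretations are assumptions, marked where they appear.
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed switch IP interfaces (constructed; 172.28.4.11/16 is the page's own example).
SWITCH_INTERFACES = [
    ipaddress.ip_interface("172.28.4.11/16"),
    ipaddress.ip_interface("10.1.1.1/24"),
]
MAX_IP_DATAGRAM = 65535      # largest IP datagram size, from the Ping of Death rule
ARP_RATE_THRESHOLD = 500     # ARP requests per second, from the ARP flood rule
DHCP_PORTS = {67, 68}        # assumption: "certain DHCP packets" means UDP 67/68


@dataclass
class Packet:
    src: str
    dst: str
    datagram_len: int = 84   # reassembled IP datagram length in bytes
    proto: str = "icmp"      # "icmp", "tcp" or "udp"
    syn: bool = False        # TCP SYN flag set
    src_port: int = 0
    dst_port: int = 0


def _in_range(addr, low, high):
    return ipaddress.ip_address(low) <= addr <= ipaddress.ip_address(high)


def invalid_source(src):
    """Reason string if src matches an invalid-source rule from the table, else None."""
    a = ipaddress.ip_address(src)
    if a.packed[0] == 0:
        return "source 0.x.x.x"
    if a == ipaddress.ip_address("255.255.255.255"):
        return "source 255.255.255.255"
    if _in_range(a, "224.0.0.0", "255.255.255.254"):
        return "source in 224.x.x.x - 255.255.255.254"
    for iface in SWITCH_INTERFACES:
        if a == iface.ip:
            return "source equals a switch IP interface address"
        if a == iface.network.broadcast_address:
            return "source is the subnet broadcast of an existing IP interface"
    return None


def invalid_destination(pkt):
    """Reason string if pkt.dst matches an invalid-destination rule, else None."""
    a = ipaddress.ip_address(pkt.dst)
    if a.packed[0] == 127:
        return "destination 127.x.x.x"
    if _in_range(a, "240.0.0.0", "255.255.255.254"):
        return "destination in 240.x.x.x - 255.255.255.254"
    if a.packed[0] == 0:
        is_dhcp = pkt.proto == "udp" and pkt.dst_port in DHCP_PORTS
        if a == ipaddress.ip_address("0.0.0.0") and is_dhcp:
            return None          # the table's DHCP exception for 0.0.0.0
        return "destination 0.x.x.x"
    for iface in SWITCH_INTERFACES:
        if a == iface.network.network_address:
            return "destination is the router network address"
    return None


def is_directed_broadcast(pkt):
    """True when dst is the broadcast address of an attached subnet the sender is not on."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst == i.network.broadcast_address and src not in i.network
               for i in SWITCH_INTERFACES)


def filter_packet(pkt, directed_broadcast_enabled=False):
    """Return the drop reason for pkt, or None when the switch would forward it."""
    if pkt.proto == "icmp" and pkt.datagram_len > MAX_IP_DATAGRAM:
        return "ICMP Ping of Death"
    if pkt.proto == "tcp" and pkt.syn and pkt.src == pkt.dst:
        return "Land Attack"   # assumption: spoofed source equal to the destination
    reason = invalid_source(pkt.src) or invalid_destination(pkt)
    if reason:
        return "Invalid IP: " + reason   # per the page: dropped and an SNMP trap generated
    if is_directed_broadcast(pkt) and not directed_broadcast_enabled:
        return "IP directed broadcast (dropped by default)"
    return None


class ArpRateMonitor:
    """Counts ARP requests per one-second bucket; observe() returns True once the
    bucket exceeds the threshold, i.e. an ARP flood is detected."""
    def __init__(self, threshold=ARP_RATE_THRESHOLD):
        self.threshold = threshold
        self.per_second = Counter()

    def observe(self, timestamp):
        bucket = int(timestamp)
        self.per_second[bucket] += 1
        return self.per_second[bucket] > self.threshold


if __name__ == "__main__":
    for p in [Packet("10.1.1.20", "172.28.255.255"),       # constructed samples
              Packet("172.28.255.255", "172.28.4.11"),
              Packet("172.28.9.9", "0.0.0.0", proto="udp", src_port=67, dst_port=68)]:
        print(p.src, "->", p.dst, ":", filter_packet(p) or "forwarded")
```

The model keeps the page's ordering: the DoS checks that need no address lookup come first, then the invalid-address table, and only then the directed-broadcast decision, which is the one the ip directed-broadcast command can change. A packet from a host on 172.28.0.0/16 to 172.28.255.255 is an ordinary local broadcast and is forwarded; the same destination from a host on 10.1.1.0/24 is a directed broadcast and is dropped unless the feature has been enabled.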