• By stripping the URG bit by default from all TCP segments traversing the system. This is
configurable in the Web Interface by going to:
System > Advanced Settings > TCP Settings > TCP URG.
WinNuke attacks will usually show up in NetDefendOS logs as normal drops with the name of the
IP rule that disallowed the connection attempt.
For connections allowed through the system, "TCP" or "DROP" category (depending on the
TCPUrg setting) entries will appear, with a rule name of "TCPUrg". The sender IP address is not
likely to be spoofed; a full three-way handshake must be completed before out-of-band
segments can be sent.
6.7.7. Amplification Attacks
This category of attacks all make use of "amplifiers": poorly configured networks who amplify a
stream of packets and send it to the ultimate target. Historical examples of this include Smurf,
Papasmurf and Fraggle.
The goal with these attacks is excessive bandwidth consumption. That is to say, consuming all of
the victim's Internet connection capacity. An attacker with sufficient bandwidth can forgo the
entire amplification stage and simply stream enough bandwidth at the victim. However, these
attacks allows attackers with less bandwidth than the victim to amplify their data stream to
overwhelm the victim.
• "Smurf" and "Papasmurf" send ICMP echo packets to the broadcast address of open networks
with many machines, faking the source IP address to be that of the victim. All machines on
the open network then "respond" to the victim.
• "Fraggle" uses the same general idea, but instead using UDP echo (port 7) to accomplish the
task. Fraggle generally gets lower amplification factors since there are fewer hosts on the
Internet that have the UDP echo service enabled.
Smurf attacks will show up in NetDefendOS logs as masses of dropped ICMP Echo Reply packets.
The source IP addresses will be those of the amplifier networks used. Fraggle attacks will show
up in NetDefendOS logs as masses of dropped (or allowed, depending on policy) packets. The
source IP addresses will be those of the amplifier networks used.
Avoiding Becoming an Amplifier
Even though the full force of the bandwidth stream is at the ultimate victim's side, being selected
as an amplifier network can also consume great resources. In its default configuration,
NetDefendOS explicitly drops packets sent to broadcast address of directly connected networks
(configurable via System > Advanced Settings > IP Settings > DirectedBroadcasts). However,
with a reasonable inbound policy, no protected network should ever have to worry about
becoming a smurf amplifier.
Protection on the Victim's Side
Smurf, and its followers, are resource exhaustion attacks in that they use up Internet connection
capacity. In the general case, the firewall is situated at the "wrong" side of the Internet
connection bottleneck to provide much protection against this class of attacks. The damage has
already been done by the time the packets reach the firewall.
However, NetDefendOS can help in keeping the load off of internal servers, making them
available for internal service, or perhaps service via a secondary Internet connection not targeted
by the attack.
Chapter 6: Security Mechanisms
568
To Next Page
Loading...
