
Hirschmann BAT54-Rail User Manual

Firewall
BAT54-Rail/F.. Release 7.54 06/08
8.5 Denial of Service
Page 305
An appropriate firewall countermeasure is to monitor the number of "half-open" TCP connections that exist between two stations and to limit it. If further TCP connections are then established between these workstations, the firewall blocks them.
Smurf
The Smurf attack works in two stages and paralyzes two networks at once. In the first step, a ping (ICMP Echo Request) packet with a falsified sender address is sent to the broadcast address of the first network, whereupon all workstations in this network answer with an ICMP Echo Reply to the falsified sender address, which is located in the second network. If the rate of incoming echo requests and the number of answering workstations are high enough, the entire incoming traffic of the second network is blocked for the duration of the attack and, moreover, the owner of the falsified address can no longer receive normal data. If the falsified sender address is the broadcast address of the second network, all workstations in that network are blocked as well.
In this case, the DoS detection of the BAT blocks packets passing through that are addressed to the local broadcast address.
LAND
The LAND attack uses a TCP packet with the SYN flag set and a falsified sender address, sent to the victim workstation. The crucial point is that the falsified sender address is identical to the address of the victim. With a flawed TCP implementation, the victim interprets the SYN-ACK it sends as a new SYN and answers with another SYN-ACK. This leads to an endless loop that freezes the workstation.
In a more recent variant, the loopback address "127.0.0.1" is used as the sender address instead of the address of the attacked workstation. The purpose of this deception is to outwit personal firewalls that react to the classic variant (sender address = destination address) but let the new form pass unhindered. The BAT also recognizes and blocks this variant.
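The three checks described so far (half-open connection limit, packets to the local broadcast address, both LAND variants), sketched as an added example that is not code from the manual or from the BAT firmware. LOCAL_NET, HALF_OPEN_LIMIT, the packet-dict layout and the verdict strings are assumptions made for illustration, and half-open entries are cleared only by the final ACK, not by a timeout.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed protected LAN
HALF_OPEN_LIMIT = 2                               # assumed per-pair limit

class DosFilter:
    def __init__(self):
        # (src, dst) -> set of (sport, dport) handshakes awaiting the final ACK
        self.half_open = defaultdict(set)

    def verdict(self, p):
        src, dst = (ipaddress.ip_address(p[k]) for k in ("src", "dst"))
        # Smurf: packet addressed to the local broadcast address
        if dst == LOCAL_NET.broadcast_address:
            return "block:smurf"
        if p["proto"] != "tcp":
            return "pass"
        conn = (p["sport"], p["dport"])
        if p["flags"] == "S":
            # LAND: sender equals destination, or the loopback-sender variant
            if src == dst or src.is_loopback:
                return "block:land"
            pending = self.half_open[(src, dst)]
            if conn not in pending and len(pending) >= HALF_OPEN_LIMIT:
                return "block:half-open-limit"
            pending.add(conn)
        elif p["flags"] == "A":
            # Handshake completed: this connection is no longer half-open
            self.half_open[(src, dst)].discard(conn)
        return "pass"

def pkt(src, dst, proto="tcp", flags="", sport=0, dport=0):
    return dict(src=src, dst=dst, proto=proto, flags=flags, sport=sport, dport=dport)

# Constructed sample traffic (documentation address ranges), in arrival order
SAMPLE = [
    pkt("203.0.113.9", "192.0.2.255", proto="icmp"),
    pkt("192.0.2.10", "192.0.2.10", flags="S", sport=1025, dport=139),
    pkt("127.0.0.1", "192.0.2.10", flags="S", sport=1025, dport=139),
    pkt("198.51.100.7", "192.0.2.10", flags="S", sport=40001, dport=80),
    pkt("198.51.100.7", "192.0.2.10", flags="S", sport=40002, dport=80),
    pkt("198.51.100.7", "192.0.2.10", flags="S", sport=40003, dport=80),
    pkt("198.51.100.7", "192.0.2.10", flags="A", sport=40001, dport=80),
    pkt("198.51.100.7", "192.0.2.10", flags="S", sport=40003, dport=80),
]

def run(packets):
    f = DosFilter()
    return [f.verdict(p) for p in packets]
```

Calling run(SAMPLE) returns one verdict per packet: the third SYN from the same pair is blocked while two handshakes are pending and passes once one of them has completed.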
Ping of Death
The Ping of Death is one of the attacks that exploit errors in the reassembly of fragmented packets. It works as follows:


Hirschmann BAT54-Rail Specifications

General
Brand: Hirschmann
Model: BAT54-Rail
Category: Wireless Access Point
Language: English
