414
Single-packet
attack
Description
Route Record
An attacker exploits the route record option in the IP header to probe the topology
of a network.
Smurf
An attacker sends an ICMP echo request to the broadcast address of the target
network. As a result, all hosts on the target network reply to the request, causing
the network congested and hosts on the target network unable to provide services.
Source Route
An attacker exploits the source route option in the IP header to probe the topology
of a network.
TCP Flag
Some TCP flags are processed differently on different operating systems. A TCP
flag attacker sends TCP packets with such TCP flags to a target host to probe its
operating system. If the operating system cannot process such packets correctly,
the attacker successfully makes the host crash down.
Tracert
An attacker exploits the Tracert program to probe the network topology.
The Tracert program sends batches of UDP packets with a large destination port
number and an increasing TTL (starting from 1). The TTL of a packet is decreased
by 1 when the packet passes each router. Upon receiving a packet with a TTL of 0,
a router must send an ICMP time exceeded message back to the source IP
address of the packet. The Tracert program uses these returning packets to figure
out the hosts that the packets have traversed from the source to the destination.
WinNuke
An attacker sends Out-of-Band (OOB) data with the pointer field values overlapped
to the NetBIOS port (139) of a Windows system with an established connection to
introduce a NetBIOS fragment overlap, causing the system to crash.
Scanning attack
An attacker uses some scanning tools to scan host addresses and ports in a network, so as to find
possible targets and the services enabled on the targets and figure out the network topology,
preparing for further attacks to the target hosts.
Flood attack
An attacker sends a large number of forged requests to the targets in a short time, so that the target
system is too busy to provide services for legal users, resulting in denial of services.
The device can effectively defend against three types of flood attacks:
• SYN flood attack
Because of the limited resources, the TCP/IP stack permits only a limited number of TCP
connections. An attacker sends a great quantity of SYN packets to a target server, using a
forged address as the source address. After receiving the SYN packets, the server replies with
SYN ACK packets. As the destination address of the SYN ACK packets is unreachable, the
server can never receive the expected ACK packets, and thus have to maintain large amounts
of half-open connections. In this way, the attacker exhausts the system resources of the server,
making the server unable to service normal clients.
• ICMP flood attack
An attacker sends a large number of ICMP requests to the target in a short time by, for example,
using the ping program, causing the target too busy to process normal services.
• UDP flood attack
An attacker sends a large number of UDP packets to the target in a short time, making the
target too busy to process normal services.
Blacklist function
The blacklist function is an attack protection measure that filters packets by source IP address.
Compared with Access Control List (ACL) packet filtering, blacklist filtering is simpler in matching
To Next Page
Loading...
Need help?
General
