152
Table 93 Types of single-packet attacks
Single-packet
attack
Description
Fraggle
A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port
number of 7) or Chargen packets (with the UDP port number of 19) to a subnet
broadcast address. This will cause a large quantity of responses in the network,
using up the network bandwidth of the subnet or crashing the target host.
LAND
A LAND attacker forges large amounts of TCP SYN packets with both the source
address and destination address being the IP address of the target, causing the
target to send SYN ACK messages to itself and establish half-open connections as
a result. In this way, the attacker depletes the half-open connection resources of
the target, making it unable to work correctly.
WinNuke
A WinNuke attacker sends Out-of-Band (OOB) data packets to the NetBIOS port
(139) of a target running a Windows system. The pointer fields of these attack
packets are overlapped, resulting in NetBIOS fragment overlaps. This will cause
the target host that has established TCP connections with other hosts to crash
when it processes these NetBIOS fragments.
TCP Flag
Different operating systems process abnormal TCP flags differently. The attacker
sends TCP packets with abnormal TCP flags to the target host to probe its
operating system. If the operating system cannot process such packets correctly,
the host will crash down.
ICMP Unreachable
Upon receiving an ICMP unreachable packet, some systems conclude that the
destination is unreachable and drop all subsequent packets destined for the
destination. By sending ICMP unreachable packets, an attacker can cut off the
connection between the target host and the network.
ICMP Redirect
An ICMP Redirect attacker sends ICMP redirect messages to hosts on a subnet to
request the hosts to change their routing tables, interfering with the normal
forwarding of IP packets.
Tracert
The Tracert program usually sends UDP packets with a large destination port
number and an increasing TTL (starting from 1). The TTL of a packet is decreased
by 1 when the packet passes each router. Upon receiving a packet with a TTL of 0,
a router sends an ICMP time exceeded message back to the source IP address of
the packet. A Tracert attacker exploits the Tracert program to figure out the network
topology.
Smurf
A Smurf attacker sends ICMP echo requests to the broadcast address of the target
network. As a result, all hosts on the target network will reply to the requests,
causing the network congested and hosts on the target network unable to provide
services.
Source Route
A Source Route attacker probes the network structure through the Source Route
option in IP packets.
Route Record
A Route Record attacker probes the network structure through the Record Route
option in IP packets.
Large ICMP
For some hosts and devices, large ICMP packets will cause memory allocation
error and thus crash down the protocol stack. An attacker can make a target crash
down by sending large ICMP packets to it.
The single-packet attack protection function takes effect to only incoming packets. It analyzes the
characteristics of incoming packets to determine whether the packets are offensive and, if they are
offensive, logs the events and discards the packets. For example, if the length of an ICMP packet
reaches or exceeds 4000 bytes, the device considers the packet a large ICMP attack packet, outputs
a warning log, and discards the packet.
To Next Page
Loading...
Need help?
General
