Chapter 15 Firewall
VMG1312-B Series User’s Guide
15.1.2 What You Need to Know
SYN Attack
A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the
targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that
follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on a backlog queue.
SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer terminates
the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests,
making the system unavailable for legitimate users.
DoS
Denial of Service (DoS) attacks are aimed at devices and networks with a connection to the
Internet. Their goal is not to steal information, but to disable a device or network so users no longer
have access to network resources. The ZyXEL Device is pre-configured to automatically detect and
thwart all known DoS attacks.
DDoS
A DDoS attack is one in which multiple compromised systems attack a single target, thereby
causing denial of service for users of the targeted system.
LAND Attack
In a LAND attack, hackers flood SYN packets into the network with a spoofed source IP address of
the target system. This makes it appear as if the host computer sent the packets to itself, making
the system unavailable while the target system tries to respond to itself.
Ping of Death
Ping of Death uses a "ping" utility to create and send an IP packet that exceeds the maximum
65,536 bytes of data allowed by the IP specification. This may cause systems to crash, hang or
reboot.
SPI
Stateful Packet Inspection (SPI) tracks each connection crossing the firewall and makes sure it is
valid. Filtering decisions are based not only on rules but also context. For example, traffic from the
WAN may only be allowed to cross the firewall in response to a request from the LAN.
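
The SPI and LAND descriptions above can be seen in a small connection-tracking filter. This is an added example, not ZyXEL firmware code; the Packet and StatefulFilter names, the verdict strings and the sample addresses are assumptions made for the illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    iface: str   # side the packet arrived on: "LAN" or "WAN"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Toy SPI table: WAN packets pass only as replies to LAN-initiated flows."""

    def __init__(self):
        self.flows = set()  # (lan_ip, lan_port, wan_ip, wan_port)

    def check(self, p: Packet) -> str:
        # LAND signature from the text: source address spoofed to equal the target.
        if p.src == p.dst:
            return "DROP land"
        if p.iface == "LAN":
            # Outbound request: remember the flow so the reply can be matched.
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT outbound"
        # Inbound from WAN: allowed only if it mirrors a tracked LAN flow.
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "ACCEPT reply"
        return "DROP unsolicited"

# Constructed sample traffic (documentation/private addresses, not real captures).
SAMPLE = [
    Packet("LAN", "192.168.1.10", 40000, "203.0.113.5", 443),
    Packet("WAN", "203.0.113.5", 443, "192.168.1.10", 40000),
    Packet("WAN", "198.51.100.7", 5555, "192.168.1.10", 22),
    Packet("WAN", "192.168.1.10", 80, "192.168.1.10", 80),
]

def run_sample():
    fw = StatefulFilter()
    return [fw.check(p) for p in SAMPLE]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(verdict, pkt)
```

The second packet is accepted only because the first created the matching table entry; the same reply sent to a fresh filter is dropped as unsolicited.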