DOCSIS Engineer Blog...

(Disclaimer: No information or writing on this site should be used as a basis of buying, investing, or anything else to do with any of the equipment discussed on this site. The information on this site is just the opinion of "Slimjim100" and I hold no guaranties of accuracy. There is no preferred company I (Slimjim100) recommend. I receive no compensation for the writing on this site and the intended audience is other DOCSIS engineers. My goal here is to have a place to vent my feelings on the industry I work in and to network with peers.)
Network Attacks
(Information gathered from Juniper Netscreen training)
SYN Flood
A SYN flood attack occurs when a network becomes so overwhelmed by SYN packets initiating uncompletable connection requests that it can no longer process legitimate connection requests, resulting in a denial of service (DoS).
ICMP Flood
An ICMP flood occurs when ICMP pings overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic. After enabling the ICMP flood protection feature, you can set a threshold that, once exceeded, invokes the ICMP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the threshold is exceeded, the NetScreen device ignores further ICMP echo requests for the remainder of that second.
UDP Flood
Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point it can no longer handle valid connections. After enabling the UDP flood protection feature, you can set a threshold that, once exceeded, invokes the UDP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the threshold is exceeded, the NetScreen device ignores further UDP packets for the remainder of that second.
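The ICMP and UDP flood sections above both describe the same mechanism: count packets of a protocol per second, and once the count passes the threshold, ignore the rest of that second. The following Python is an added simulation of that rule (my code, not NetScreen's): the per-second bucket, the 1000 pps default from the text, and the constructed traffic sample are all assumptions made for illustration.

```python
from collections import defaultdict

DEFAULT_THRESHOLD_PPS = 1000  # the default threshold the training notes cite


class FloodGuard:
    """Per-protocol, per-second packet counter. Once the count for a protocol
    exceeds the threshold inside one second, further packets of that protocol
    are ignored for the rest of that second. Hypothetical model, not device code."""

    def __init__(self, threshold_pps=DEFAULT_THRESHOLD_PPS):
        self.threshold = threshold_pps
        self.counts = defaultdict(int)   # (protocol, second) -> packets seen so far
        self.dropped = defaultdict(int)  # protocol -> packets ignored

    def accept(self, proto, timestamp):
        """Return True if the packet should be processed, False if it is ignored."""
        second = int(timestamp)
        key = (proto, second)
        self.counts[key] += 1
        if self.counts[key] > self.threshold:
            self.dropped[proto] += 1
            return False
        return True


def simulate(packets, threshold_pps=DEFAULT_THRESHOLD_PPS):
    """Run (proto, timestamp) pairs through the guard.
    Returns (accepted per protocol, dropped per protocol) as plain dicts."""
    guard = FloodGuard(threshold_pps)
    accepted = defaultdict(int)
    for proto, ts in packets:
        if guard.accept(proto, ts):
            accepted[proto] += 1
    return dict(accepted), dict(guard.dropped)


# Constructed traffic, not a capture: 1500 ICMP echo requests inside second 0
# (a flood), 50 more inside second 1, and 20 UDP packets spread over both seconds.
SAMPLE = ([("icmp", i / 1500) for i in range(1500)]
          + [("icmp", 1.0 + i / 50) for i in range(50)]
          + [("udp", i / 10) for i in range(20)])

if __name__ == "__main__":
    accepted, dropped = simulate(SAMPLE)
    print("accepted:", accepted)
    print("dropped: ", dropped)
```

With the sample above, only the 500 ICMP packets beyond the first 1000 in second 0 are ignored; the ICMP traffic in second 1 and all of the UDP traffic pass, which is the "remainder of that second" behaviour the notes describe. A real device would also need to decide whether the counter is global or per destination; the text does not say, so the model counts globally per protocol.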
Ping of Death
The TCP/IP specification requires a specific packet size for datagram transmission. Many ping implementations allow the user to specify a larger packet size if desired. A grossly oversized ICMP packet can trigger a range of adverse system reactions such as a denial of service (DoS), crashing, freezing, and rebooting. If you enable the NetScreen device to do so, it can detect and reject such oversized and irregular packet sizes.
IP Spoofing
Spoofing attacks occur when an attacker attempts to bypass the firewall security by imitating a valid client IP address. The NetScreen device guards against this attack by analyzing the IP addresses with its own route table when spoofing defense is enabled. If the IP address is not in the route table, traffic from that source is not allowed to communicate through the NetScreen device and any packets from that source are dropped.
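The spoofing check above boils down to a route-table lookup on the source address. The Python below is an added illustration of that lookup (my code, not NetScreen's): the route table, interface names and addresses are constructed for the example. The `strict` option goes beyond what the notes state: it additionally requires the matched route to point back out the interface the packet arrived on, which is the usual reverse-path form of the check and is my assumption here.

```python
import ipaddress

# Constructed route table for the example: (destination prefix, interface the
# route points out of). Not a real device configuration.
ROUTE_TABLE = [
    ("10.0.0.0/8", "trust"),
    ("10.1.0.0/16", "dmz"),
    ("192.0.2.0/24", "untrust"),
]

ALLOW = "allow"
DROP_NO_ROUTE = "drop: source not in route table"
DROP_WRONG_INTERFACE = "drop: source routed via a different interface"


def route_for(addr, table=ROUTE_TABLE):
    """Longest-prefix match of addr against the table.
    Returns the interface name, or None if no route covers addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def spoof_check(src, ingress_iface, table=ROUTE_TABLE, strict=True):
    """Verdict for a packet with source src arriving on ingress_iface.
    A source with no route is dropped, as the notes describe. With strict=True
    (an added reverse-path check, my assumption) the route must also point back
    out the interface the packet came in on."""
    iface = route_for(src, table)
    if iface is None:
        return DROP_NO_ROUTE
    if strict and iface != ingress_iface:
        return DROP_WRONG_INTERFACE
    return ALLOW


if __name__ == "__main__":
    # Constructed packets: (source address, ingress interface)
    for src, ingress in [("10.2.3.4", "trust"), ("10.1.3.4", "trust"),
                         ("198.51.100.9", "untrust"), ("192.0.2.77", "untrust")]:
        print(f"{src:>14} on {ingress:<8} -> {spoof_check(src, ingress)}")
```

Note the longest-prefix rule matters: 10.1.3.4 is covered by both 10.0.0.0/8 and 10.1.0.0/16, and the more specific route wins, so a packet claiming that source on the trust interface is rejected under the strict check even though the address is in the table.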
Port Scan Attack
Port scan attacks occur when packets are sent with different port numbers with the purpose of scanning the available services in hopes that one port will respond. The NetScreen device internally logs the number of different ports scanned from one remote source. If a remote host scans 10 ports in 0.3 seconds, the NetScreen flags this as a port scan attack, and drops the connection.
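The port scan rule above is a sliding-window count of distinct destination ports per source. The Python below is an added model of that rule (my code, not NetScreen's), using the 10 ports / 0.3 second figures from the text; the sample events and addresses are constructed, and the choice to keep dropping from a source once it has been flagged is my assumption about what "drops the connection" means.

```python
from collections import defaultdict, deque

SCAN_PORTS = 10     # distinct destination ports that count as a scan (from the notes)
SCAN_WINDOW = 0.3   # seconds (from the notes)


class PortScanDetector:
    """Tracks, per source address, the distinct destination ports seen inside a
    sliding time window. Hypothetical model of the rule above, not device code."""

    def __init__(self, ports=SCAN_PORTS, window=SCAN_WINDOW):
        self.ports = ports
        self.window = window
        self.history = defaultdict(deque)  # src -> deque of (timestamp, dst_port), oldest first
        self.flagged = set()               # sources already identified as scanners

    def observe(self, src, dst_port, timestamp):
        """Record one packet. Returns True if the packet is dropped, i.e. the source
        was already flagged or has just crossed the scan threshold."""
        if src in self.flagged:
            return True
        q = self.history[src]
        q.append((timestamp, dst_port))
        # Expire entries that fell out of the window.
        while q and timestamp - q[0][0] > self.window:
            q.popleft()
        if len({port for _, port in q}) >= self.ports:
            self.flagged.add(src)
            return True
        return False


def analyze(events, ports=SCAN_PORTS, window=SCAN_WINDOW):
    """events: iterable of (timestamp, src, dst_port).
    Returns (set of flagged sources, number of dropped packets)."""
    det = PortScanDetector(ports, window)
    dropped = 0
    for ts, src, port in sorted(events):
        if det.observe(src, port, ts):
            dropped += 1
    return det.flagged, dropped


# Constructed sample traffic (not captured data):
#  - 198.51.100.7 probes ports 21-30 at 30 ms spacing, then one more port: a fast scan
#  - 192.0.2.9 touches ten ports 100 ms apart: never 10 ports inside 0.3 s
#  - 203.0.113.5 is ordinary web traffic to two ports
SAMPLE_EVENTS = (
    [(round(0.03 * k, 2), "198.51.100.7", 21 + k) for k in range(10)]
    + [(0.30, "198.51.100.7", 31)]
    + [(round(0.1 * k, 1), "192.0.2.9", 1000 + k) for k in range(10)]
    + [(0.05, "203.0.113.5", 80), (0.12, "203.0.113.5", 80), (0.20, "203.0.113.5", 443)]
)

if __name__ == "__main__":
    flagged, dropped = analyze(SAMPLE_EVENTS)
    print("flagged sources:", flagged)
    print("dropped packets:", dropped)
```

The slow host shows why the window matters: it touches ten ports in total, but at most four of them fall inside any 0.3 second span, so it is never flagged. Only the fast scanner's tenth probe and the probe after it are dropped.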
Land Attack
Combining a SYN attack with IP spoofing, a Land attack occurs when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. The receiving system responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached. Flooding a system with such empty connections can overwhelm the system, causing a denial of service (DoS). By combining elements of the SYN flood defense and IP Spoofing protection, the NetScreen device blocks any attempts of this nature.
Tear Drop Attack
Tear Drop attacks exploit the reassembly of fragmented IP packets. In the IP header, one of the options is offset. When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash. If the NetScreen sees this discrepancy in a fragmented packet, it drops it.
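Both the Ping of Death and the Tear Drop sections come down to checks on fragment offsets and sizes before reassembly. The Python below is an added example of those two checks (my code, not NetScreen's): it walks the fragments of one datagram in offset order and reports an overlap (the Tear Drop condition) or a reassembled length beyond the 65535-byte IPv4 maximum (the Ping of Death condition). The fragment sets are constructed for the example; the offset field is taken in 8-byte units as in the IP header.

```python
MAX_DATAGRAM = 65535   # maximum IPv4 datagram length in bytes (16-bit total length field)


def check_fragments(fragments, max_len=MAX_DATAGRAM):
    """fragments: list of (fragment_offset_field, payload_length_bytes) for one datagram.
    The offset field counts 8-byte units, as in the IP header.
    Returns "overlap" if a fragment's byte range intrudes into an earlier one,
    "oversized" if reassembly would exceed max_len, otherwise "ok".
    Hypothetical check, not device code."""
    ranges = sorted((off * 8, off * 8 + length) for off, length in fragments)
    prev_end = 0
    for start, end in ranges:
        if end > max_len:
            return "oversized"
        if start < prev_end:
            return "overlap"
        prev_end = end
    return "ok"


def classify(datagrams, max_len=MAX_DATAGRAM):
    """Map each named fragment set to its verdict."""
    return {name: check_fragments(frags, max_len) for name, frags in datagrams.items()}


# Constructed fragment sets (offset field, payload bytes), not captured packets.
SAMPLE_DATAGRAMS = {
    # A 3960-byte datagram split for a 1500-byte MTU: 1480-byte fragments at offsets 0, 185, 370
    "normal": [(0, 1480), (185, 1480), (370, 1000)],
    # Second fragment claims byte offset 24, inside the first fragment's 0-36 range
    "teardrop": [(0, 36), (3, 24)],
    # Final fragment placed at byte 65512 with 1480 bytes of payload: reassembles past 65535
    "ping_of_death": [(0, 1480), (8189, 1480)],
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_DATAGRAMS).items():
        print(f"{name:>14}: {verdict}")
```

The check deliberately does not wait for the whole datagram: a single fragment whose offset plus length already passes 65535, or whose start falls inside a fragment already seen, is enough to drop it, which matches the text's "if the NetScreen sees this discrepancy in a fragmented packet, it drops it".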
Filter IP Source Route Option
IP header information has an option to contain routing information that may specify a different source than the header source. Enable this option to block all IP traffic that employs the Source Route Option. The Source Route Option can allow an attacker to enter a network with a false IP address and have data sent back to his real address.
(Side note: I might be back on the job market soon. Resume.)