Siemens 4100 Series User Manual
Page 57
Router User’s Guide
Monitoring Network Health
• LAN Source Address on LAN
An outside device can send a forged source address in an incoming IP packet to block trace back.
• Invalid IP Packet Fragment
An outside device can send fragmented data packets that can bring down your system.
IP packets can
be fairly large in size. If a link between two hosts transporting a packet can only handle smaller
packets, the large packet may be split (or fragmented) into smaller ones. When the packet fragments
get to the destination host, they must be reassembled into the original large packet like pieces of a
puzzle. A specially crafted invalid fragment can cause the host to crash
• TCP NULL
An outside device can send an IP packet with the protocol field set to TCP but with an all null TCP
header and data section. If your Router responds to this attack, it will bring down your system.
• TCP FIN
An outside device can send an attack using TCP FIN. This attack never allows a data packet to finish
transmitting and brings down your system.
• TCP XMAS
An outside device can send an attack using TCP packets with all the flags set. This causes your
system to slow to a halt.
• Fragmented TCP Packet
An outside device can send an attack using fragmented packets to allow an outside user Telnet
access to a device on your network.
• Fragmented TCP Header
An outside device can send an attack using TCP packets with only a header and no payload. When
numerous packets are sent through the Router in this manner, your system slows and halts.
• Fragmented UDP Header
An outside device can send an attack using fragmented UDP headers to bring down a device on your
network.
• Fragmented ICMP Header
An outside device can send an attack using fragmented ICMP headers to bring down a device on your
network.
• Inconsistent UDP/IP header lengths
An outside device can send an attack using inconsistent UDP/IP headers to bring down a device on
your network.
• Inconsistent IP header lengths
An outside device can send an attack using changes in the IP header to zero the fragment offset field.
This will be treated as a complete packet when received and cause your system to halt.
54