beautypg.com

Table 10, D in – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Page 100

background image

88

Brocade Virtual ADX Security Guide

53-1003250-01

DDoS protection

5

The log parameter directs the Brocade Virtual ADX to log traffic on the bound interface that
matches the rule specified by the configured rule-name. The no-log parameter disables this
function.

The drop parameter directs the Brocade Virtual ADX to drop traffic on the bound interface that
matches the rule specified by the configured rule-name. The no-drop parameter disables this
function.

TABLE 10

Rules for common attack types and descriptions

Attack Type

Description

syn-fragments

A SYN-fragment attack floods the target host with SYN-packet fragments. The
host stores the fragments, in order to reassemble them. By not completing
the connection, and flooding the server or host with such fragmented SYN
packets, the host memory buffer would eventually fill up.
A SYN packet need not be fragmented. It is very small. Use syn-fragments to
drop any SYN packet with the more-fragments bit on.

syn-and-fin-set

Attacker sends a packet with both SYN and FIN bits set to see what kind of
system reply is returned, and then use the system information for further
attacks using known system vulnerabilities.
Use syn-and-fin-set to drop packets having both the SYN and FIN bits set in
the flags field

tcp-no-flags

TCP packets are normally sent with at least one bit set in the flags field.
Use tcp-no-flags to drop TCP packet with a missing or malformed flags field.

icmp-fragments

ICMP fragments can be used to exploit the vulnerabilities in the packet
reassembly code. Enabling icmp-fragments allows you to create a rule that
can be configured to drop or log fragmented ICMP packets.

deny-all-fragments

IP fragments can be used to exploit the vulnerabilities in the packet
reassembly code of specific IP stack implementations. When you enable
deny-all-fragments, the Brocade Virtual ADX drops all IP fragments.

land-attack

Attacker sends spoofed SYN packets containing the destination IP as the
source-IP address. Flooding a system with such empty connections can
overwhelm the system, causing DoS.
Use land-attack to drop packets containing the same IP address as both the
source and destination IP addresses.

ping-of-death

If the sum of "Fragment Offset" and "Total length" fields in the IP header of
each IP fragment is larger than 65,535, then the packet is invalid, and such
packet will be dropped.

fin-with-no-ack

TCP packets with a FIN flag normally have an ACK bit set.
Use fin-with-no-ack to drop TCP packet where FIN flag is set, but the ACK bit is
not set.

large icmp

ICMP packets greater than 1500 bytes.

unknown-ip-protocol value

Protocol 101 and above are currently reserved and undefined. Attackers
sometimes use protocol values that are not valid protocols.
Use unknown-ip-protocol value to drop packets where protocol field is set to
101 or greater. Replace the value with the actual protocol number. If the
Brocade Virtual ADX gets an IP protocol packet matching that number, the
packet will be dropped.

See also other documents in the category Brocade Computer Accessories: