Smurf attack, Land attack – Allied Telesis AT-S62 User Manual

AT-S62 Management Software Menus Interface User’s Guide
Section II: Advanced Operations
335
SMURF Attack
This DoS attack is instigated by an attacker sending an ICMP Echo (Ping)
request whose destination address is a broadcast address and whose
source address is forged to be the address of the victim. Every node that
receives the broadcast answers the victim, which is overwhelmed by the
large number of ICMP Echo (Ping) replies from the other network nodes.
A switch port defends against this form of attack by examining the
destination addresses of ingress ICMP Echo (Ping) request packets and
discarding those that contain a broadcast address as a destination
address.
Implementing this defense requires providing an IP address of a node on
your network and a subnet mask. The switch uses the two to determine
the broadcast address of your network.
This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without it impacting switch
performance.
Land Attack
In this attack, an attacker sends a bogus IP packet in which the source and
destination IP addresses are identical. This leaves the victim thinking that
it is sending a message to itself.
The most direct approach for defending against this form of attack would
be for the AT-S62 management software to check the source and
destination IP addresses in the IP packets, searching for and discarding
those with identical source and destination addresses. But this would
require too much processing by the switch’s CPU, and could adversely
impact switch performance.
Instead, the switch examines the IP packets that are entering and leaving
your network. IP packets generated within your network and containing a
local IP address as the destination address are not allowed to leave the
network, and IP packets generated outside the network but containing a
local IP address as the source address are not allowed into the network.
In order for this defense mechanism to work, you need to specify an uplink
port. This is the port on the switch that is connected to a device that leads
outside your network, such as a DSL router. You can specify only one
uplink port.
You also need to enter the IP address of one of your network devices as
well as a mask, which the switch uses to differentiate between the network
portion and the node portion of the address. The switch uses the IP address
and mask to determine which IP addresses are local to your network and
which are from outside your network.
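The following Python model, added here as an illustration and not Allied Telesis code, shows how the two defenses described above (the Smurf check on a protected port and the two Land rules at the uplink port) can be derived from nothing more than one local IP address, its mask and the uplink port number. The `Packet` and `DosFilter` names, the port numbers and the addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Model of the AT-S62 Smurf and Land defenses described in the text.
# Written for this page; names, ports and addresses are constructed.

@dataclass(frozen=True)
class Packet:
    ingress_port: int
    src: str
    dst: str
    icmp_echo_request: bool = False   # True for an ICMP Echo (Ping) request

class DosFilter:
    def __init__(self, local_ip, mask, uplink_port, smurf_ports):
        # One local IP plus its mask yields the network broadcast address
        # (Smurf defense) and the set of local addresses (Land defense).
        self.net = ipaddress.ip_network(f"{local_ip}/{mask}", strict=False)
        self.broadcast = str(self.net.broadcast_address)
        self.uplink_port = uplink_port          # the single port leading outside
        self.smurf_ports = set(smurf_ports)     # ports with the Smurf defense on

    def is_local(self, ip):
        return ipaddress.ip_address(ip) in self.net

    def verdict(self, pkt, egress_port):
        # Smurf defense: a protected port discards ingress Echo requests whose
        # destination is the network broadcast address, so no reply flood
        # toward the spoofed source address can start.
        if (pkt.ingress_port in self.smurf_ports and pkt.icmp_echo_request
                and pkt.dst == self.broadcast):
            return "DROP-SMURF"
        # Land rule 1: a packet arriving from outside on the uplink must not
        # carry a local source address (covers src == dst == victim).
        if pkt.ingress_port == self.uplink_port and self.is_local(pkt.src):
            return "DROP-LAND-INGRESS"
        # Land rule 2: a packet generated inside must not leave via the
        # uplink while addressed to a local destination.
        if egress_port == self.uplink_port and self.is_local(pkt.dst):
            return "DROP-LAND-EGRESS"
        return "FORWARD"

if __name__ == "__main__":
    f = DosFilter("192.168.1.10", "255.255.255.0", uplink_port=1, smurf_ports={4})
    land = Packet(1, "192.168.1.20", "192.168.1.20")          # src == dst, from outside
    smurf = Packet(4, "192.168.1.20", "192.168.1.255", True)  # echo request to broadcast
    print(f.verdict(land, 4), f.verdict(smurf, 2))            # DROP-LAND-INGRESS DROP-SMURF
```

Note that the Smurf check is per port: the same broadcast Echo request arriving on a port where the defense is not activated is forwarded, which matches the text's statement that you choose the ports on which to enable it.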
The following is an overview of how the process takes place. This example
assumes that you have activated the feature on port 4, which is connected
to a device local to your network, and specified port 1 as the uplink port,