Teardrop Attack, Ping of Death Attack – Allied Telesis AT-S62 User Manual
Page 337

AT-S62 Management Software Menus Interface User’s Guide
Section II: Advanced Operations
Teardrop Attack
An attacker sends a victim an IP packet in several fragments, one of which
carries a bogus fragment offset value (the field used to reassemble the
packet). The victim is unable to reassemble the packet, which can cause it
to freeze operations.
The defense mechanism for this type of attack has all ingress IP traffic
received on a port sent to the switch’s CPU. The CPU samples related,
consecutive fragments, checking for fragments with invalid offset values.
If one is found, the following occurs:
- The switch sends an SNMP trap to the management workstations.
- The switch port discards the fragment with the invalid offset and, for a one minute period, discards all ingress fragmented IP traffic.
Because the CPU only samples the ingress IP traffic, this defense
mechanism may catch some, though not necessarily all of this form of
attack.
Caution
This defense is extremely CPU intensive; use with caution.
Unrestricted use can overwhelm the switch’s CPU with IP traffic,
causing the unit to halt operations. Even restricted use can impact
the switch’s handling of CPU events, such as the processing of
IGMP packets and spanning tree BPDUs. To prevent this, Allied
Telesyn recommends activating this defense on only one switch port
at a time.
Ping of Death Attack
The attacker sends an oversized, fragmented ICMP Echo (Ping) request
(greater than 65,535 bits) to the victim, which, if lacking a policy for
handling oversized packets, may freeze.
To defend against this form of attack, a switch port searches for the last
fragment of a fragmented ICMP Echo (Ping) request and examines its
offset to determine if the packet size is greater than 63,488 bits. If it is, the
fragment is forwarded to the switch’s CPU for final packet size
determination. If the switch determines that the packet is oversized, the
following occurs:
- The switch sends an SNMP trap to the management workstations.
- The switch port discards the fragment and, for one minute, discards all fragmented ingress ICMP Echo (Ping) requests.
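The two fragment checks above (the teardrop offset check and the ping of death size check, each followed by a one minute discard period) are modelled in this added example, which is not code from the AT-S62 manual or from Allied Telesis. It works on parsed IPv4 header fields rather than raw packets, uses constructed sample fragments, and assumes the port has already learned from the first fragment whether a datagram is an ICMP Echo request (the `icmp_echo` field).

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

IP_MAX_LEN = 65535   # IPv4 total-length limit in octets (RFC 791)
LOCKOUT_SECS = 60    # the manual's one-minute discard period


@dataclass(frozen=True)
class Fragment:
    """Header fields of one IPv4 fragment (constructed sample data, not captured traffic)."""
    ident: int          # IP identification, shared by all fragments of one datagram
    offset: int         # fragment offset field, in 8-octet units
    more: bool          # MF flag: True unless this is the last fragment
    payload_len: int    # octets of payload in this fragment
    icmp_echo: bool     # assumption: learned from the first fragment of this datagram


class FragmentGuard:
    """Per-port model of the two defenses: fragment ranges per datagram plus lockout timers."""

    def __init__(self) -> None:
        self.seen: Dict[int, List[Tuple[int, int]]] = {}
        self.block_ip_until = 0.0     # teardrop lockout: all fragmented IP traffic
        self.block_icmp_until = 0.0   # ping of death lockout: fragmented ICMP Echo only

    def bogus_offset(self, f: Fragment) -> bool:
        """Teardrop check: the fragment's byte range overlaps one already seen for this datagram."""
        start, end = f.offset * 8, f.offset * 8 + f.payload_len
        ranges = self.seen.setdefault(f.ident, [])
        if any(start < e and s < end for s, e in ranges):
            return True
        ranges.append((start, end))
        if not f.more:
            self.seen.pop(f.ident)  # last fragment seen; forget this datagram's ranges
        return False

    @staticmethod
    def oversized(f: Fragment) -> bool:
        """Ping of death check: the last fragment's offset plus length exceeds the IPv4 limit."""
        return not f.more and f.offset * 8 + f.payload_len > IP_MAX_LEN

    def inspect(self, f: Fragment, now: float) -> str:
        """Action for one ingress fragment: 'forward', 'drop' (during lockout) or 'trap+drop'."""
        if now < self.block_ip_until or (f.icmp_echo and now < self.block_icmp_until):
            return "drop"
        if self.bogus_offset(f):
            self.block_ip_until = now + LOCKOUT_SECS
            return "trap+drop"   # the switch also raises an SNMP trap here
        if f.icmp_echo and self.oversized(f):
            self.block_icmp_until = now + LOCKOUT_SECS
            return "trap+drop"
        return "forward"
```

Like the switch, this model only sees what it samples: a fragment that arrives during a lockout is dropped without being recorded, so range state for the offending datagram is not consulted again.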