Ping of Death Attack, IP Options Attack – Allied Telesis AT-S63 User Manual
Page 291

AT-S63 Management Software Menus Interface User’s Guide
Section II: Advanced Operations
The switch port discards the fragment with the invalid offset and, for a 
one minute period, discards all ingress fragmented IP traffic.
Because the CPU only samples the ingress IP traffic, this defense 
mechanism may catch some, though not necessarily all, of this form of 
attack.
Caution
This defense is extremely CPU intensive; use with caution. 
Unrestricted use can cause a switch to halt operations if the CPU 
becomes overwhelmed with IP traffic. To prevent this, Allied Telesyn 
recommends activating this defense on only the uplink port and one 
other switch port at a time.
Ping of Death Attack
The attacker sends an oversized, fragmented ICMP Echo (Ping) request 
(greater than 65,535 bits) to the victim, which, if lacking a policy for 
handling oversized packets, may freeze.
To defend against this form of attack, a switch port searches for the last 
fragment of a fragmented ICMP Echo (Ping) request and examines its 
offset to determine if the packet size is greater than 63,488 bits. If it is, the 
fragment is forwarded to the switch’s CPU for final packet size 
determination. If the switch determines that the packet is oversized, the 
following occurs:
- The switch sends an SNMP trap to the management stations.
- The switch port discards the fragment and, for one minute, discards all 
fragmented ingress ICMP Echo (Ping) requests.
Note
This defense mechanism requires some involvement by the switch’s 
CPU, though not as much as the Teardrop defense. This does not 
impact the forwarding of traffic between the switch ports, but it can 
affect the handling of CPU events, such as the processing of IGMP 
packets and spanning tree BPDUs. For this reason, Allied Telesyn 
recommends limiting the use of this defense, activating it only on 
those ports where an attack is most likely to originate.
Also note that an attacker can circumvent the defense by sending a 
stream of ICMP Echo (Ping) requests with a size of 63,488 to 65,534 bits. 
A large number of requests could overwhelm the switch’s CPU.
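The two-stage check described above (last-fragment offset pre-filter, then a precise size check, then a one-minute block of fragmented ICMP on the port), modelled as an added Python example; this is not AT-S63 code. The thresholds are taken from the manual but applied as byte counts, since 65,535 bytes is the IPv4 datagram limit; the forward/drop verdicts, the `PingOfDeathGuard` class and the constructed `make_fragment` helper are assumptions for illustration.

```python
import struct

ICMP = 1
MF_FLAG = 0x2000          # "more fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF      # 13-bit fragment offset, in 8-byte units
SAMPLE_THRESHOLD = 63488  # manual's pre-filter value; only larger packets reach the CPU
MAX_DATAGRAM = 65535      # IPv4 maximum; anything above is oversized
BLOCK_SECONDS = 60        # manual: discard fragmented ICMP Echo for one minute


def parse_ipv4(pkt):
    """Pull the fields the defence needs out of a raw IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return {
        "proto": pkt[9],
        "more_fragments": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & OFFSET_MASK) * 8,  # position of this fragment in the datagram
        "payload_len": total_len - ihl,
    }


class PingOfDeathGuard:
    """Per-port state: when the block expires and which traps were raised."""

    def __init__(self):
        self.block_until = 0.0
        self.traps = []  # (time, reassembled size) for each SNMP trap that would be sent

    def inspect(self, pkt, now):
        hdr = parse_ipv4(pkt)
        fragmented = hdr["more_fragments"] or hdr["offset"] > 0
        if hdr["proto"] != ICMP or not fragmented:
            return "forward"                      # defence only looks at fragmented ICMP
        if now < self.block_until:
            return "drop"                         # inside the one-minute block window
        if hdr["more_fragments"]:
            return "forward"                      # only the last fragment reveals total size
        size = hdr["offset"] + hdr["payload_len"] # reassembled datagram length
        if size <= SAMPLE_THRESHOLD:
            return "forward"                      # below pre-filter, CPU never sees it
        if size > MAX_DATAGRAM:                   # CPU's final determination
            self.traps.append((now, size))
            self.block_until = now + BLOCK_SECONDS
            return "drop"
        return "forward"  # 63,488..65,535: reaches the CPU yet is legal, the window the text warns about


def make_fragment(offset_bytes, payload_len, more_fragments, proto=ICMP):
    """Constructed test input: minimal IPv4 header plus a zero-filled payload."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, flags_frag,
                      64, proto, 0, bytes(4), bytes(4))
    return hdr + bytes(payload_len)
```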
IP Options Attack
In the basic scenario of an IP attack, an attacker sends packets containing 
bad IP options. There are several types of IP option attacks and the 
AT-S63 management software does not distinguish between them.
Rather, the defense mechanism counts the number of ingress IP packets
