beautypg.com

Ping of death attack – Allied Telesis AT-S62 User Manual

Page 313

background image

AT-S62 Menus Interface User’s Guide

Section II: Advanced Operations

313

The defense mechanism for this type of attack has all ingress IP traffic
received on a port sent to the switch’s CPU. The CPU samples related,
consecutive fragments, checking for fragments with invalid offset
values.

If one is found, the following occurs:

❑ The switch sends a SNMP trap to the management workstations.

❑ The switch port discards the fragment with the invalid offset and,

for a one minute period, discards all ingress fragmented IP traffic.

Because the CPU only samples the ingress IP traffic, this defense
mechanism may catch some, though not necessarily, all of this form of
attack.

Caution

This defense is extremely CPU intensive; use with caution.
Unrestricted use can cause a switch to halt operations should the
CPU become overwhelmed with IP traffic. To prevent this, Allied
Telesyn recommends activating this defense on only one switch
port at a time.

Ping of Death

Attack

The attacker sends an oversized, fragmented ICMP Echo (Ping) request
(greater than 65,535 bits) to the victim, which, if lacking a policy for
handling oversized packets, may freeze.

To defend against this form of attack, a switch port searches for the last
fragment of a fragmented ICMP Echo (Ping) request and examines its
offset to determine if the packet size is greater than 63,488 bits. If it is,
the fragment is forwarded to the switch’s CPU for final packet size
determination. If the switch determines that the packet is oversized, the
following occurs:

❑ The switch sends a SNMP trap to the management workstations.

❑ The switch port discards the fragment and, for one minute,

discards all fragmented ingress ICMP Echo (Ping) requests.

Note

This defense mechanism requires some involvement by the switch’s
CPU, though not as much as the Teardrop defense. This will not
impact the forwarding of traffic between the switch ports, but it can
affect the handling of CPU events, such as the processing of IGMP
packets and spanning tree BPDUs. For this reason, Allied Telesyn
recommends limiting the use of this defense, activating it only on
those ports where an attack is most likely to originate.

See also other documents in the category Allied Telesis Computer hardware: