Ip options attack, Denial of service defense guidelines – Allied Telesis AT-S62 User Manual
Chapter 19: Denial of Service Defense
Section II: Advanced Operations
Also note that an attacker can circumvent the defense by sending a stream of ICMP Echo (Ping) requests with a size of 63,488 to 65,534 bits. A large number of requests could overwhelm the switch’s CPU.
IP Options Attack
In the basic scenario of an IP options attack, an attacker sends packets containing bad IP options. There are several different types of IP options attacks, and the AT-S62 management software does not distinguish between them.
The defense mechanism counts the number of ingress IP packets containing IP options received on a port. If the number exceeds 20 packets per second, the switch considers this a possible IP options attack and does the following:
❑ It sends an SNMP trap to the management workstations.
❑ The switch port discards all ingress packets containing IP options for one minute.
This defense mechanism does not involve the switch’s CPU. You can activate it on as many ports as you want without it impacting switch performance.
Note
This defense does not actually check IP packets for bad IP options. Consequently, it can only alert you to a possible attack.
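The rate-based rule described above, as an added illustration that is not code from the AT-S62 software: a simulation that counts option-bearing packets per port and per second, raises a (recorded) SNMP trap when the count exceeds 20, and discards option-bearing packets on that port for one minute. The fixed one-second counting buckets and the sample traffic are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

THRESHOLD_PPS = 20     # more than 20 option-bearing packets/second trips the defense (manual)
DISCARD_SECONDS = 60   # port then discards option-bearing packets for one minute (manual)

@dataclass
class Packet:
    ts: float            # arrival time, seconds
    port: int            # ingress switch port
    has_ip_options: bool # IP header carries options (validity is NOT checked, as in the manual)

@dataclass
class IpOptionsDefense:
    traps: list = field(default_factory=list)          # (port, second) of each trap raised
    discard_until: dict = field(default_factory=dict)  # port -> time when discarding stops
    _counts: dict = field(default_factory=lambda: defaultdict(int))  # (port, second) -> count

    def ingress(self, pkt: Packet) -> str:
        """Return 'forward' or 'discard' for one ingress packet."""
        if not pkt.has_ip_options:
            return "forward"  # packets without IP options are never counted or dropped
        if pkt.ts < self.discard_until.get(pkt.port, 0.0):
            return "discard"  # port is inside its one-minute discard window
        second = int(pkt.ts)  # assumption: fixed one-second buckets, not a sliding window
        self._counts[(pkt.port, second)] += 1
        if self._counts[(pkt.port, second)] > THRESHOLD_PPS:
            self.traps.append((pkt.port, second))          # stands in for the SNMP trap
            self.discard_until[pkt.port] = pkt.ts + DISCARD_SECONDS
            return "discard"
        return "forward"

def sample_stream():
    """Constructed sample traffic: port 1 sees a burst of 25 option-bearing packets inside
    one second; port 2 sees only 5; one plain packet arrives on port 1 mid-burst."""
    burst = [Packet(10.0 + i * 0.02, 1, True) for i in range(25)]
    quiet = [Packet(10.0 + i * 0.1, 2, True) for i in range(5)]
    plain = [Packet(10.5, 1, False)]
    return burst + quiet + plain

def run(packets):
    """Feed packets through the defense; return the defense state and per-packet decisions."""
    defense = IpOptionsDefense()
    return defense, [defense.ingress(p) for p in packets]
```

Because the rule counts any packet with IP options, a legitimate burst of option-bearing traffic on port 2 would trip it just as readily as a malicious one, which is the caveat in the Note above.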
Denial of Service Defense Guidelines
Below are guidelines to observe when using this feature:
❑ A switch port can support more than one DoS defense at a time.
❑ The Teardrop and the Ping of Death defenses are CPU intensive. Use these defenses with caution.
❑ Some defenses allow you to specify a mirror port where offending traffic is copied.
Note
For the AT-8550GB and AT-8550SP switches, there can be only one mirror port per defense. For example, all ports using the IP Options defense must share the same mirror port.