beautypg.com

Smurf attack, Land attack, Smurf attack land attack – Allied Telesis AT-S62 User Manual

Page 214

background image

Chapter 16: Denial of Service Defense

Section II: Advanced Operations

214

SMURF Attack

This DoS attack is instigated by an attacker sending a ICMP Echo (Ping)
request containing a broadcast address as the destination address and
the address of the victim as the source of the ICMP Echo (Ping) request.
This overwhelms the victim with a large number of ICMP Echo (Ping)
replies from the other network nodes.

A switch port defends against this form of attack by examining the
destination addresses of ingress ICMP Echo (Ping) request packets and
discarding those that contain a broadcast address as a destination
address.

Implementing this defense requires providing an IP address of a node on
your network and a subnet mask. The switch will use the two to
determine the broadcast address of your network.

This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without having it negatively
impact switch performance.

Land Attack

In this attack, an attacker sends a bogus IP packet where the source and
destination IP addresses are the same. This leaves the victim thinking
that it is sending a message to itself.

The most direct approach for defending against this form of attack
would be for the AT-S62 management software to check the source and
destination IP addresses in the IP packets, searching for and discarding
those with identical source and destination addresses. But this would
require too much processing by the switch’s CPU, and would adversely
impact switch performance.

Instead, the switch examines the IP packets that are entering or leaving
your network. IP packets generated within your network and containing
a local IP address as the destination address are not allowed to leave the
network, while IP packets generated outside the network but containing
a local IP address as the source address are not allowed into the network.

In order for this defense mechanism to work, you need to specify an
uplink port. This is the port on the switch that is connected to the device,
such as a DSL router, that leads outside your network. You can specify
only one uplink port.

You will also need to specify an IP address of one of your network nodes
and a subnet mask. The management software uses the two to
determine which addresses are local to your network and which are not.

Note

This defense mechanism should only be used if there is a port on the
switch that is connected to a device that leads outside your network.

See also other documents in the category Allied Telesis Computer hardware: