beautypg.com

Teardrop attack – Allied Telesis AT-S62 User Manual

Page 215

background image

AT-S62 User’s Guide

Section II: Advanced Operations

215

Here is a overview of how the process takes place. This example assumes
that you have activated the feature on port 4 and that you have
specified port 1 as the uplink port. The steps below review what
happens when an ingress IP packet arrives on port 4:

1. When port 4 receives an ingress IP packet with a destination MAC

address learned on uplink port 1, it examines the packet’s destination
IP addresses before forwarding the packet.

2. If the destination IP address is local to the network, port 4 does not

forward the packet to uplink port 1 because the port assumes that
there is no reason for the packet to leave the network. Instead, it
discards the packet.

3. If the destination IP address is not local to the network, port 4

forwards the packet to uplink port 1.

Here is a review of how the process takes place when an ingress IP
packet arrives on uplink port 1 that is destined for port 4:

1. When uplink port 1 receives an ingress IP packet with a destination

MAC address that was learned on port 4, it examines the packet’s
source IP address before forwarding the packet.

2. If the source IP address is local to the network, uplink port 1 does not

forward the packet to port 4 because it assumes that a packet with a
source IP address that is local to the network should not be entering
the network from outside the network.

3. If the source IP address is not local to the network, port 1 forwards the

packet to port 4.

Here are some guidelines to using this defense:

❑ If you choose to use it, Allied Telesyn recommends activating it on

all ports on the switch, including the uplink port.

❑ You can specify only one uplink port.

This form of defense is not CPU intensive. Activating it on all ports
should not affect switch behavior.

Teardrop Attack

An attacker sends an IP packet in several fragments with a bogus offset
value, used to reconstruct the packet, in one of the fragments to a victim.
The victim is unable to reassemble the packet, possibly causing it to
freeze operations.

The defense mechanism for this type of attack has all ingress IP traffic
received on a port sent to the switch’s CPU. The CPU samples related,
consecutive fragments, checking for fragments with invalid offset
values.

See also other documents in the category Allied Telesis Computer hardware: