
H3C Technologies H3C MSR 50 User Manual


Table 95 Types of single-packet attacks

| Single-packet attack | Description |
|---|---|
| Fraggle | A Fraggle attacker sends large amounts of UDP echo packets (with the UDP port number of 7) or Chargen packets (with the UDP port number of 19) to a subnet broadcast address. This causes a large quantity of responses in the network, using up the network bandwidth of the subnet or crashing the target host. |
| LAND | A LAND attacker forges large amounts of TCP SYN packets with both the source address and destination address being the IP address of the target, causing the target to send SYN ACK messages to itself and establish half-open connections as a result. In this way, the attacker depletes the half-open connection resources of the target, making it unable to work correctly. |
| WinNuke | A WinNuke attacker sends Out-of-Band (OOB) data packets to the NetBIOS port (139) of a target running a Windows system. The pointer fields of these attack packets are overlapped, resulting in NetBIOS fragment overlaps. This causes a target host that has established TCP connections with other hosts to crash when it processes these NetBIOS fragments. |
| TCP Flag | Different operating systems process abnormal TCP flags differently. The attacker sends TCP packets with abnormal TCP flags to the target host to probe its operating system. If the operating system cannot process such packets correctly, the host crashes. |
| ICMP Unreachable | Upon receiving an ICMP unreachable packet, some systems conclude that the destination is unreachable and drop all subsequent packets destined for the destination. By sending ICMP unreachable packets, an attacker can cut off the connection between the target host and the network. |
| ICMP Redirect | An ICMP Redirect attacker sends ICMP redirect messages to hosts on a subnet to request the hosts to change their routing tables, interfering with the normal forwarding of IP packets. |
| Tracert | The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the packet passes each router. Upon receiving a packet with a TTL of 0, a router sends an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology. |
| Smurf | A Smurf attacker sends ICMP echo requests to the broadcast address of the target network. As a result, all hosts on the target network reply to the requests, congesting the network and leaving hosts on the target network unable to provide services. |
| Source Route | A Source Route attacker probes the network structure through the Source Route option in IP packets. |
| Route Record | A Route Record attacker probes the network structure through the Record Route option in IP packets. |
| Large ICMP | For some hosts and devices, large ICMP packets cause memory allocation errors that crash the protocol stack. An attacker can make a target crash by sending large ICMP packets to it. |

The single-packet attack protection function applies only to incoming packets. It analyzes the characteristics of incoming packets to determine whether they are attack packets and, if they are, logs the events and discards the packets. For example, if the length of an ICMP packet reaches or exceeds 4000 bytes, the device considers the packet a large ICMP attack packet, outputs a warning log, and discards the packet.
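The per-packet checks described above, as an added Python example (not H3C's implementation and not code from this manual) that matches raw IPv4 bytes against the Table 95 rows for which the text gives a concrete criterion. The names `classify`, `ipv4` and `tcp`, the protected subnet 192.0.2.0/24, measuring the 4000-byte threshold on the ICMP message, and reducing WinNuke to "URG set toward port 139" are assumptions; TCP Flag and Tracert are left out because the table gives no single-packet rule for them.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

LARGE_ICMP = 4000  # bytes; threshold quoted in the manual text
IP_OPTS = {7: "Route Record", 131: "Source Route", 137: "Source Route"}  # RR, LSRR, SSRR
ICMP_TYPES = {3: "ICMP Unreachable", 5: "ICMP Redirect"}

def classify(pkt, subnet="192.0.2.0/24"):
    """Return the Table 95 attack names whose signature one inbound IPv4 packet matches."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = pkt[12:16], pkt[16:20]
    bcast = dst == IPv4Network(subnet).broadcast_address.packed  # assumed protected subnet
    hits, l4, i = [], pkt[ihl:], 20
    while i < ihl and pkt[i] != 0:            # walk IP options; type 0 ends the list
        if pkt[i] in IP_OPTS:
            hits.append(IP_OPTS[pkt[i]])
        if pkt[i] == 1:                       # NOP is a single byte with no length field
            i += 1
        elif i + 1 < ihl and pkt[i + 1] >= 2:
            i += pkt[i + 1]
        else:
            break                             # malformed option length: stop parsing
    if proto == 1 and l4:                     # ICMP
        if l4[0] in ICMP_TYPES:
            hits.append(ICMP_TYPES[l4[0]])
        if l4[0] == 8 and bcast:              # echo request to the subnet broadcast
            hits.append("Smurf")
        if len(l4) >= LARGE_ICMP:             # assumption: length of the ICMP message
            hits.append("Large ICMP")
    elif proto == 6 and len(l4) >= 20:        # TCP
        dport, flags = struct.unpack("!H", l4[2:4])[0], l4[13]
        if flags & 0x02 and src == dst:       # SYN with source == destination
            hits.append("LAND")
        if dport == 139 and flags & 0x20:     # URG marks out-of-band data (simplified)
            hits.append("WinNuke")
    elif proto == 17 and len(l4) >= 8:        # UDP echo (7) or Chargen (19) to broadcast
        if struct.unpack("!H", l4[2:4])[0] in (7, 19) and bcast:
            hits.append("Fraggle")
    return hits

def ipv4(proto, src, dst, l4, opts=b""):
    """Build a constructed sample IPv4 packet (checksum left at 0, not validated here)."""
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(l4), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + opts + l4

def tcp(dport, flags):
    """Build a constructed 20-byte TCP header with the given destination port and flags."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
```
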
