Configuring packet inspection, Overview – H3C Technologies H3C SecPath F1000-E User Manual
6 Configuring packet inspection
The packet inspection configuration is available only in the Web interface.
Overview
A single-packet attack, or malformed packet attack, occurs when either of the following events occurs:
• An attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags, to a target system, making the target system malfunction or crash when processing such packets.
• An attacker sends large quantities of junk packets to the network, using up the network bandwidth.
With packet inspection configured, the firewall analyzes the characteristics of received packets to determine whether the packets are attack packets. Upon detecting an attack, the firewall logs the event and, when configured, discards the attack packets.
The firewall supports detection of the following types of single packet attacks.
Table 3 Types of single packet attacks (attack type: description)

Fraggle: A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests (UDP port 7) or Chargen packets (UDP port 19), resulting in a large quantity of junk replies and finally exhausting the bandwidth of the target network.

Land: A Land attack occurs when an attacker sends a great number of TCP SYN packets with both the source and destination IP addresses set to the IP address of the target, exhausting the half-open connection resources of the victim and preventing the target from providing services correctly.

WinNuke: A WinNuke attacker sends out-of-band (OOB) data with overlapping urgent pointer values to the NetBIOS port (139) of a Windows system over an established connection, introducing a NetBIOS fragment overlap that causes the system to crash.

TCP Flag: Some TCP flag combinations are processed differently by different operating systems. A TCP flag attacker sends TCP packets with such flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker can crash the host.

ICMP unreachable: Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for it. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.

ICMP redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets.

Tracert: The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 each time the packet passes a router. Upon receiving a packet whose TTL reaches 0, a router must send an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to map out the network topology.
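The following added example (not part of the H3C manual and not the firewall's own code) shows how the per-packet characteristics in Table 3 translate into detection logic: each check matches one attack type, and the handler logs the event and drops only when discarding is enabled. The packet model, the list of illegal TCP flag combinations, the traceroute port range and the TTL threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified header model; assumption, not the firewall's internal format.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    ttl: int = 64
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flag names, e.g. {"SYN", "URG"}
    icmp_type: Optional[int] = None   # 3 = unreachable, 5 = redirect
    urg_ptr: int = 0                  # TCP urgent pointer

# Flag combinations a normal TCP stack never emits (assumed signature set).
ILLEGAL_TCP_FLAGS = (
    frozenset(),                           # no flags at all
    frozenset({"SYN", "FIN"}),
    frozenset({"FIN", "PSH", "URG"}),
)
TRACEROUTE_BASE_PORT = 33434   # traceroute's default UDP base port
TRACEROUTE_MAX_TTL = 30        # assumed threshold for "probe-like" TTLs

def inspect(pkt: Packet) -> list:
    """Return the Table 3 attack types whose characteristics the packet matches."""
    hits = []
    if pkt.proto == "tcp" and "SYN" in pkt.flags and pkt.src == pkt.dst:
        hits.append("Land")                       # source == destination
    if pkt.proto == "udp" and pkt.dport in (7, 19):
        hits.append("Fraggle")                    # echo / chargen amplification
    if pkt.proto == "tcp" and pkt.dport == 139 and "URG" in pkt.flags and pkt.urg_ptr:
        hits.append("WinNuke")                    # OOB data to NetBIOS port
    if pkt.proto == "tcp" and pkt.flags in ILLEGAL_TCP_FLAGS:
        hits.append("TCP Flag")                   # OS-fingerprinting flag combos
    if pkt.proto == "icmp" and pkt.icmp_type == 3:
        hits.append("ICMP unreachable")
    if pkt.proto == "icmp" and pkt.icmp_type == 5:
        hits.append("ICMP redirect")
    if pkt.proto == "udp" and pkt.dport >= TRACEROUTE_BASE_PORT and pkt.ttl <= TRACEROUTE_MAX_TTL:
        hits.append("Tracert")                    # high UDP port with a low TTL
    return hits

def handle(pkt: Packet, discard: bool) -> str:
    """Log on detection; drop only when the discard action is configured."""
    hits = inspect(pkt)
    if not hits:
        return "forward"
    print(f"ATTACK {','.join(hits)} {pkt.src}->{pkt.dst}")   # the logged event
    return "drop" if discard else "forward"
```

Constructed sample packets such as `Packet("10.0.0.5", "10.0.0.5", "tcp", dport=80, flags=frozenset({"SYN"}))` exercise one check each; a SYN to port 443 from a distinct source yields an empty result and is forwarded.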