H3C Technologies H3C SecPath F1000-E User Manual
Page 51
43
Field Description
Scan
A scanning attack probes the addresses and ports on a network to identify the hosts
attached to the network and application ports available on the hosts and to figure out
the topology of the network, so as to get ready further attacks.
Source Route
A source route attack exploits the source route option in the IP header to probe the
topology of a network.
Smurf
A Smurf attacker sends large quantities of ICMP echo requests to the broadcast
address of the target network. As a result, all hosts on the target network will reply to
the requests, causing the network congested and hosts on the target network unable to
provide services.
TCP Flag
Some TCP flags are processed differently on different operating systems. A TCP flag
attacker sends TCP packets with such TCP flags to a target to probe its operating
system. If the operating system cannot process such packets properly, the attacker will
successfully make the host crash down.
Tracert
The Tracert program usually sends UDP packets with a large destination port number
and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 when the
packet passes each router. Upon receiving a packet with a TTL of 0, a router must send
an ICMP time exceeded message back to the source IP address of the packet. A Tracert
attacker exploits the Tracert program to figure out the network topology.
WinNuke
A WinNuke attacker sends out-of-band (OOB) data with the pointer field values
overlapped to the NetBIOS port (139) of a Windows system with an established
connection to introduce a NetBIOS fragment overlap, causing the system to crash.
SYN Flood
A SYN flood attack exploits TCP SYN packets. Due to resource limitation, the number
of TCP connections that can be created on a device is limited. A SYN flood attacker
sends a barrage of spurious SYN packets to a victim to initiate TCP connections. As the
SYN_ACK packets that the victim sends in response can never get acknowledgments,
large amounts of half-open connections are created and retained on the victim, making
the victim inaccessible before the number of half-open connections drops to a
reasonable level due to timeout of half-open connections. In this way, a SYN flood
attack exhausts system resources such as memory on a system whose implementation
does not limit creation of connections.
ICMP Flood
An ICMP flood attack overwhelms the victim with an enormous number of ICMP echo
requests (such as ping packets) in a short period, preventing the victim from providing
services correctly.
UDP Flood
A UDP flood attack overwhelms the victim with an enormous number of UDP packets in
a short period, disabling the victim from providing services correctly.
DNS Flood
A DNS flood attack overwhelms the victim with an enormous number of DNS query
requests in a short period, disabling the victim from providing services correctly.
Number of
connections per
source IP exceeds the
threshold
When an internal user initiates a large number of connections to a host on the external
network in a short period of time, system resources on the device will be used up soon.
This will make the device unable to service other users.
Number of
connections per dest
IP exceeds the
threshold
If an internal server receives large quantities of connection requests in a short period of
time, the server will not be able to process normal connection requests from other hosts.
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS