Packet inspection configuration, Overview – H3C Technologies H3C SecPath F1000-E User Manual
Packet Inspection Configuration
Overview
A single-packet attack is also called a malformed packet attack. A single-packet attack occurs when:
• An attacker sends defective IP packets, such as overlapping IP fragments and packets with illegal TCP flags, to a target system, making the target system malfunction or crash when processing such packets.
• An attacker sends large quantities of junk packets to the network, using up the network bandwidth.
With packet inspection configured, the device analyzes the characteristics of received packets to
determine whether the packets are attack packets. Upon detecting an attack, the device logs the event
and, when configured, discards the attack packets.
The device supports detection of the following types of single-packet attacks.
Table 1 Types of single-packet attacks
Fraggle: A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests with the UDP port number being 7 or Chargen packets with the UDP port number being 19, resulting in a large quantity of junk replies and finally exhausting the bandwidth of the target network.
Land: A Land attack occurs when an attacker sends a great number of TCP SYN packets with both the source and destination IP addresses being the IP address of the target, exhausting the half-open connection resources of the victim and thereby making the target unable to provide services normally.
WinNuke: A WinNuke attacker sends out-of-band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system with an established connection, introducing a NetBIOS fragment overlap that causes the system to crash.
TCP Flag: Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such TCP flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker succeeds in crashing the host.
ICMP unreachable: Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for that destination. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.
ICMP redirect: An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets.
Tracert: The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 each time the packet passes a router. Upon receiving a packet whose TTL reaches 0, a router must send an ICMP time exceeded message back to the source IP address of the packet. A Tracert attacker exploits the Tracert program to figure out the network topology.
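As an added example (not the manual's text or the SecPath device's own code), the following Python shows how each Table 1 signature reduces to a check on a few header fields, run over constructed sample packets and counted the way the device logs hits. The packet dict layout, the traceroute port range and the TTL threshold are this example's assumptions.

```python
# Added example (not from the H3C manual or SecPath firmware): toy classifier
# mapping packet summaries to Table 1 attack types. Packets are plain dicts
# whose field names are this example's own assumptions, not parsed wire data.
from typing import Optional
TRACERT_MIN_PORT = 33434  # assumed: first UDP port traceroute probes use
TRACERT_MAX_TTL = 30      # assumed: probes carry a small, increasing TTL

def classify(pkt: dict) -> Optional[str]:
    """Return the Table 1 attack type a packet matches, or None if clean."""
    proto, src = pkt.get("proto"), pkt.get("src")
    if proto == "tcp":
        flags = set(pkt.get("flags", ()))
        # Land: SYN whose source address equals its destination address.
        if "SYN" in flags and src and src == pkt.get("dst"):
            return "Land"
        # WinNuke: urgent (out-of-band) data aimed at the NetBIOS session port.
        if "URG" in flags and pkt.get("dport") == 139:
            return "WinNuke"
        # TCP Flag: flag combinations no compliant stack ever emits.
        if (not flags or {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags
                or ("FIN" in flags and not flags & {"ACK", "RST"})):
            return "TCP Flag"
    elif proto == "udp":
        # Fraggle: echo (7) or chargen (19) requests that provoke junk replies.
        if pkt.get("dport") in (7, 19):
            return "Fraggle"
        # Tracert: high destination port plus a low TTL marks a topology probe.
        if pkt.get("dport", 0) >= TRACERT_MIN_PORT and pkt.get("ttl", 255) <= TRACERT_MAX_TTL:
            return "Tracert"
    elif proto == "icmp":
        # Types 3 and 5 match on type alone; enable selectively, as legitimate unreachables are type 3 too.
        return {3: "ICMP unreachable", 5: "ICMP redirect"}.get(pkt.get("icmp_type"))
    return None

def inspect(packets) -> dict:
    """Count hits per attack type, as the device would log them."""
    hits = {}
    for kind in filter(None, map(classify, packets)):
        hits[kind] = hits.get(kind, 0) + 1
    return hits

# Constructed sample traffic: one packet per signature exercised below.
SAMPLE = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "dport": 80, "flags": ("SYN",)},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.5", "dport": 139, "flags": ("ACK", "URG")},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.5", "dport": 22, "flags": ("SYN", "FIN")},
    {"proto": "udp", "src": "10.0.0.9", "dst": "10.0.0.255", "dport": 19},
    {"proto": "udp", "src": "10.0.0.9", "dst": "10.0.0.5", "dport": 33434, "ttl": 1},
    {"proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.5", "icmp_type": 5},
]
```

Calling `inspect(SAMPLE)` yields one hit for each of Land, WinNuke, TCP Flag, Fraggle, Tracert and ICMP redirect; a plain SYN to port 443 or an ICMP echo request classifies as None.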