Scanning attack, Flood attack – H3C Technologies H3C SecBlade LB Cards User Manual
Single-packet attack: Description

Large ICMP: On some hosts and devices, large ICMP packets cause a memory allocation error that crashes the protocol stack. A large ICMP attacker sends large ICMP packets to a target to crash it.

Route Record: An attacker exploits the route record option in the IP header to probe the topology of a network.

Smurf: An attacker sends an ICMP echo request to the broadcast address or the network address of the target network. As a result, all hosts on the target network reply to the request, congesting the network and leaving hosts on the target network unable to provide services.

Source Route: An attacker exploits the source route option in the IP header to probe the topology of a network.

TCP Flag: Some TCP flags are processed differently by different operating systems. A TCP flag attacker sends TCP packets with such flags to a target host to probe its operating system. If the operating system cannot process such packets properly, the attacker succeeds in crashing the host.

Tracert: An attacker exploits the Tracert program to probe the network topology. The Tracert program sends batches of UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 each time the packet passes a router. Upon receiving a packet with a TTL of 0, a router must send an ICMP time exceeded message back to the source IP address of the packet. The Tracert program uses these returned messages to figure out the hosts that the packets have traversed from the source to the destination.

WinNuke: An attacker sends Out-of-Band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system that has an established connection, introducing a NetBIOS fragment overlap that causes the system to crash.
Scanning attack

An attacker uses scanning tools to scan host addresses and ports in a network to find possible targets, identify the services enabled on those targets, and work out the network topology, in preparation for further attacks on the target hosts.

Scanning detection detects scanning attempts by tracking the rates at which connections are initiated to protected systems. Usually, it is deployed on the device for the external security zone and takes effect on packets from that security zone.

If the device detects that the connection rate of an IP address has reached or exceeded the threshold, it outputs an attack alarm log and, depending on your configuration, can blacklist the IP address. Subsequent connection requests from the blacklisted IP address are dropped.
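The rate-based detection described above, as an added illustration that is not H3C's code and does not reflect the device's actual implementation: connection requests per source IP are counted in a sliding window, an alarm is raised at or above the threshold, and, when blacklisting is enabled, later requests from that source are dropped. The traffic sample, addresses, threshold and window are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample traffic (not from the manual): one host probing 15 ports in
# 0.7 s and one normal client opening three HTTPS connections a second apart.
# Timestamps are integer milliseconds; the destination is the protected server.
SCANNER, NORMAL, SERVER = "203.0.113.7", "198.51.100.20", "10.0.0.5"
EVENTS = sorted(
    [(50 * i, SCANNER, SERVER, 1 + i) for i in range(15)]
    + [(1000 * i, NORMAL, SERVER, 443) for i in range(3)]
)

class ScanDetector:
    """Count connection requests per source IP in a sliding window; alarm and optionally blacklist."""

    def __init__(self, threshold, window_ms, blacklist=True):
        self.threshold = threshold
        self.window_ms = window_ms
        self.blacklist_enabled = blacklist      # "depending on your configuration"
        self.history = defaultdict(deque)       # src IP -> recent request timestamps
        self.blacklist = set()
        self.alarms = []                        # (timestamp, src IP, requests seen in window)
        self.dropped = 0

    def process(self, ts, src, dst, port):
        """Classify one connection request as 'drop', 'alarm' or 'permit'."""
        if src in self.blacklist:               # blacklisted source: request is dropped
            self.dropped += 1
            return "drop"
        recent = self.history[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window_ms:  # expire requests outside the window
            recent.popleft()
        if len(recent) >= self.threshold:       # rate reached or exceeded the threshold
            self.alarms.append((ts, src, len(recent)))
            if self.blacklist_enabled:
                self.blacklist.add(src)
            return "alarm"
        return "permit"

def run(events, threshold=10, window_ms=1000, blacklist=True):
    """Feed events through a detector; return it together with the per-event verdicts."""
    det = ScanDetector(threshold, window_ms, blacklist)
    return det, [det.process(*event) for event in events]

if __name__ == "__main__":
    det, verdicts = run(EVENTS)
    for ts, src, seen in det.alarms:
        print(f"ALARM t={ts}ms src={src} requests_in_window={seen}")
    print(f"dropped={det.dropped} blacklisted={sorted(det.blacklist)}")
```

With blacklisting disabled, the same source keeps generating an alarm on every request at or above the threshold instead of being dropped, which is the trade-off the configuration choice controls.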
Flood attack

An attacker sends a large number of forged requests to the targets in a short time, so that the target systems are too busy to provide services for legitimate users, resulting in denial of service.

The device can effectively defend against the following types of flood attacks:

• SYN flood attack
Because of limited resources, the TCP/IP stack permits only a limited number of TCP connections. An attacker sends a great quantity of SYN packets to a target server, using a forged address as the source address. After receiving the SYN packets, the server replies with SYN ACK packets. As the destination address of the SYN ACK packets is unreachable, the server can never