Enterasys Networks X-Pedition™ Security Router User Manual, page 390: Large ICMP Packets, Ping of Death Attack, Spurious State Transition, General Security Precautions

16-4 Configuring Security on the XSR
Large ICMP Packets
This protection is triggered for ICMP packets larger than a size you can configure. Such packets are dropped by the XSR if the protection is enabled with the HostDoS command.
Ping of Death Attack
This protection is triggered when an ICMP packet is received with the "more fragments" bit set to 0 (that is, the last fragment) and ((IP offset * 8) + IP data length) greater than 65535. Since 65535 is the maximum size of an IP datagram, reassembling such a fragment would write past the end of the receiver's reassembly buffer, causing a buffer overflow. The XSR always drops such packets automatically.
Spurious State Transition
Protection against spurious state transitions concerns TCP packets with both the SYN and FIN bits set. In this attack an intruder attempts to tie up a network port on a host for a very long time by exploiting the state transition from SYN_RCVD to CLOSE_WAIT: the attacker sends the host a single packet with both the SYN and FIN flags set.
The host first processes the SYN flag, sends an ACK back, and moves to the SYN_RCVD state. It then processes the FIN flag, transitions to CLOSE_WAIT, and sends another ACK.
The attacker sends nothing further, so the host's state machine remains in CLOSE_WAIT until the keep-alive timer expires and resets it to the CLOSED state. To protect against this attack the XSR checks for TCP packets with both SYN and FIN flags set. This protection is always enabled, and such packets are harmlessly dropped.
This feature is supported for packets destined for the XSR. Transit packets will be checked.
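The three checks above, as an added example in Python that is not code from the XSR or from Enterasys: it parses a raw IPv4 packet and returns whether the router would accept it or why it would drop it. The sample packets are constructed inline; the `large_icmp_limit` parameter stands in for the size configured with the HostDoS command (`None` meaning that protection is disabled), while the ping-of-death and SYN+FIN checks are always on, as the page describes. The TCP flag check looks only at first fragments (offset 0), because later fragments do not carry the TCP header.

```python
import struct

IP_MAX_DATAGRAM = 65535          # largest IPv4 datagram the 16-bit total-length field can describe
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_FIN, TCP_SYN = 0x01, 0x02


def build_ipv4(proto, payload, offset=0, more_fragments=False):
    """Constructed test packet: minimal 20-byte IPv4 header in front of payload.
    The header checksum is left at zero; none of the checks below depend on it."""
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def parse_ipv4(pkt):
    """Pull out the fields the three checks need from a raw IPv4 packet."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ihl": ihl,
        "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),
        "offset": flags_frag & 0x1FFF,        # in 8-byte units, as on the wire
        "proto": proto,
        "payload": pkt[ihl:total_len],
    }


def check_packet(pkt, large_icmp_limit=None):
    """Return 'accept' or 'drop: <reason>' for one IPv4 packet.

    large_icmp_limit: None = large-ICMP protection disabled (assumed to mirror
    a HostDoS size that has not been configured); otherwise ICMP packets whose
    IP total length exceeds this many bytes are dropped. The ping-of-death and
    SYN+FIN checks are always on.
    """
    ip = parse_ipv4(pkt)
    data_len = ip["total_len"] - ip["ihl"]

    if ip["proto"] == IPPROTO_ICMP:
        # Ping of death: a final fragment (MF=0) whose end lies past the 65535-byte
        # maximum datagram size; reassembling it would overrun the reassembly buffer.
        if not ip["more_fragments"] and ip["offset"] * 8 + data_len > IP_MAX_DATAGRAM:
            return "drop: ping-of-death"
        if large_icmp_limit is not None and ip["total_len"] > large_icmp_limit:
            return "drop: large-icmp"

    elif ip["proto"] == IPPROTO_TCP:
        # Flags live in the TCP header, which only the first fragment carries.
        if ip["offset"] == 0 and len(ip["payload"]) >= 14:
            flags = ip["payload"][13]
            if flags & TCP_SYN and flags & TCP_FIN:
                return "drop: syn-fin"

    return "accept"


def icmp_echo(data):
    """Constructed ICMP echo request (type 8) with a zero checksum."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


def tcp_segment(flags):
    """Constructed 20-byte TCP header (data offset 5) carrying the given flag byte."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample packets
PING_NORMAL = build_ipv4(IPPROTO_ICMP, icmp_echo(b"A" * 56))             # 84-byte ping
PING_LARGE = build_ipv4(IPPROTO_ICMP, icmp_echo(b"A" * 1500))            # 1528-byte ping
# Last fragment of a ping whose data would end at 8189*8 + 40 = 65552 bytes
POD_FRAGMENT = build_ipv4(IPPROTO_ICMP, b"B" * 40, offset=8189, more_fragments=False)
SYN_FIN = build_ipv4(IPPROTO_TCP, tcp_segment(TCP_SYN | TCP_FIN))
SYN_ONLY = build_ipv4(IPPROTO_TCP, tcp_segment(TCP_SYN))

if __name__ == "__main__":
    for name, pkt in [("normal ping", PING_NORMAL), ("large ping", PING_LARGE),
                      ("ping-of-death fragment", POD_FRAGMENT),
                      ("SYN+FIN", SYN_FIN), ("SYN only", SYN_ONLY)]:
        print(f"{name:24s} {check_packet(pkt, large_icmp_limit=1024)}")
```

Note that the ping-of-death test cannot fire on an unfragmented packet, since the 16-bit total-length field cannot exceed 65535 on its own; it is the fragment offset that pushes the reassembled size past the limit, which is why the check is on the last fragment rather than on the packet length.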
General Security Precautions
To ensure security on the XSR, we recommend you take these precautions:
• Limit physical access
• Avoid connecting a modem to the console port
• Download the latest security patches
• Retain secured backup copies of device configurations
• Plan all configuration changes and prepare a back-out procedure in case they go wrong
• Keep track of all configuration changes made to all devices
• Create a database that tracks the OS version, description of the last change, back-out procedure, and administrative owner of all routers
• Avoid entering clear-text passwords in the configuration script
• Be sure to change all default passwords
• Use strong passwords that are not found in a dictionary
• Change passwords when IT staff members depart
• Age passwords after 30 to 60 days
• Grant the correct privilege levels to particular users only
• Set reasonable timeouts for console and remote management sessions