Ads Configuration Options - Efficient Networks SpeedStream 5100 Series User Manual

enough data to flood a large Internet host's connection, a would-be attacker instead "convinces" hundreds
or thousands of other hosts to do it for him. This is called a Distributed Denial of Service (DDoS). Several
viruses can turn a host into a remote-controlled "zombie," although some attacks can simply use a host's
network stack to do the job if it is too trusting. The SpeedStream ADS monitors this behavior.

ADS Configuration Options

The SpeedStream Attack Detection System filters (i.e., discards) and/or logs the following attack attempts
from the WAN:
Same Source and Destination Address (a.k.a. Land Attack):
This packet has a spoofed source IP address set to be the same as the destination host and can result in
the DoS or crash of the local host. When the receiving host tries to respond to the source address in
the packet, it ends up just sending it back to itself. This packet could ping-pong back and forth over
200 times (consuming CPU resources) before being discarded.
Broadcast Source Address (a.k.a. Smurf or Fraggle Attack):
This packet has a spoofed source IP address set to the "broadcast" address. Most hosts only accept
packets destined for their own IP address, but there are a couple of special IP addresses called broadcast
addresses that hosts will also accept in addition to their own. The broadcast address is invalid as a
packet's source address, however, because a packet has to come from a host. If a network stack does
respond to a packet with a broadcast source address, the response will be sent to the broadcast address
on which all of the hosts on the subnet are listening. All of the hosts that received the broadcast would
then respond back to the host, flooding it with data and possibly making it inaccessible to other users.
LAN Source Address On WAN:
This packet has a spoofed source address set to be a typical trusted LAN address. One method of
separating a LAN from a WAN is by using NAPT. This allows the LAN to use IP addresses that are
normally not accessible by WAN hosts and, therefore, helps shield the LAN from WAN attacks. A
packet with a LAN source address coming from the WAN is attempting to masquerade as a LAN
packet so that it might be trusted by a LAN host and received.
Invalid IP Packet Fragment (a.k.a. Ping of Death):
IP packets can be large. If a link between two hosts transporting a packet can only handle smaller
packets, the large packet may be split (or fragmented) into smaller ones. When the packet fragments
get to the destination host, they must be reassembled into the original large packet like pieces of a
puzzle. If each stage of reassembly is not carefully checked by the receiving host's network stack, a
specially crafted invalid fragment can cause the host to crash.
TCP NULL Flags:
The TCP header contains a set of "flags" that indicate information about the packet which is used by
the receiving host to process it. At least one TCP flag must be set, but in a TCP NULL flags packet,
none is. This packet can cause some hosts to crash.
TCP FIN Flag:
The TCP FIN flag should never appear in a packet by itself. This packet can cause some hosts to
crash.
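The six ADS rules above, expressed as a packet classifier that a defender could run over captured WAN traffic. This is an added example, not the SpeedStream firmware's code: LAN_NET is an assumed LAN prefix, and the packets are constructed test inputs.

```python
import ipaddress
import struct

# Assumed LAN prefix behind the router (an assumption for this example, not from the manual).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
TCP_FIN = 0x01

def ipv4_packet(src, dst, proto=6, frag_off=0, more_frags=False, payload=b"\x00" * 20):
    """Build a constructed IPv4 header (no options) followed by payload; frag_off is in bytes."""
    total_len = 20 + len(payload)
    frag_word = (0x2000 if more_frags else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, frag_word, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def tcp_segment(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header with the given flag byte and no payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def classify(pkt):
    """Apply the ADS rules from this page to one raw packet; return the names of the rules it trips."""
    hits = []
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag_word = struct.unpack("!HHH", pkt[2:8])
    frag_off = (frag_word & 0x1FFF) * 8
    proto = pkt[9]
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    if src == dst:
        hits.append("land")                 # Same Source and Destination Address
    if src in (ipaddress.ip_address("255.255.255.255"), LAN_NET.broadcast_address):
        hits.append("broadcast-source")     # Smurf / Fraggle: a broadcast address can never send
    elif src in LAN_NET:
        hits.append("lan-source-on-wan")    # spoofed trusted LAN address arriving from the WAN
    if frag_off + (total_len - ihl) > 65535:
        hits.append("invalid-fragment")     # reassembled datagram would exceed the IP maximum
    if proto == 6 and frag_off == 0 and len(pkt) >= ihl + 14:
        flags = pkt[ihl + 13] & 0x3F        # only the first fragment carries the TCP header
        if flags == 0:
            hits.append("tcp-null-flags")
        elif flags == TCP_FIN:
            hits.append("tcp-fin-only")
    return hits
```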
SpeedStream Router User Guide
75
