D-Link Confidential - D-Link DVX-1000 User Manual

Network telephone exchange

22.2.2.9 TCP SYN cookie protection
A SYN attack is a denial of service (DoS) attack that consumes all the resources
on your machine, forcing you to reboot. Denial of service attacks (attacks that
incapacitate a server through high traffic volume, or that tie up system
resources enough that the server cannot respond to a legitimate connection
request from a remote system) are easily achievable from internal resources or
from external connections via extranets and the Internet.
The system is protected against TCP SYN attacks.
22.2.2.10 ICMP Redirect Acceptance
An ICMP Redirect tells the recipient system to override something in its routing
table. It is legitimately used by routers to tell hosts that the host is using a
non-optimal or defunct route to a particular destination, i.e. the host is
sending traffic to the wrong router. The wrong router sends the host back an ICMP
Redirect packet that tells the host what the correct route should be. If an
attacker can forge ICMP Redirect packets, and if the target host pays attention
to them, the attacker can alter the routing tables on the host and possibly
subvert the security of the host by causing traffic to flow via a path the
network manager didn't intend. ICMP Redirects are also employed for denial of
service attacks, where a host is sent a route that loses it connectivity.
To protect against this, ICMP redirects are not accepted.
22.2.2.11 Sending ICMP redirect messages
For the same reason as mentioned above, it is not advisable to send ICMP
redirect messages.
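
The following is an added example, not part of the D-Link manual: a shell
function that audits a generic Linux host for the settings described in sections
22.2.2.9 to 22.2.2.11. It assumes the standard Linux sysctl files under
/proc/sys; the manual does not say how the DVX-1000 implements these
protections, and the function names are illustrative.

```sh
# Added example (not from the D-Link manual). Assumes a generic Linux host;
# the manual does not say how the DVX-1000 implements these protections.
# Usage: audit_net_hardening            # audit the live /proc/sys
#        audit_net_hardening /some/dir  # audit a copied or constructed tree

# check_value FILE ALLOWED_CSV: print a verdict, return 1 on any deviation.
check_value() {
    if [ ! -r "$1" ]; then
        echo "MISSING $1 (expected $2)"
        return 1
    fi
    got="$(tr -d '[:space:]' < "$1")"
    case ",$2," in
        *",$got,"*) echo "OK      $1 = $got"; return 0 ;;
    esac
    echo "FAIL    $1 = $got (expected $2)"
    return 1
}

# audit_net_hardening [ROOT]: returns 0 only if every setting matches.
audit_net_hardening() {
    root="${1:-/proc/sys}"
    failures=0
    seen=0
    # 22.2.2.9: SYN cookies. 1 = used when the SYN backlog overflows, 2 = always.
    check_value "$root/net/ipv4/tcp_syncookies" "1,2" || failures=$((failures + 1))
    # 22.2.2.10 and 22.2.2.11: check "all", "default" and every interface,
    # because a per-interface 1 can re-enable redirects on a host.
    for dir in "$root"/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        seen=$((seen + 1))
        check_value "${dir}accept_redirects" "0" || failures=$((failures + 1))
        check_value "${dir}send_redirects" "0" || failures=$((failures + 1))
    done
    # No interface directories at all means the redirect settings were not verified.
    if [ "$seen" -eq 0 ]; then
        echo "MISSING $root/net/ipv4/conf (no interfaces found)"
        failures=$((failures + 1))
    fi
    echo "deviations: $failures"
    [ "$failures" -eq 0 ]
}
```
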
22.2.2.12 Connections from IANA-reserved blocks
IANA has generated a list of reserved blocks of IP addresses. Connections from or
to these blocks are not allowed.
22.2.2.13 ICMP Source Quench Messages
An ICMP source quench is generated by a gateway or the destination host and
tells the sending end to ease up because it cannot keep up with the speed at
which it's receiving the data. This service is allowed.
22.2.2.14 ICMP Parameter Problem Messages
The ICMP Parameter Problem message is sent to the source host for any problem
not specifically covered by another ICMP message. Receipt of a Parameter
Problem message generally indicates some local or remote implementation error.
These messages are allowed.
22.2.2.15 ICMP Destination Unreachable/Service Unavailable Messages
The Destination Unreachable message is an ICMP message which is generated by
the router to inform the client that the destination host is unreachable, unless
the datagram has a multicast address. Reasons for this message may include: the
physical connection to the host does not exist (distance is infinite), the
indicated protocol or port is not active, or the data must be fragmented but the
'don't fragment' flag is on. This message is allowed.
