Scanning Attacks - HP FlexNetwork 10500 Series Security Configuration Manual


| Single-packet attack | Description |
|---|---|
| IP options | An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets. |
| IP fragment | An attacker sends the victim an IP datagram with an offset smaller than 5, which causes the victim to malfunction or crash. |
| IP impossible packet | An attacker sends IP packets whose source IP address is the same as the destination IP address, which causes the victim to malfunction. |
| Tiny fragment | An attacker makes the fragment size small enough to force Layer 4 header fields into the second fragment. These fragments can pass the packet filtering because they do not hit any match. |
| Smurf | An attacker broadcasts an ICMP echo request to target networks. These requests contain the victim's IP address as the source IP address. Every receiver on the target networks will send an ICMP echo reply to the victim. The victim will be flooded with replies, and will be unable to provide services. Network congestion might occur. |
| TCP flag | An attacker sends packets with defective TCP flags to probe the operating system of the target host. Different operating systems process unconventional TCP flags differently. The target system will break down if it processes this type of packet incorrectly. |
| Traceroute | An attacker uses traceroute tools to probe the topology of the victim network. |
| WinNuke | An attacker sends Out-Of-Band (OOB) data to TCP port 139 (NetBIOS) on a victim that runs a Windows system. The malicious packets contain an illegal Urgent Pointer, which causes the victim's operating system to crash. |
| UDP bomb | An attacker sends a malformed UDP packet. The length value in the IP header is larger than the IP header length plus the length value in the UDP header. When the target system processes the packet, a buffer overflow can occur, which causes a system crash. |
| UDP Snork | An attacker sends a UDP packet with destination port 135 (the Microsoft location service) and source port 135, 7, or 19. This attack causes an NT system to exhaust its CPU. |
| UDP Fraggle | An attacker sends a large number of chargen packets with source UDP port 7 and destination UDP port 19 to a network. These packets use the victim's IP address as the source IP address. Replies will flood the victim, resulting in DoS. |
| Teardrop | An attacker sends a stream of overlapping fragments. The victim will crash when it tries to reassemble the overlapping fragments. |
| Ping of death | An attacker sends the victim an ICMP echo request larger than 65535 bytes that violates the IP protocol. When the victim reassembles the packet, a buffer overflow can occur, which causes a system crash. |

Scanning attacks

Scanning is a pre-intrusion activity used to prepare for intrusion into a network. The scanning allows
the attacker to find a way into the target network and to disguise the attacker's identity.
Attackers use scanning tools to probe a network, find vulnerable hosts, and discover services that
are running on the hosts. Attackers can use the information to launch attacks.
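
Several of the single-packet attack descriptions on this page reduce to checks on header fields of one packet. The following is an added example, not code from the manual or from the device: a stateless Python classifier that applies those descriptions to already-parsed headers. The dictionary keys, the `classify` function, and the sample packets are assumptions made for illustration.

```python
# Added example. The dict keys are assumed names for fields an upstream parser extracted.
L4_MIN_HEADER = {"tcp": 20, "udp": 8}  # minimum TCP / UDP header sizes in bytes

def classify(pkt):
    """Return the table's attack names whose description matches this packet."""
    hits = []
    proto, ihl = pkt["proto"], pkt.get("ihl_bytes", 20)
    offset = pkt.get("frag_offset", 0) * 8  # header field counts 8-byte units
    if pkt["src"] == pkt["dst"]:
        hits.append("IP impossible packet")
    # Reassembled datagram would end beyond the 65535-byte IP maximum.
    if proto == "icmp" and offset + pkt["total_len"] > 65535:
        hits.append("Ping of death")
    # First fragment too short to carry the whole Layer 4 header.
    tiny = (offset == 0 and pkt.get("more_fragments", False)
            and pkt["total_len"] - ihl < L4_MIN_HEADER.get(proto, 0))
    if tiny:
        hits.append("Tiny fragment")
    if offset or tiny:
        return hits  # no complete Layer 4 header to inspect
    if proto == "udp":
        sport, dport = pkt["sport"], pkt["dport"]
        if pkt["total_len"] > ihl + pkt["udp_len"]:
            hits.append("UDP bomb")
        if dport == 135 and sport in (135, 7, 19):
            hits.append("UDP Snork")
        if sport == 7 and dport == 19:
            hits.append("UDP Fraggle")
    elif proto == "tcp" and pkt["dport"] == 139 and "URG" in pkt["flags"]:
        hits.append("WinNuke")  # OOB data is signalled with the URG flag
    return hits

# Constructed sample packets (documentation address ranges), not captured traffic.
SAMPLES = [
    {"proto": "udp", "src": "192.0.2.10", "dst": "198.51.100.5",
     "total_len": 36, "sport": 7, "dport": 135, "udp_len": 16},
    {"proto": "udp", "src": "192.0.2.10", "dst": "198.51.100.5",
     "total_len": 100, "sport": 5000, "dport": 53, "udp_len": 16},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.5",
     "total_len": 41, "dport": 139, "flags": {"URG", "ACK"}},
    {"proto": "icmp", "src": "192.0.2.10", "dst": "198.51.100.5",
     "total_len": 1500, "frag_offset": 8189},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.5",
     "total_len": 28, "more_fragments": True},
]
if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
```

Smurf, Teardrop, Traceroute, and the IP options and TCP flag probes are left out because they need knowledge of broadcast addresses, reassembly state, or a list of abnormal values that this page does not give.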