Quidway S7700 Smart Routing Switch
Configuration Guide - SPU
running when receiving a forged fragment containing an overlap offset. The Teardrop attack
exploits a flaw in systems that do not check the validity of fragment offset information before
reassembly.
Fraggle Attack
UDP port 7 (Echo) and port 19 (Chargen) answer any UDP packet they receive. The Echo
service returns the received payload to the sender, and the Chargen service returns a generated
character string. Similar to the ICMP (Smurf) packet attack, the two UDP services can be made
to generate many useless response packets, which occupy the network bandwidth.
The attacker sends a UDP packet whose source address is the IP address of the host to be
attacked and whose destination address is the broadcast address or network address of a subnet,
with destination port 7 or 19. All the systems on that subnet that have the service enabled then
return packets to the target host. The high traffic volume blocks the network or the host stops
responding. Systems on which the service is not enabled return ICMP port-unreachable packets
instead, which also consume bandwidth. If the source port is set to Chargen (19) and the
destination port to Echo (7), every reply triggers another reply, so the systems generate
response packets continuously and cause serious damage.
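As an added illustration, not code from the Huawei guide, the following Python script classifies UDP packets by the Fraggle pattern just described: a packet aimed at the broadcast or network address of a monitored subnet with destination port 7 or 19 is an amplification trigger, and its (spoofed) source address is the real victim; a packet with port 19 at one end and port 7 at the other is the Echo/Chargen loop variant. The subnet 192.0.2.0/24, the addresses and the packet records are constructed test data, and the function names are the example's own.

```python
import ipaddress
from collections import Counter

ECHO_PORT = 7        # UDP Echo: returns the received payload to the sender
CHARGEN_PORT = 19    # UDP Chargen: returns a generated character string
AMPLIFIER_PORTS = {ECHO_PORT, CHARGEN_PORT}

# Constructed sample data (not from the manual): one monitored LAN and a few UDP packets.
SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE_PACKETS = [
    # Spoofed victim address as source, LAN broadcast/network address as destination,
    # port 7 or 19: the Fraggle trigger. Every host on the LAN answers 198.51.100.7.
    {"proto": "udp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.255", "dport": 7},
    {"proto": "udp", "src": "198.51.100.7", "sport": 40001, "dst": "192.0.2.255", "dport": 19},
    {"proto": "udp", "src": "198.51.100.7", "sport": 40002, "dst": "192.0.2.0", "dport": 7},
    {"proto": "udp", "src": "198.51.100.7", "sport": 40003, "dst": "192.0.2.255", "dport": 19},
    # Chargen -> Echo between two hosts: each reply triggers another reply (the loop variant).
    {"proto": "udp", "src": "192.0.2.10", "sport": 19, "dst": "192.0.2.20", "dport": 7},
    # Ordinary traffic: a DNS query, and a single broadcast probe below the alert threshold.
    {"proto": "udp", "src": "192.0.2.10", "sport": 5353, "dst": "192.0.2.1", "dport": 53},
    {"proto": "udp", "src": "203.0.113.5", "sport": 4444, "dst": "192.0.2.255", "dport": 7},
]


def is_directed_broadcast(dst_ip, subnets):
    """True if dst_ip is the broadcast or network address of one of the monitored subnets."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst == net.broadcast_address or dst == net.network_address for net in subnets)


def classify_udp_packet(pkt, subnets):
    """Return 'fraggle', 'echo-chargen-loop' or None for a single packet record."""
    if pkt["proto"] != "udp":
        return None
    # Echo and Chargen at opposite ends of one flow: the self-sustaining ping-pong case.
    if {pkt["sport"], pkt["dport"]} == {ECHO_PORT, CHARGEN_PORT}:
        return "echo-chargen-loop"
    # Amplification trigger: directed broadcast to an amplifier port.
    if pkt["dport"] in AMPLIFIER_PORTS and is_directed_broadcast(pkt["dst"], subnets):
        return "fraggle"
    return None


def find_fraggle_victims(packets, subnets, threshold=3):
    """Count trigger packets per source address. The source is forged, so a source seen
    at or above the threshold is the host under attack, not the attacker."""
    counts = Counter()
    for pkt in packets:
        if classify_udp_packet(pkt, subnets) == "fraggle":
            counts[pkt["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def should_forward(pkt, subnets):
    """Router-side mitigation: never forward a packet to a directed broadcast address,
    so the amplifier subnet cannot be reached from outside."""
    return not is_directed_broadcast(pkt["dst"], subnets)


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], classify_udp_packet(pkt, SUBNETS))
    print("likely victims:", find_fraggle_victims(SAMPLE_PACKETS, SUBNETS))
```

Counting trigger packets per source address identifies the victim rather than the attacker, because the source address is the forged one. The `should_forward` check is the usual router-side countermeasure (do not forward directed broadcasts); disabling the Echo and Chargen services on hosts removes both the amplifier and the loop variant.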
IP-Fragment Attack
In an IP packet, several header fields relate to flag bits and fragmentation: Fragment Offset,
Length, Don't Fragment (DF), and More Fragments (MF).
If these fields conflict and the conflict is not handled properly, the device may stop running.
The fields conflict in the following cases:
• DF is set while MF is also set or the fragment offset is not 0 (a packet marked "don't
fragment" that is itself a fragment).
• DF is 0, but the sum of Fragment Offset and Length is larger than 65535, the maximum
size of an IP datagram, so the fragments cannot be reassembled into a valid packet.
In addition, the device directly discards fragments whose destination is the device itself,
because caching and reassembling many fragments places a heavy load on the device.
Tracert Attack
A Tracert attack uses the ICMP time-exceeded packets that routers return when the Time To
Live (TTL) of a probe packet reaches 0, together with the ICMP port-unreachable packet
returned by the final destination, to trace the path to a target host. In this way, the attacker
learns the network architecture.

2.3 Configuring Zones

All the security policies of the firewall are enforced based on zones.

2.3.1 Establishing the Configuration Task

Before configuring a zone, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data.
Applicable Environment
Before configuring a firewall, you need to configure zones. Then you can configure the firewall
based on zones or interzones.
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration
34
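The header conflicts listed under IP-Fragment Attack above can be checked mechanically. The following Python code, added here as an illustration and not part of the Huawei guide, parses a raw IPv4 header, applies the two conflict rules (DF set together with MF or a non-zero offset; DF clear but offset plus length beyond 65535) and also drops fragments addressed to the device itself, as the text requires. The header builder used to construct test packets, the verdict codes and the local address list are the example's own assumptions; the Fragment Offset field is in 8-byte units, so it is converted to bytes before the length check.

```python
import ipaddress
import struct

IPV4_MAX_DATAGRAM = 65535   # largest datagram the 16-bit Total Length field can describe
IPV4_HEADER = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags+offset, TTL, proto, csum, src, dst


def build_ipv4_header(total_length, df, mf, offset, src="192.0.2.1", dst="192.0.2.2"):
    """Construct a minimal 20-byte IPv4 header for test input (constructed data; checksum left 0).
    offset is the Fragment Offset field value, i.e. in units of 8 bytes."""
    ver_ihl = (4 << 4) | 5
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (offset & 0x1FFF)
    return struct.pack(IPV4_HEADER, ver_ihl, 0, total_length, 0x1234, flags_frag, 64, 17, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_ipv4_header(data):
    """Extract the fragmentation-relevant fields from a raw IPv4 header."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HEADER, data[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) * 4 < 20:
        raise ValueError("not a valid IPv4 header")
    return {
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_length": total_length,
        "df": bool(flags_frag & 0x4000),          # bit 14: Don't Fragment
        "mf": bool(flags_frag & 0x2000),          # bit 13: More Fragments
        "offset": (flags_frag & 0x1FFF) * 8,      # low 13 bits, in 8-byte units -> bytes
        "proto": proto,
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
    }


def fragment_verdict(hdr, local_addrs=()):
    """Return 'ACCEPT' or a drop reason for the parsed header, following the rules in the text."""
    if hdr["total_length"] < hdr["ihl"]:
        return "BAD_LENGTH"                      # length field cannot even cover the header
    if hdr["df"] and hdr["mf"]:
        return "DF_AND_MF"                       # rule 1: "don't fragment" but "more fragments"
    if hdr["df"] and hdr["offset"] != 0:
        return "DF_ON_FRAGMENT"                  # rule 1: "don't fragment" on a later fragment
    if not hdr["df"] and hdr["offset"] + hdr["total_length"] > IPV4_MAX_DATAGRAM:
        return "OVERSIZE"                        # rule 2: reassembled datagram would exceed 65535
    is_fragment = hdr["mf"] or hdr["offset"] != 0
    if is_fragment and hdr["dst"] in local_addrs:
        return "SELF_FRAGMENT"                   # fragments to the device itself are discarded
    return "ACCEPT"


def check_packet(data, local_addrs=()):
    """Parse a raw header and return the verdict in one step."""
    return fragment_verdict(parse_ipv4_header(data), local_addrs)


if __name__ == "__main__":
    device = ("192.0.2.254",)
    samples = {
        "normal fragment": build_ipv4_header(1500, df=False, mf=True, offset=0),
        "DF and MF": build_ipv4_header(1500, df=True, mf=True, offset=0),
        "DF with offset": build_ipv4_header(100, df=True, mf=False, offset=10),
        "oversize (ping of death style)": build_ipv4_header(28, df=False, mf=False, offset=8191),
        "fragment to device": build_ipv4_header(1500, df=False, mf=True, offset=0, dst="192.0.2.254"),
    }
    for name, raw in samples.items():
        print(f"{name}: {check_packet(raw, device)}")
```

The oversize case is the classic one: an offset of 8191 (65528 bytes) plus a 28-byte fragment describes a datagram of 65556 bytes, which cannot exist, and a stack that allocates the reassembly buffer from the fragment fields without this check is the target of the attack.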
