Ping Of Death Attack; Teardrop Attack - Huawei S9700 Series Configuration Manual

S9700 Core Routing Switch
Configuration Guide - SPU
ICMP and UDP Flood Attack
ICMP and UDP flood attacks send a large number of ICMP packets (such as ping packets) or
UDP packets to the target host in a short time, each requesting a response. The host is then
overloaded and cannot process valid tasks.
IP Sweeping and Port Scanning Attack
IP address sweeping and port scanning attacks use scanning tools to probe the IP addresses and
ports of the target hosts. From the responses, the attacker determines which hosts exist on the
target network and then which ports on those hosts provide services.

Ping of Death Attack

The Ping of Death attacks a system by sending oversized ICMP packets. The length field of an
IP packet is 16 bits, so the maximum length of an IP packet is 65535 bytes. If the data field of an
ICMP Echo Request packet is longer than 65507 bytes, the total length of the ICMP Echo Request
packet (ICMP data + 20-byte IP header + 8-byte ICMP header) is greater than 65535 bytes. Upon
receiving such a packet, routers or systems crash, stop responding, or restart because they
process the packet improperly.
ICMP-Redirect and ICMP-Unreachable Attack
A network device sends an ICMP-redirect packet to hosts on the same subnet, requesting the
hosts to change a route. However, an attacker on another network segment can send a forged
ICMP-redirect packet to the hosts of a different network. In this way, the attacker changes the
routing table of the hosts, interfering with normal IP packet forwarding by those hosts.
Another type of attack sends ICMP-unreachable packets. After receiving an ICMP-unreachable
packet for a network (code 0) or a host (code 1), some systems consider all subsequent packets
sent to this destination as unreachable. The systems then disconnect the destination from the
host.

Teardrop Attack

The More Fragments (MF) bit, offset field, and length field in an IP packet indicate which segment
of the original packet this fragment contains. Some systems running TCP/IP may stop running
when they receive a forged fragment with an overlapping offset. The Teardrop attack exploits
the flaw of some systems that do not check the validity of fragment information.
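The two fragment-level checks described above (the Ping of Death length arithmetic and the Teardrop overlap) can be applied to raw IPv4 headers as a detection rule. The following is an added example, not code from the Huawei manual or from the S9700 software; the fragment builder and the sample capture are constructed here for illustration.

```python
import struct
from collections import defaultdict

IP_MAX_LEN = 65535   # 16-bit IP total-length field, as the text states
IP_HDR_LEN = 20      # IP header size of the reassembled datagram, per the text

def parse_fragment(pkt: bytes):
    """Extract (IP ID, MF bit, byte offset, payload length) from a raw IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & 0x2000)        # More Fragments bit
    offset = (flags_frag & 0x1FFF) * 8    # fragment offset is in 8-byte units
    return ident, mf, offset, total_len - ihl

def check_fragments(packets):
    """Return {ip_id: sorted findings} for a list of raw IPv4 fragments."""
    groups = defaultdict(list)
    for pkt in packets:
        ident, mf, off, plen = parse_fragment(pkt)
        groups[ident].append((off, plen, mf))
    findings = {}
    for ident, frags in groups.items():
        frags.sort()
        hits, prev_end = set(), 0
        for off, plen, mf in frags:
            # Ping of Death: reassembled datagram would exceed the 16-bit length field
            if IP_HDR_LEN + off + plen > IP_MAX_LEN:
                hits.add("ping-of-death")
            # Teardrop: fragment starts inside data already covered by an earlier one
            if off < prev_end:
                hits.add("teardrop")
            prev_end = max(prev_end, off + plen)
        findings[ident] = sorted(hits)
    return findings

def make_fragment(ident, offset, payload_len, mf):
    """Constructed sample fragment: minimal IPv4 header (IHL=5), proto ICMP, zero checksum."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, ident,
                      flags_frag, 64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * payload_len

# Constructed capture: ID 1 is a benign two-fragment ping, ID 2 reassembles past
# 65535 bytes (Ping of Death), ID 3 has a second fragment overlapping the first (Teardrop).
SAMPLE_CAPTURE = [
    make_fragment(1, 0, 1480, True), make_fragment(1, 1480, 500, False),
    make_fragment(2, 0, 1480, True), make_fragment(2, 65520, 40, False),
    make_fragment(3, 0, 36, True),   make_fragment(3, 24, 24, False),
]

if __name__ == "__main__":
    print(check_fragments(SAMPLE_CAPTURE))
```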
Fraggle Attack
After receiving UDP packets, port 7 (Echo) and port 19 (Chargen) return responses. Port 7
responds to the received packets with ICMP Echo Reply, whereas port 19 responds with a
generated character string. As in the ICMP packet attack, the two UDP ports generate many
invalid response packets, which occupy the network bandwidth.
The attacker sends a UDP packet to the destination network. The source address of the UDP
packet is the IP address of the host to be attacked, and its destination address is the broadcast
address or network address of the host's subnet. The destination port number of the packet is 7
or 19. All systems on which these services are enabled then return packets to the target host. In
this case, the high traffic volume blocks the network or the host stops responding. In addition,
systems without these services generate ICMP-unreachable packets, which also consume
Issue 01 (2012-03-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration