Cisco 350 Series Administration Manual page 510

Security
Denial of Service Prevention
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
• TCP SYN-FIN Packets—SYN packets are sent to create a new TCP connection. TCP
FIN packets are sent to close a connection. A packet in which both SYN and FIN flags
are set should never exist. Therefore these packets might signify an attack on the
device and should be blocked.
• Martian Addresses—Martian addresses are illegal from the point of view of the IP
protocol. See Martian Addresses
• ICMP Attack—Sending malformed ICMP packets or overwhelming number of ICMP
packets to the victim that might lead to a system crash.
• IP Fragmentation—Mangled IP fragments with overlapping, over-sized payloads are
sent to the device. This can crash various operating systems due to a bug in their TCP/
IP fragmentation re-assembly code. Windows 3.1x, Windows 95 and Windows NT
operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are
vulnerable to this attack.
• Stacheldraht Distribution—The attacker uses a client program to connect to
handlers, which are compromised systems that issue commands to zombie agents,
which in turn facilitate the DoS attack. Agents are compromised via the handlers by
the attacker.
Using automated routines to exploit vulnerabilities in programs that accept remote
connections running on the targeted remote hosts. Each handler can control up to a
thousand agents.
• Invasor Trojan—A trojan enables the attacker to download a zombie agent (or the
trojan may contain one). Attackers can also break into systems using automated tools
that exploit flaws in programs that listen for connections from remote hosts. This
scenario primarily concerns the device when it serves as a server on the web.
• Back OrifaceTrojan—This is a variation of a trojan that uses Back Oriface software
to implant the trojan.
Defense Against DoS Attacks
The Denial of Service (DoS) Prevention feature assists the system administrator in resisting
such attacks in the following ways:
• Enable TCP SYN protection. If this feature is enabled, reports are issued when a SYN
packet attack is identified, and the attacked port can be temporarily shut-down. A SYN
attack is identified if the number of SYN packets per second exceeds a user-configured
threshold.
• Block SYN-FIN packets.
for more details.
17
367