Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 702


Network and Security Manager Administration Guide
Table 58: Attack Counters (continued)

| Item | Description |
|------|-------------|
| SYN Attack | SYN packets overwhelm a network by initiating so many connection attempts or information requests that the network can no longer process legitimate connection requests, resulting in a Denial of Service. |
| Tear Drop | When the first and second parts of a fragmented packet overlap, the server attempting to reassemble the packet can crash. If the security device sees this discrepancy in a fragmented packet, it drops the packet. |
| Source Route | This option applies in an IP header and allows an attacker to enter a network with a false IP address and have data sent back to the attacker's real address. |
| Ping of Death | Intentionally oversized or irregular ICMP packets can trigger a Denial of Service condition, freezing, or other adverse system reactions. You can configure a security device to detect and reject oversized or irregular packet sizes. |
| Address Spoofing | You can enable a security device to guard against spoofing attacks by checking its own route table. If the IP address is not in the route table, traffic through the security device is not allowed. |
| Land Attack | Combining a SYN attack with IP spoofing, a Land attack occurs when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. This creates an empty connection. Flooding a system with such empty connections can overwhelm the system, causing a Denial of Service. Security devices automatically block any attempt of this nature and record such attempts as a Land attack. |
| ICMP Flood | ICMP pings can overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic. If you set a threshold to invoke ICMP flood attack protection when exceeded, ICMP flood attacks are recorded as statistics. |
| UDP Flood | Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point that it can no longer handle valid connections. After enabling the UDP flood protection feature, you can set a threshold that, once exceeded, invokes the UDP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the threshold is exceeded, the security device ignores further UDP packets for the remainder of that second. |
| WinNuke | WinNuke can cause any computer on the Internet running Windows to crash. WinNuke introduces a NetBIOS anomaly that forces Windows to restart. Security devices can scan any incoming Microsoft NetBIOS Session Service packets, modify them, and record the event as a WinNuke attack. |
| Port Scan | Port scan attacks occur when packets are sent with different port numbers with the purpose of scanning the available services in hopes that one port will respond. The security device internally logs the number of different ports scanned from one remote source. If a remote host scans 10 ports in 0.3 seconds, the device flags this as a port scan attack, and rejects further packets from the remote source. |
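
The Port Scan rule in the table (10 different ports from one remote source within 0.3 seconds, then further packets rejected) can be modeled as a per-source sliding window. This is an added example, not Juniper code or part of the guide; the sliding-window interpretation, the `PortScanCounter` and `replay` names, the "flag" verdict for the triggering packet, and the sample traffic are assumptions.

```python
from collections import defaultdict, deque

PORT_THRESHOLD = 10   # different ports, from the Port Scan row
WINDOW_MS = 300       # 0.3 seconds, from the same row (integer ms avoids float drift)


class PortScanCounter:
    """Sliding-window model of the Port Scan counter (assumed semantics)."""

    def __init__(self, threshold=PORT_THRESHOLD, window_ms=WINDOW_MS):
        self.threshold = threshold
        self.window_ms = window_ms
        self.recent = defaultdict(deque)  # src -> deque of (ts_ms, dst_port)
        self.blocked = set()              # sources already flagged
        self.alerts = []                  # (ts_ms, src) per detection

    def observe(self, ts_ms, src, dst_port):
        """Verdict for one packet; packets must be fed in time order."""
        if src in self.blocked:
            return "reject"               # "rejects further packets"
        q = self.recent[src]
        q.append((ts_ms, dst_port))
        # Drop probes that have aged out of the window.
        while ts_ms - q[0][0] > self.window_ms:
            q.popleft()
        # Only *different* ports count; retries to one port do not.
        if len({port for _, port in q}) >= self.threshold:
            self.blocked.add(src)
            self.alerts.append((ts_ms, src))
            del self.recent[src]
            return "flag"                 # the packet that trips the counter
        return "pass"


def replay(packets):
    """Run (ts_ms, src, dst_port) tuples through a fresh counter."""
    counter = PortScanCounter()
    return counter, [counter.observe(*p) for p in packets]


# Constructed sample traffic (documentation address ranges, not a capture).
FAST_SCAN = [(i * 20, "198.51.100.7", 20 + i) for i in range(12)]  # 10 ports in 180 ms
SLOW_SCAN = [(i * 50, "203.0.113.9", 20 + i) for i in range(12)]   # at most 7 ports per 300 ms
RETRIES = [(i * 10, "192.0.2.44", 443) for i in range(30)]         # many packets, one port
SAMPLE = sorted(FAST_SCAN + SLOW_SCAN + RETRIES)

if __name__ == "__main__":
    counter, verdicts = replay(SAMPLE)
    print("alerts:", counter.alerts)
    print("rejected:", verdicts.count("reject"))
```

The slow scan in the sample never trips the counter, which shows the limit of a fixed 10-ports-in-0.3-seconds rule: a source that paces its probes stays under it, so the counter is best read alongside longer-window log analysis.
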
Copyright © 2010, Juniper Networks, Inc.
