ZyXEL Communications Vantage CNM 2.0 User Manual page 139

4. IP Spoofing.
1. "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various
computer and host systems.
Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum 65,536 bytes of
data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system.
Systems may crash, hang or reboot.
Teardrop attack exploits weaknesses in the reassembly of IP packet fragments. As data is transmitted
through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the
original IP packet except that it contains an offset field that says, for instance, "This fragment is
carrying bytes 200 through 400 of the original (non fragmented) IP packet." The Teardrop program
creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at
the destination, some systems will crash, hang, or reboot.
2. Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND" attacks. These
attacks are executed during the handshake that initiates a communication session between two
applications.
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet
to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN,
and then the initiator responds with an ACK (acknowledgment). After this handshake, a connection is
established.
SYN Attack floods a targeted system with a series of SYN packets. Each packet causes the targeted
system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the
SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue.
SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which
is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system
will ignore all incoming SYN requests, making the system unavailable for legitimate users.
In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of
the targeted system. This makes it appear as if the host computer sent the packets to itself, making the
system unavailable while the target system tries to respond to itself.
3. A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as
directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker
floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the
destination IP address of each packet is the broadcast address of the network, the router will broadcast
the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a
large amount of ICMP echo request and response traffic. If a hacker chooses to spoof the source IP
address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the
"intermediary" network, but will also congest the network of the spoofed source IP address, known as
the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making
communications impossible.
ICMP Vulnerability
ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an
alert:
Configuration > Firewall
Table 12-2 ICMP Commands That Trigger Alerts
5 REDIRECT
13 TIMESTAMP_REQUEST
14 TIMESTAMP_REPLY
17 ADDRESS_MASK_REQUEST
Vantage CNM 2.0
12-3