IP-Directed Broadcasts; Denial of Service (DoS) Filtering - Alcatel-Lucent OmniSwitch AOS Release 7 Manual

Network configuration guide
IP-Directed Broadcasts

An IP directed broadcast is an IP datagram whose destination address has the host portion set to all
ones (or, in the obsolete form, all zeroes): the broadcast address of a subnet to which the sender is not
directly attached. Directed broadcasts are the amplifier in denial-of-service "smurf" attacks. In a smurf
attack, a continuous stream of ICMP echo requests carrying a forged source address (the victim's) is sent
to a directed broadcast address; every host on that subnet answers, and the aggregate stream of replies
overloads the host that owns the forged source address. By default, the switch drops directed broadcasts.
Typically, directed broadcasts should remain disabled.

Use the ip directed-broadcast command to enable or disable IP-directed broadcasts. For example:

-> ip directed-broadcast off

Use the show ip config command to display the IP-directed broadcast state.
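The following is an added example, not code from the OmniSwitch manual or from Alcatel-Lucent: a small model of the decision the switch makes when "ip directed-broadcast off" is in force. It classifies a destination address against a constructed set of attached subnets (the VLAN names, prefixes and host count are assumptions) and shows how many echo replies one spoofed ping would generate with the setting off versus on.

```python
import ipaddress

# Constructed topology (assumption, not from the manual): the subnets on which this
# switch has IP interfaces, keyed by a VLAN name used only for readability.
ATTACHED = {
    "vlan10": ipaddress.ip_network("10.1.0.0/24"),
    "vlan28": ipaddress.ip_network("172.28.0.0/16"),
}
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_destination(dst, ingress_vlan, attached=ATTACHED):
    """Classify a datagram's destination as the L3 switch sees it on arrival.

    'limited'  : 255.255.255.255, link-scoped, never routed
    'local'    : the broadcast address of the subnet the packet arrived on
    'directed' : the broadcast address (all-ones, or the obsolete all-zeros host
                 form the manual also counts) of an attached subnet the sender is
                 NOT on; this is the address a smurf attacker aims at
    'unicast'  : anything else
    """
    addr = ipaddress.ip_address(dst)
    ingress_net = attached[ingress_vlan]
    if addr == LIMITED_BROADCAST:
        return "limited"
    if addr == ingress_net.broadcast_address:
        return "local"
    for name, net in attached.items():
        if name != ingress_vlan and addr in (net.broadcast_address, net.network_address):
            return "directed"
    return "unicast"


def forward_decision(dst, ingress_vlan, directed_broadcast_enabled=False):
    """Mirror the switch policy: with directed broadcasts off (the default) a packet
    aimed at another attached subnet's broadcast address is dropped instead of being
    turned into a link-layer broadcast on that subnet."""
    kind = classify_destination(dst, ingress_vlan)
    if kind == "limited":
        return "drop"  # not routable in either setting
    if kind == "directed":
        return "forward" if directed_broadcast_enabled else "drop"
    return "forward"


def smurf_replies(dst, ingress_vlan, hosts_per_subnet, directed_broadcast_enabled=False):
    """Number of ICMP echo replies one spoofed echo request to `dst` produces toward
    the forged source address, assuming `hosts_per_subnet` hosts answer broadcasts."""
    if forward_decision(dst, ingress_vlan, directed_broadcast_enabled) == "drop":
        return 0
    kind = classify_destination(dst, ingress_vlan)
    return hosts_per_subnet if kind in ("directed", "local") else 1


if __name__ == "__main__":
    # A spoofed ping from vlan10 to the vlan28 broadcast address, with ~2000 hosts
    # on vlan28 (constructed figure): 0 replies with the default, 2000 if enabled.
    for enabled in (False, True):
        print("directed-broadcast", "on " if enabled else "off",
              "->", smurf_replies("172.28.255.255", "vlan10", 2000, enabled), "replies")
```

The model only looks at subnets the switch is attached to; that is where the amplification happens, because the last-hop router is the device that would translate the directed broadcast into a link-layer broadcast.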

Denial of Service (DoS) Filtering

By default, the switch filters denial of service (DoS) attacks, which are security attacks aimed at devices
that are reachable on a private network or the Internet. Some of these attacks exploit system bugs or
vulnerabilities (for example, teardrop attacks), while others generate large volumes of traffic so that
network service is denied to legitimate users (for example, pepsi attacks). The attacks the switch filters
include the following:

ICMP Ping of Death—Ping packets that, once reassembled, exceed the largest IP datagram size (65535
bytes) are sent to a host and can hang or crash the receiving system.

SYN Attack—Floods a system with a series of TCP SYN packets, causing the host to issue SYN-ACK
responses and hold the connections half open. The half-open TCP connections can exhaust TCP
resources, so that no further TCP connections are accepted.

Land Attack—Spoofed TCP SYN packets whose source address and port are set equal to the destination
address and port are sent to a host on any open, listening port. The machine can hang or reboot while
attempting to respond to itself.

Pepsi Attack—The most common form of UDP flooding directed at harming networks. A pepsi attack
consists of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. This
can cause the devices to spend a large amount of CPU time responding to these packets.

ARP Flood Attack—Floods a switch with a large number of ARP requests, causing the switch to spend a
large amount of CPU time responding to them. If the number of ARP requests exceeds the preset value
of 500 per second, an attack is detected.

Invalid IP Attack—Packets with invalid source or destination IP addresses are received by the switch.
When such an Invalid-IP attack is detected, the packets are dropped and SNMP traps are generated.
Examples of invalid source and destination IP addresses are listed below:

Invalid Source IP address
0.x.x.x
255.255.255.255
Subnet broadcast, e.g. 172.28.255.255 for an existing IP interface 172.28.0.0/16
Any address in the range 224.x.x.x - 255.255.255.254
Source IP address equal to one of the switch IP interface addresses

OmniSwitch AOS Release 7 Network Configuration Guide, March 2011, page 1123
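The following is an added example, not code from the OmniSwitch manual or from Alcatel-Lucent: the invalid-source rules from the table above, the Land and Ping of Death checks, and the 500-requests-per-second ARP threshold, implemented as a filter and run over a constructed packet list. The switch interface addresses, the packet records and the one-second windowing are assumptions made for the example; a real switch applies these checks in hardware and its exact ordering is not documented here.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed topology (assumption, not from the manual): the switch's own IP interfaces.
# Both the interface address and its subnet broadcast are impossible as source addresses.
SWITCH_INTERFACES = [ipaddress.ip_interface("172.28.0.1/16"),
                     ipaddress.ip_interface("10.1.0.1/24")]
ARP_RATE_THRESHOLD = 500   # ARP requests per second, the preset value the manual quotes
MAX_IP_DATAGRAM = 65535    # largest possible IP datagram, header included
IP_HEADER_LEN = 20         # minimal IPv4 header, assumed for the fragment arithmetic


def invalid_source(src):
    """Apply the manual's invalid-source rules; return a reason string or None."""
    a = ipaddress.ip_address(src)
    if a.packed[0] == 0:
        return "0.x.x.x"
    if a == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"
    if ipaddress.ip_address("224.0.0.0") <= a <= ipaddress.ip_address("255.255.255.254"):
        return "multicast/reserved range"
    for iface in SWITCH_INTERFACES:
        if a == iface.ip:
            return "switch interface address"
        if a == iface.network.broadcast_address:
            return "subnet broadcast of an attached interface"
    return None


def is_ping_of_death(pkt):
    """An ICMP fragment whose offset (8-byte units, as in the IP header) plus payload
    would reassemble into a datagram larger than 65535 bytes."""
    if pkt["proto"] != "icmp":
        return False
    end = IP_HEADER_LEN + pkt.get("frag_offset", 0) * 8 + pkt["payload_len"]
    return end > MAX_IP_DATAGRAM


def is_land(pkt):
    """TCP SYN whose source address/port equal its destination address/port."""
    return (pkt["proto"] == "tcp" and "S" in pkt["flags"]
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


class DosFilter:
    def __init__(self):
        self.arp_per_second = defaultdict(int)  # ARP requests seen per 1-second window
        self.traps = []                         # what the switch would raise as SNMP traps

    def inspect(self, pkt):
        """Return a drop reason for one packet, or None to forward it."""
        if pkt["proto"] == "arp":
            if pkt["op"] != "request":
                return None
            window = int(pkt["ts"])
            self.arp_per_second[window] += 1
            if self.arp_per_second[window] > ARP_RATE_THRESHOLD:
                if self.arp_per_second[window] == ARP_RATE_THRESHOLD + 1:
                    self.traps.append(("arp-flood", window))  # one trap per window
                return "arp-flood"
            return None
        reason = invalid_source(pkt["src"])
        if reason:
            self.traps.append(("invalid-ip", pkt["src"], reason))
            return "invalid-ip"
        if is_ping_of_death(pkt):
            return "ping-of-death"
        if is_land(pkt):
            return "land"
        return None


def filter_packets(packets):
    """Run the filter over a packet list; return per-packet verdicts, a summary, and traps."""
    f = DosFilter()
    verdicts = [f.inspect(p) for p in packets]
    return verdicts, Counter(v for v in verdicts if v), f.traps


# Constructed sample traffic (not captured data): one of each attack, one legitimate
# SYN, then 600 ARP requests inside a single second.
SAMPLE = [
    {"ts": 0.0, "proto": "icmp", "src": "192.0.2.10", "dst": "172.28.0.50",
     "frag_offset": 8189, "payload_len": 40},                       # ping of death
    {"ts": 0.1, "proto": "tcp", "src": "172.28.0.50", "dst": "172.28.0.50",
     "sport": 139, "dport": 139, "flags": "S"},                     # land
    {"ts": 0.2, "proto": "udp", "src": "0.1.2.3", "dst": "172.28.0.50",
     "sport": 7, "dport": 7},                                       # invalid source
    {"ts": 0.3, "proto": "udp", "src": "172.28.255.255", "dst": "172.28.0.50",
     "sport": 7, "dport": 19},                                      # invalid source
    {"ts": 0.4, "proto": "tcp", "src": "198.51.100.7", "dst": "172.28.0.50",
     "sport": 40000, "dport": 443, "flags": "S"},                   # legitimate
] + [{"ts": 5.0 + i / 1000, "proto": "arp", "op": "request",
      "sender": f"10.1.0.{i % 250 + 2}"} for i in range(600)]       # ARP flood

if __name__ == "__main__":
    verdicts, summary, traps = filter_packets(SAMPLE)
    print(dict(summary))
    for trap in traps:
        print("trap:", trap)
```

The ARP check counts only requests, because replies are what the switch itself sends in response and are not the load the threshold is protecting against; the first 500 requests in a window pass and the rest are dropped, with a single trap raised when the threshold is crossed.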