Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


Brocade Mobility RFS Controller System Reference Guide, 53-1003099-01, Chapter 10, page 569

Denial of Service Attacks Table

Refer to the following for a summary of each Denial of Service attack the firewall can filter.

Ascend

The Ascend DoS attacks are a series of attacks that target known vulnerabilities in various versions of
Ascend routers.

Broadcast/Multicast ICMP

Broadcast or Multicast ICMP DoS attacks take advantage of how hosts respond to ICMP echo requests sent
to a broadcast or multicast address. The attacker spoofs the source address of the target and sends ICMP
echo requests to the broadcast or multicast address of the rest of the network, so that every host that
answers floods the target machine with echo replies.

Chargen

The Chargen attack connects to the character generator service (chargen, TCP or UDP port 19) and directs
the endless stream of characters it produces at the DNS service on port 53 to disrupt DNS. In the UDP form
a single datagram with a spoofed source address is enough: because both services answer every datagram
they receive, the two hosts keep exchanging traffic until one of them is taken offline.

Fraggle

The Fraggle DoS attack sends UDP packets with the target's spoofed source address to the echo port
(UDP port 7) of each address on a list of broadcast addresses. Every host that has port 7 open answers the
request, generating a large amount of traffic towards the target. Hosts that do not have port 7 open send
an ICMP port unreachable message to the spoofed source (the target) instead, clogging the network with
still more traffic.

FTP Bounce

The FTP Bounce DoS attack abuses the FTP "PORT" command, which lets a client ask the server to open a
data connection to an arbitrary address and port, to scan ports on a target machine with the FTP server
acting as the machine in the middle.

Invalid Protocol

Attackers may exploit a vulnerability in an endpoint's protocol implementation by sending packets with
invalid protocol fields, or may take advantage of the endpoint software misinterpreting such fields. This
can lead to inadvertent leakage of sensitive network topology information, call hijacking, or a DoS attack.

TCP IP TTL Zero

The TCP IP TTL Zero DoS attack sends spoofed multicast packets onto the network which have a Time To
Live (TTL) of 0. This causes packets to loop back to the spoofed originating machine, and can cause the
network to overload. A datagram whose TTL reaches 0 must be discarded rather than forwarded (RFC 791),
so any packet that arrives carrying TTL 0 is malformed and can be dropped safely.

IP Spoof

IP Spoof is a category of DoS attack that sends IP packets with forged source addresses. This can hide
the identity of the attacker and lets the attacker direct the replies of other hosts at a victim. The check
relies on the source address being plausible for the interface the packet arrived on, for example dropping
packets that arrive from outside the network but carry an inside source address.

LAND

The LAND DoS attack sends spoofed TCP SYN packets to the target in which the source IP address and
port are identical to the destination IP address and port. This will either crash the target system or
result in high resource utilization slowing down all other processes.

Option Route

Enables the IP Option Route denial of service check in the firewall, which drops packets carrying routing
options in the IP header (such as loose and strict source routing), since these let the sender dictate the
path a packet takes and bypass normal routing.

Router Advertisement

In this attack, the attacker sends forged ICMP Router Advertisement messages (ICMP type 9) to redirect
the network router function to some other host. If that host cannot provide router services, a DoS of
network communications occurs as routing stops. This can also be modified to single out a specific
system, so that only that system is subject to attack (because only that system sees the 'false' router).
By providing router services from a compromised host, the attacker can also place themselves in a
man-in-the-middle situation and take control of any open channel at will (as mentioned earlier, this is
often used with TCP packet forgery and spoofing to intercept and change open Telnet sessions).

Router Solicit

The ICMP Router Solicitation scan is used to actively find routers on a network. An attacker could, of
course, set up a protocol analyzer to detect routers as they broadcast routing information on the network.
In some instances, however, routers may not send updates. For example, if the local network does not
have other routers, the router may be configured to not send routing information packets onto the local
network. ICMP offers a method for router discovery (RFC 1256). Clients send ICMP router solicitation
messages to the all-routers multicast address (224.0.0.2) or to the broadcast address, and routers that
implement router discovery respond with a router advertisement.
By sending ICMP router solicitation packets (ICMP type 10) on the network and listening for ICMP router
advertisement replies (ICMP type 9), attackers can build a list of all of the routers that exist on a network
segment. Attackers often use this scan to locate routers that do not reply to ICMP echo requests.

Smurf

The Smurf DoS attack sends ICMP echo requests carrying the target's spoofed source address to a list of
broadcast addresses in a row, and then repeats the requests. Every host on those networks replies to the
target, flooding both the target and the network.

Snork

The Snork DoS attack uses UDP packet broadcasts to consume network and system resources.

TCP Bad Sequence

Enables a TCP Bad Sequence denial of service check in the firewall, which drops TCP segments whose
sequence numbers fall outside the window the firewall tracks for the connection they claim to belong to.
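The entries above say what each check looks for but not how a filter recognises it on the wire. The following is an added example, not Brocade code: it parses raw IPv4 headers and flags the LAND, Smurf, Fraggle, Chargen, TTL Zero, Option Route, IP Spoof, Router Advertisement and Router Solicit patterns described in this table. The inside network 192.0.2.0/24, its directed broadcast address, the list of hosts allowed to send router advertisements and the set of reflecting UDP ports are assumptions; the sample packets are constructed inline.

```python
"""Classify IPv4 packets against the DoS signatures in the table above.
Added example (not Brocade code). Networks, addresses and port sets are assumed."""
import ipaddress
import struct

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed inside network
BROADCAST = ipaddress.ip_address("192.0.2.255")       # its directed broadcast address
KNOWN_ROUTERS = {ipaddress.ip_address("192.0.2.1")}   # hosts allowed to send advertisements
REFLECTOR_PORTS = {7, 19, 53}                         # echo, chargen, DNS (assumed set)
IP_OPT_RR, IP_OPT_LSRR, IP_OPT_SSRR = 0x07, 0x83, 0x89  # record / loose / strict source route
TCP_SYN = 0x02


def build_ipv4(src, dst, proto, payload, ttl=64, options=b""):
    """Build a raw IPv4 packet. The checksum is left zero; it is not inspected here."""
    options += b"\x00" * (-len(options) % 4)           # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                         0, 0, ttl, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + options + payload


def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def icmp(icmp_type):
    return struct.pack("!BBH", icmp_type, 0, 0) + b"\x00" * 4


def route_options(options):
    """Walk the IP option list and return the option types it carries."""
    types, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # no-op is a single byte
            i += 1
            continue
        types.append(kind)
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                     # malformed length: stop instead of looping forever
        i += options[i + 1]
    return types


def classify(raw, ingress_external=False):
    """Return the names of the signatures a packet matches (empty list if none)."""
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    options, payload = raw[20:ihl], raw[ihl:]
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    if ttl == 0:                                        # TTL Zero: never valid on arrival
        hits.append("ttl-zero")
    if set(route_options(options)) & {IP_OPT_RR, IP_OPT_LSRR, IP_OPT_SSRR}:
        hits.append("option-route")                     # Option Route
    if ingress_external and src in INTERNAL_NET:        # IP Spoof: inside address from outside
        hits.append("ip-spoof")
    if proto == 6 and len(payload) >= 14:
        sport, dport = struct.unpack("!HH", payload[:4])
        if payload[13] & TCP_SYN and src == dst and sport == dport:
            hits.append("land")                         # LAND
    elif proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if dport == 7 and dst == BROADCAST:
            hits.append("fraggle")                      # Fraggle: UDP echo to broadcast
        if 19 in (sport, dport) and {sport, dport} <= REFLECTOR_PORTS:
            hits.append("chargen")                      # Chargen: two reflecting services
    elif proto == 1 and len(payload) >= 1:
        icmp_type = payload[0]
        if icmp_type == 8 and dst == BROADCAST:
            hits.append("smurf")                        # Smurf: echo request to broadcast
        if icmp_type == 9 and src not in KNOWN_ROUTERS:
            hits.append("router-advertisement")         # forged advertisement
        if icmp_type == 10:
            hits.append("router-solicit")               # router discovery scan
    return hits


def samples():
    """Constructed packets, one per signature, plus a benign SYN."""
    victim, bcast, outside = "192.0.2.10", "192.0.2.255", "198.51.100.5"
    lsrr = bytes([IP_OPT_LSRR, 7, 4]) + ipaddress.ip_address("203.0.113.9").packed
    return {
        "land": build_ipv4(victim, victim, 6, tcp(80, 80, TCP_SYN)),
        "smurf": build_ipv4(victim, bcast, 1, icmp(8)),
        "fraggle": build_ipv4(victim, bcast, 17, udp(1024, 7)),
        "chargen": build_ipv4(outside, victim, 17, udp(19, 53)),
        "ttl-zero": build_ipv4(outside, victim, 6, tcp(40000, 443, TCP_SYN), ttl=0),
        "option-route": build_ipv4(outside, victim, 6, tcp(40000, 443, TCP_SYN), options=lsrr),
        "router-advertisement": build_ipv4("192.0.2.99", victim, 1, icmp(9)),
        "router-solicit": build_ipv4(outside, bcast, 1, icmp(10)),
        "benign": build_ipv4(outside, victim, 6, tcp(40000, 443, TCP_SYN)),
    }


if __name__ == "__main__":
    for name, raw in samples().items():
        print(f"{name:22s} -> {classify(raw, ingress_external=True) or ['clean']}")
```

Two of the entries only make sense with context the header alone does not carry: the IP Spoof check needs to know which interface the packet arrived on (the `ingress_external` flag here), and the Router Advertisement check needs a list of hosts that are legitimately routers, since the ICMP message itself is well formed. The Smurf sample run with `ingress_external=True` matches both the Smurf and the IP Spoof signature, which is exactly what a spoofed victim address arriving from outside should look like.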
