
AT-S63 Management Software Menus Interface User’s Guide

Section II: Advanced Operations

375

Teardrop Attack

An attacker sends the victim an IP packet in several fragments, one of
which carries a bogus offset value (the field used to reconstruct the
packet). The victim is unable to reassemble the packet, possibly causing it
to freeze operations.

With this defense enabled, all ingress fragmented IP traffic received on a
port is sent to the switch’s CPU. The CPU samples related, consecutive
fragments, checking for fragments with invalid offset values.

If one is found, the following occurs:

• The switch sends an SNMP trap to the management stations.

• The switch port is blocked for one minute.

Because the CPU only samples the ingress IP traffic, this defense
mechanism may catch some, though not necessarily all, occurrences of
this form of attack.

Caution

This defense is extremely CPU intensive; use with caution.
Unrestricted use can cause a switch to halt operations if the CPU
becomes overwhelmed with IP traffic. To prevent this, Allied Telesyn
recommends activating this defense on only the uplink port and one
other switch port at a time.

Ping of Death Attack

The attacker sends an oversized, fragmented ICMP Echo (Ping) request
(greater than 65,535 bits) to the victim, which, if lacking a policy for
handling oversized packets, may freeze.

To defend against this form of attack, a switch port searches for the last
fragment of a fragmented ICMP Echo (Ping) request and examines its
offset to determine if the packet size is greater than 63,488 bits. If it is, the
fragment is forwarded to the switch’s CPU for final packet size
determination. If the switch determines that the packet is oversized, the
following occurs:

• The switch sends an SNMP trap to the management stations.

• The switch port is blocked for one minute.

Note

This defense mechanism requires some involvement by the switch’s
CPU, though not as much as the Teardrop defense. This does not
impact the forwarding of traffic between the switch ports, but it can
affect the handling of CPU events, such as the processing of IGMP
packets and spanning tree BPDUs. For this reason, Allied Telesyn
recommends limiting the use of this defense, activating it only on
those ports where an attack is most likely to originate.
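The two checks described above (invalid fragment offsets for Teardrop, and the reassembled size derived from the last fragment for Ping of Death), as an added illustration that is not part of the manual or the AT-S63 software. The fragment records and the treatment of the two size thresholds as byte counts are assumptions of this example.

```python
from dataclasses import dataclass

# Thresholds quoted in the manual, treated here as byte counts (an assumption
# of this example; the manual states them in bits).
IP_MAX_LEN = 65535       # largest legal IPv4 datagram
POD_PRECHECK = 63488     # a last fragment above this is escalated to the CPU

@dataclass
class Fragment:
    ident: int     # IP identification field: groups fragments of one datagram
    offset: int    # fragment offset in 8-byte units, as carried in the header
    length: int    # payload bytes carried by this fragment
    more: bool     # MF flag: True on every fragment except the last

def teardrop_check(frags) -> bool:
    """True if any datagram has a fragment whose offset lands inside the
    fragment placed before it (the bogus-offset pattern the CPU samples for)."""
    groups = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)
    for parts in groups.values():
        end = 0
        for f in sorted(parts, key=lambda x: x.offset):
            start = f.offset * 8
            if start < end:          # overlaps data already placed: invalid
                return True
            end = start + f.length
    return False

def ping_of_death_check(last: Fragment) -> str:
    """Port-level test on the last fragment: reassembled size is offset*8 +
    length. Returns 'forward', 'cpu-check' (escalated but legal) or 'oversized'."""
    if last.more:
        raise ValueError("not the last fragment (MF flag set)")
    total = last.offset * 8 + last.length
    if total <= POD_PRECHECK:
        return "forward"
    return "oversized" if total > IP_MAX_LEN else "cpu-check"

# Constructed sample fragments (not captured traffic)
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 185, 520, False)]   # 185*8 = 1480
TEARDROP = [Fragment(2, 0, 36, True), Fragment(2, 3, 4, False)]       # 3*8 = 24 < 36
POD_LAST = Fragment(3, 8189, 1480, False)   # 65512 + 1480 = 66992 bytes
BIG_LEGAL = Fragment(4, 8000, 1000, False)  # 65000: escalated, but legal
```

A confirmed hit on either check corresponds to the two actions the manual lists: an SNMP trap to the management stations and a one-minute block of the ingress port.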
