Allied Telesis AT-S63 User Manual: IP Options Attack, Mirroring Traffic

Chapter 17: Denial of Service Defense

Section II: Advanced Operations

Also note that an attacker can circumvent the defense by sending a
stream of ICMP Echo (Ping) requests with a size of 63,488 to 65,534 bits.
A large number of requests could overwhelm the switch’s CPU.

IP Options Attack

In the basic scenario of an IP options attack, an attacker sends packets
containing bad IP options. There are several types of IP option attacks and
the AT-S63 management software does not distinguish between them.

Rather, the defense mechanism counts the number of ingress IP packets
containing IP options received on a port. If the number exceeds 20
packets per second, the switch considers this a possible IP options attack
and the following occurs:

• It sends an SNMP trap to the management stations.

• The switch port is blocked for one minute.

This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without it impacting switch
performance.

Note

This defense does not actually check IP packets for bad IP options,
and so can only alert you to a possible attack.

Mirroring Traffic

The Land, Teardrop, Ping of Death, and IP Options defense mechanisms
allow you to copy the examined traffic to a mirror port for further analysis
with a data sniffer or analyzer. This feature differs slightly from port
mirroring in that prior to an actual violation of a defense mechanism, only
the packets examined by a defense mechanism, rather than all packets,
are mirrored to the destination port. Should a violation occur, then all
ingress packets on the port where the violation occurred are mirrored.

As an example, activating the mirroring feature in conjunction with the
Teardrop defense on a port sends all examined ingress fragmented IP
traffic to the destination mirror port. If the switch detects a violation, all
ingress packets on the port are copied to the mirror port during the 60
seconds that the port is blocked.
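To make the counting and mirroring rules concrete, here is an added Python model (not Allied Telesis code) of the IP options defense described above: the 20 packets-per-second threshold, the SNMP trap, the one-minute block, and the switch from mirroring only examined packets to mirroring all ingress on the blocked port. The whole-second counting bucket, the header builder and the record-route option used as sample input are assumptions made for the demonstration.

```python
from collections import defaultdict

THRESHOLD_PPS = 20   # from the page: more than 20 option-bearing packets per second
BLOCK_SECONDS = 60   # from the page: the offending port is blocked for one minute


def has_ip_options(frame: bytes) -> bool:
    """An IPv4 header carries options when its IHL (low nibble of byte 0) exceeds 5 words."""
    return len(frame) >= 20 and frame[0] >> 4 == 4 and (frame[0] & 0x0F) > 5


def ipv4_header(options: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (other fields zeroed); options padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    return bytes([0x40 | (5 + len(options) // 4)]) + b"\x00" * 19 + options


class IpOptionsDefense:
    """Per-port model of the defense; assumption: whole-second counting buckets."""

    def __init__(self, mirror_enabled: bool = False):
        self.mirror_enabled = mirror_enabled
        self.counts = defaultdict(int)   # (port, second) -> option packets seen
        self.blocked_until = {}          # port -> time at which the block expires
        self.traps = []                  # (time, port) SNMP traps that would be sent
        self.mirrored = []               # (time, port, frame) copied to the mirror port

    def ingress(self, t: float, port: int, frame: bytes) -> str:
        if t < self.blocked_until.get(port, 0.0):
            # Blocked port: nothing is forwarded, but every ingress packet is mirrored.
            if self.mirror_enabled:
                self.mirrored.append((t, port, frame))
            return "dropped"
        if not has_ip_options(frame):
            return "forwarded"          # not examined, so not mirrored before a violation
        if self.mirror_enabled:
            self.mirrored.append((t, port, frame))   # only examined packets pre-violation
        key = (port, int(t))
        self.counts[key] += 1
        if self.counts[key] > THRESHOLD_PPS:
            self.traps.append((t, port))            # one trap per violation
            self.blocked_until[port] = t + BLOCK_SECONDS
            return "blocked"
        return "forwarded"
```

Feeding 21 option-bearing packets within one second to a port triggers the trap and the block; a clean packet on that port is then dropped but still mirrored, while a clean packet on another port is forwarded untouched.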

Implementing this feature requires configuring the port mirroring feature as
follows:

• Activate port mirroring.

• Specify a destination port.

• Do not specify any source ports. The source ports are defined by the
Denial of Service defense mechanism.

For instructions, refer to “Creating a Port Mirror” on page 187.