Teardrop attack – Allied Telesis AT-S63 User Manual

Page 290

Advertising
background image

Chapter 15: Denial of Service Defense

290

Section II: Advanced Operations

happens when an ingress IP packet arrives on port 4:

1. When port 4 receives an ingress IP packet with a destination MAC

address learned on uplink port 1, it examines the packet’s destination
IP addresses before forwarding the packet.

2. If the destination IP address is local to the network, port 4 does not

forward the packet to uplink port 1 because the port assumes that
there is no reason for the packet to leave the network. Instead, it
discards the packet.

3. If the destination IP address is not local to the network, port 4 forwards

the packet to uplink port 1.

Below is a review of how the process takes place when an ingress IP
packet arrives on uplink port 1 that is destined for port 4:

1. Whenever uplink port 1 receives an ingress IP packet with a

destination MAC address that was learned on port 4, it examines the
packet’s source IP address before forwarding the packet.

2. If the source IP address is local to the network, uplink port 1 does not

forward the packet to port 4 because it assumes that a packet with a
source IP address that is local to the network should not be entering
the network from outside the network.

3. If the source IP address is not local to the network, port 1 forwards the

packet to port 4.

Following are some guidelines for using this defense:

ˆ

If you choose to use it, Allied Telesyn recommends activating it on all
ports on the switch, including the uplink port.

ˆ

You can specify only one uplink port.

This form of defense is not CPU intensive. Activating it on all ports should
not affect switch behavior.

Teardrop Attack

An attacker sends an IP packet in several fragments with a bogus offset
value, used to reconstruct the packet, in one of the fragments to a victim.
The victim is unable to reassemble the packet, possibly causing it to
freeze operations.

The defense mechanism for this type of attack has all ingress IP traffic
received on a port sent to the switch’s CPU. The CPU samples related,
consecutive fragments, checking for fragments with invalid offset values.

If one is found, the following occurs:

ˆ

The switch sends an SNMP trap to the management stations.

Advertising
Popular Brands
Popular manuals