Ping of death attack, Ip options attack, Ping of death attack ip options attack – Allied Telesis AT-S63 User Manual

AT-S63 Management Software Menus Interface User’s Guide

Section II: Advanced Operations

291

ˆ

The switch port discards the fragment with the invalid offset and, for a
one minute period, discards all ingress fragmented IP traffic.

Because the CPU only samples the ingress IP traffic, this defense
mechanism may catch some, though not necessarily all, of this form of
attack.

Caution

This defense is extremely CPU intensive; use with caution.
Unrestricted use can cause a switch to halt operations if the CPU
becomes overwhelmed with IP traffic. To prevent this, Allied Telesyn
recommends activating this defense on only the uplink port and one
other switch port at a time.

Ping of Death

Attack

The attacker sends an oversized, fragmented ICMP Echo (Ping) request
(greater than 65,535 bits) to the victim, which, if lacking a policy for
handling oversized packets, may freeze.

To defend against this form of attack, a switch port searches for the last
fragment of a fragmented ICMP Echo (Ping) request and examines its
offset to determine if the packet size is greater than 63,488 bits. If it is, the
fragment is forwarded to the switch’s CPU for final packet size
determination. If the switch determines that the packet is oversized, the
following occurs:

ˆ

The switch sends an SNMP trap to the management stations.

ˆ

The switch port discards the fragment and, for one minute, discards all
fragmented ingress ICMP Echo (Ping) requests.

Note

This defense mechanism requires some involvement by the switch’s
CPU, though not as much as the Teardrop defense. This does not
impact the forwarding of traffic between the switch ports, but it can
affect the handling of CPU events, such as the processing of IGMP
packets and spanning tree BPDUs. For this reason, Allied Telesyn
recommends limiting the use of this defense, activating it only on
those ports where an attack is most likely to originate.

Also note that an attacker can circumvent the defense by sending a
stream of ICMP Echo (Ping) requests with a size of 63,488 to 65,534 bits.
A large number of requests could overwhelm the switch’s CPU.

IP Options

Attack

In the basic scenario of an IP attack, an attacker sends packets containing
bad IP options. There are several types of IP option attacks and the
AT-S63 management software does not distinguish between them.

Rather, the defense mechanism counts the number of ingress IP packets