Smurf attack, Land attack, Smurf attack land attack – Allied Telesis AT-S63 User Manual

AT-S63 Management Software Menus Interface User’s Guide

Section IV: Security

661

SMURF Attack

This DoS attack is instigated by an attacker sending a ICMP Echo (Ping)
request containing a broadcast address as the destination address and
the address of the victim as the source of the ICMP Echo (Ping) request.
This overwhelms the victim with a large number of ICMP Echo (Ping)
replies from the other network nodes.

A switch port defends against this form of attack by examining the
destination addresses of ingress ICMP Echo (Ping) request packets and
discarding those that contain a broadcast address as a destination
address.

Implementing this defense requires that you provide an IP address of a
node on your network and a subnet mask. The switch uses the two to
determine the broadcast address of your network.

This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without having it negatively
impact switch performance.

Land Attack

In this attack, an attacker sends a bogus IP packet where the source and
destination IP addresses are the same. This leaves the victim thinking
that it is sending a message to itself.

The most direct approach for defending against this form of attack is for
the AT-S63 management software to check the source and destination
IP addresses in the IP packets, searching for and discarding those with
identical source and destination addresses. But this requires too much
processing by the switch’s CPU, and would adversely impact switch
performance.

Instead, the switch examines the IP packets that are entering or leaving
your network. IP packets generated within your network and containing
a local IP address as the destination address are not allowed to leave the
network, but IP packets generated outside the network but containing a
local IP address as the source address are not allowed into the network.

In order for this defense mechanism to work, you need to specify an
uplink port. This is the port on the switch that is connected to the device,
such as a DSL router, that leads outside your network. You can specify
only one uplink port.

The switch uses the uplink port to gauge whether packets generated
outside your network should be allowed to enter, and whether packets
generated within your network should be allowed to leave.

Note

If none of the ports on a switch are connected to a device that leads
outside your network, you should not use this defense mechanism.