Teardrop attack – Allied Telesis AT-S63 User Manual

Page 662

Advertising
background image

Chapter 31: Denial of Service Defense

662

Section IV: Security

Following is a simplified overview of how the process takes place. This
example assumes that you have activated the feature on port 4 and that
you have specified port 1 as the uplink port. The steps below review
what happens when an ingress IP packet arrives on port 4:

1. When port 4 receives an ingress IP packet with a destination MAC

address learned on uplink port 1, it examines the packet’s destination
IP addresses before forwarding the packet.

2. If the destination IP address is local to the network, port 4 does not

forward the packet to uplink port 1 because the port assumes that
there is no reason for the packet to leave the network. Instead, it
discards the packet.

3. If the destination IP address is not local to the network, port 4

forwards the packet to uplink port 1.

Below is a review of how the process takes place when an ingress IP
packet arrives on uplink port 1 that is destined for port 4:

1. Whenever uplink port 1 receives an ingress IP packet with a

destination MAC address that was learned on port 4, it examines the
packet’s source IP address before forwarding the packet.

2. If the source IP address is local to the network, uplink port 1 does not

forward the packet to port 4 because it assumes that a packet with a
source IP address that is local to the network should not be entering
the network from outside the network.

3. If the source IP address is not local to the network, port 1 forwards the

packet to port 4.

Following are some guidelines for using this defense:

❑ If you choose to use it, Allied Telesyn recommends activating it on

all ports on the switch, including the uplink port.

❑ You can specify only one uplink port.

This form of defense is not CPU intensive. Activating it on all ports
should not affect switch behavior.

Teardrop Attack

An attacker sends an IP packet in several fragments with a bogus offset
value, used to reconstruct the packet, in one of the fragments to a victim.
The victim is unable to reassemble the packet, possibly causing it to
freeze operations.

The defense mechanism for this type of attack has all ingress IP traffic
received on a port sent to the switch’s CPU. The CPU samples related,
consecutive fragments, checking for fragments with invalid offset
values.

Advertising
Popular Brands
Popular manuals