Configuring packet inspection, Overview – H3C Technologies H3C SecPath F1000-E User Manual


Configuring packet inspection

The packet inspection configuration is available only in the Web interface.

Overview

A single-packet attack, also called a malformed packet attack, occurs when either of the following takes place:

- An attacker sends defective IP packets, such as overlapping IP fragments or packets with illegal TCP flags, to a target system, causing the target to malfunction or crash while processing them.
- An attacker sends large quantities of junk packets into the network, consuming its bandwidth.

With packet inspection configured, the firewall analyzes the characteristics of received packets to determine whether they are attack packets. Upon detecting an attack, the firewall logs the event and, when configured to do so, discards the attack packets.

The firewall supports detection of the following types of single-packet attacks.

Table 3 Types of single-packet attacks

Attack type | Description
Fraggle | A Fraggle attack occurs when an attacker sends large amounts of UDP echo requests (UDP port 7) or Chargen packets (UDP port 19), resulting in a large quantity of junk replies that finally exhaust the bandwidth of the target network.
Land | A Land attack occurs when an attacker sends a great number of TCP SYN packets whose source and destination IP addresses are both the IP address of the target, exhausting the victim's half-open connection resources and preventing the target from providing services correctly.
WinNuke | A WinNuke attacker sends out-of-band (OOB) data with overlapping pointer field values to the NetBIOS port (139) of a Windows system that has an established connection, introducing a NetBIOS fragment overlap and causing the system to crash.
TCP Flag | Some TCP flags are processed differently on different operating systems. A TCP flag attacker sends TCP packets with such flags to a target to probe its operating system. If the operating system cannot process such packets properly, the attacker crashes the host.
ICMP unreachable | Upon receiving an ICMP unreachable response, some systems conclude that the destination is unreachable and drop all subsequent packets destined for it. By sending ICMP unreachable packets, an ICMP unreachable attacker can cut off the connection between the target host and the network.
ICMP redirect | An ICMP redirect attacker sends ICMP redirect messages to a target to modify its routing table, interfering with the normal forwarding of IP packets.
Tracert | The Tracert program usually sends UDP packets with a large destination port number and an increasing TTL (starting from 1). The TTL of a packet is decreased by 1 each time the packet passes a router. Upon receiving a packet with a TTL of 0, a router must send an ICMP time exceeded message back to the packet's source IP address. A Tracert attacker uses the Tracert program to map the network topology.
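As an added example (not code from the H3C manual or the firewall), the following Python applies the single-packet signatures of Table 3 to constructed packet descriptors, logging every match and dropping matching packets the way the overview describes. The descriptor fields (proto, src, dst, dport, flags, ttl, icmp_type) and the Tracert thresholds are this example's own assumptions, not the firewall's schema.

```python
# Added example, not H3C code: applies the Table 3 single-packet signatures
# to constructed packet descriptors. The descriptor fields (proto, src, dst,
# dport, flags, ttl, icmp_type) are this example's assumption, not the
# firewall's schema; the Tracert thresholds below are assumptions as well.
from typing import Dict, List

TRACERT_PORT_MIN = 33434   # assumed meaning of "large destination port"
TRACERT_TTL_MAX = 5        # assumed: probes start at TTL 1 and count upward
def classify(pkt: Dict) -> List[str]:
    """Return the Table 3 attack types one packet matches (may be several)."""
    hits, proto, flags = [], pkt.get("proto"), set(pkt.get("flags", ()))
    if proto == "udp" and pkt.get("dport") in (7, 19):
        hits.append("Fraggle")            # UDP echo (7) or Chargen (19)
    if proto == "tcp" and "SYN" in flags and pkt.get("src") == pkt.get("dst"):
        hits.append("Land")               # source address equals destination
    if proto == "tcp" and pkt.get("dport") == 139 and "URG" in flags:
        hits.append("WinNuke")            # out-of-band data to NetBIOS port 139
    if proto == "tcp" and ({"SYN", "FIN"} <= flags or not flags):
        hits.append("TCP Flag")           # SYN+FIN or no flags is never valid
    if proto == "icmp" and pkt.get("icmp_type") == 3:
        hits.append("ICMP unreachable")   # type 3, destination unreachable
    if proto == "icmp" and pkt.get("icmp_type") == 5:
        hits.append("ICMP redirect")      # type 5, redirect
    if (proto == "udp" and pkt.get("dport", 0) >= TRACERT_PORT_MIN
            and pkt.get("ttl", 64) <= TRACERT_TTL_MAX):
        hits.append("Tracert")            # large UDP port with a low TTL
    return hits

def inspect(packets: List[Dict], drop: bool = True) -> Dict[str, list]:
    """Log every match and, when drop is set, withhold matching packets."""
    log, forwarded = [], []
    for pkt in packets:
        hits = classify(pkt)
        if hits:
            log.append((pkt.get("src"), hits))
        if not hits or not drop:
            forwarded.append(pkt)
    return {"log": log, "forwarded": forwarded}

# Constructed sample traffic for this example, not captured data.
SAMPLE = [
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.255", "dport": 7, "ttl": 64},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "10.0.0.9", "dport": 80, "flags": ("SYN",)},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.20", "dport": 139, "flags": ("URG", "ACK")},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.20", "dport": 22, "flags": ("SYN", "FIN")},
    {"proto": "icmp", "src": "10.0.0.3", "dst": "10.0.0.20", "icmp_type": 5},
    {"proto": "udp", "src": "10.0.0.4", "dst": "10.0.0.20", "dport": 33434, "ttl": 1},
    {"proto": "tcp", "src": "10.0.0.8", "dst": "10.0.0.20", "dport": 443, "flags": ("SYN",)},
]
```

Running inspect(SAMPLE) logs six matches and forwards only the ordinary SYN to port 443; with drop=False all seven packets are forwarded and the matches are only logged.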
