Efficient Networks SpeedStream 5100 Series User Manual

Page 42


SpeedStream Router User Guide

34

viruses can turn a host into a remote-controlled “zombie,” although some attacks can simply use a host’s
network stack to do the job if it is too trusting. The SpeedStream ADS monitors this behavior.

ADS Configuration Options

The SpeedStream Attack Detection System filters (i.e., discards) and/or logs the following attack attempts
from the WAN:

Same Source and Destination Address (a.k.a. Land Attack):

This packet has a spoofed source IP address set to be the same as the destination host and can result in
the DoS or crash of the local host. When the receiving host tries to respond to the source address in
the packet, it ends up just sending it back to itself. This packet could ping-pong back and forth over
200 times (consuming CPU resources) before being discarded.

Broadcast Source Address (a.k.a. Smurf or Fraggle Attack):

This packet has a spoofed source IP address set to a “broadcast” address. Most hosts only accept
packets destined for their own IP address, but there are a couple of special IP addresses called broadcast
addresses that hosts will also accept in addition to their own. A broadcast address is invalid as a
packet’s source address, however, because a packet has to come from a single host. If a network stack does
respond to a packet with a broadcast source address, the response will be sent to the broadcast address
on which all of the hosts on the subnet are listening. All of the hosts that received the broadcast would
then respond back to the host, flooding it with data and possibly making it inaccessible to other users.

LAN Source Address On WAN:

This packet has a spoofed source address set to be a typical trusted LAN address. One method of
separating a LAN from a WAN is through the use of NAPT. This allows the LAN to use IP addresses
that are normally not accessible by WAN hosts and, therefore, helps shield the LAN from WAN
attacks. A packet with a LAN source address coming from the WAN is attempting to masquerade as a
LAN packet so that it might be trusted by a LAN host and received.

Invalid IP Packet Fragment (a.k.a. Ping of Death):

IP packets can be fairly large in size. If a link between two hosts transporting a packet can only
handle smaller packets, the large packet may be split (or fragmented) into smaller ones. When the
packet fragments get to the destination host, they must be reassembled into the original large packet
like pieces of a puzzle. If each stage of reassembly is not carefully checked by the receiving host’s
network stack, a specially crafted invalid fragment can cause the host to crash.

TCP NULL Flags:

The TCP header contains a set of “flags” that indicate information about the packet which is used by the
receiving host to process it. At least one TCP flag must be set, but in a TCP NULL flags packet none
are. This packet can cause some hosts to crash.

TCP FIN Flag:

The TCP FIN flag should never appear in a packet by itself. This packet can cause some hosts to
crash.

TCP Xmas Flags:

The TCP Xmas flag configuration is an invalid combination of the FIN, URG and PUSH flags. This
packet can cause some hosts to crash.
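To make the rules above concrete, the following is an added example written for this page, not SpeedStream firmware or any vendor code. It builds a handful of constructed IPv4/TCP packets on the wire format and runs a small classifier over them that applies each ADS rule in turn: same source and destination (Land), broadcast source (Smurf/Fraggle), a LAN source address arriving from the WAN, an invalid fragment (reassembled size over 65535 bytes, or a non-final fragment that is not a multiple of 8 bytes), and the TCP NULL, FIN-only and Xmas flag combinations. The LAN prefix 192.168.254.0/24, the documentation addresses 203.0.113.5 and 198.51.100.7, and the rule names are assumptions chosen for the example.

```python
"""Added illustration of the SpeedStream ADS rules; not the router's own code.
The LAN prefix, addresses and sample packets below are constructed for the example."""
import ipaddress
import struct
from typing import List

LAN_NET = ipaddress.ip_network("192.168.254.0/24")        # assumed private LAN prefix
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
MAX_IP_DATAGRAM = 65535                                   # largest reassembled IPv4 datagram

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = 0x3F                                          # the six classic TCP flag bits


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               frag_offset: int = 0, more_fragments: bool = False) -> bytes:
    """Build a 20-byte IPv4 header (no options) plus payload. frag_offset is in 8-byte units."""
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Minimal 20-byte TCP header; the checksum stays zero because no ADS rule reads it."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags & FLAG_MASK, 8192, 0, 0)


def classify(pkt: bytes, lan_net=LAN_NET) -> List[str]:
    """Return the ADS rules a WAN-side packet trips, in rule order (empty list = pass)."""
    hits: List[str] = []
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["malformed-ip"]
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto,
     _csum, src_raw, dst_raw) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return ["malformed-ip"]
    src, dst = ipaddress.ip_address(src_raw), ipaddress.ip_address(dst_raw)
    more_frags = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    payload_len = total_len - ihl

    if src == dst:                                        # Land attack
        hits.append("land")
    if src == LIMITED_BROADCAST or src == lan_net.broadcast_address:   # Smurf / Fraggle
        hits.append("broadcast-source")
    if src in lan_net:                                    # LAN source address on WAN
        hits.append("lan-source-on-wan")
    # Fragment sanity: the reassembled datagram may not exceed 65535 bytes (Ping of Death),
    # and every non-final fragment must carry a multiple of 8 bytes.
    if frag_offset + payload_len > MAX_IP_DATAGRAM or (more_frags and payload_len % 8):
        hits.append("invalid-fragment")
    # TCP flag rules apply only to the first fragment, which is where the TCP header lives.
    if proto == 6 and frag_offset == 0 and payload_len >= 20:
        flags = pkt[ihl + 13] & FLAG_MASK
        if flags == 0:
            hits.append("tcp-null")
        elif flags == FIN:
            hits.append("tcp-fin-only")
        elif flags == FIN | PSH | URG:
            hits.append("tcp-xmas")
    return hits


# Constructed sample traffic (documentation addresses; nothing here was captured).
VICTIM, WAN_HOST = "203.0.113.5", "198.51.100.7"
SAMPLES = {
    "land": build_ipv4(VICTIM, VICTIM, 6, build_tcp(SYN)),
    "smurf": build_ipv4("255.255.255.255", VICTIM, 1, b"\x08\x00" + b"\x00" * 6),
    "lan-spoof": build_ipv4("192.168.254.10", VICTIM, 6, build_tcp(SYN)),
    "ping-of-death": build_ipv4(WAN_HOST, VICTIM, 1, b"\x00" * 40, frag_offset=8189),
    "null": build_ipv4(WAN_HOST, VICTIM, 6, build_tcp(0)),
    "fin": build_ipv4(WAN_HOST, VICTIM, 6, build_tcp(FIN)),
    "xmas": build_ipv4(WAN_HOST, VICTIM, 6, build_tcp(FIN | PSH | URG)),
    "normal-syn": build_ipv4(WAN_HOST, VICTIM, 6, build_tcp(SYN)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        hits = classify(pkt)
        print(f"{name:14s} -> {'PASS' if not hits else 'DROP/LOG ' + ','.join(hits)}")
```

The ping-of-death sample is a single fragment at offset 8189 × 8 = 65512 carrying 40 bytes, so the claimed reassembled size is 65552 bytes; the classifier rejects it from the header alone without ever buffering fragments, which is the cheap check a router in the path can do. A FIN that is accompanied by ACK is a normal connection close and passes, which is why the FIN rule tests for FIN alone rather than for FIN being present.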
