Background, Types of attack – Efficient Networks 5100 Series User Manual


SpeedStream Router User Guide

Packets with spoofed source addresses are commonly sent to smaller hosts, not with the intent of
bringing down those particular computers, but rather to take down a large host through a mechanism called
Distributed Denial of Service (DDoS). The forged source address is the real target: a huge number of
computers are induced to send replies or requests to it, and its services are rendered unavailable by the
traffic load.

The Attack Detection System generates one log entry per attack type per minute. A long-running attack
therefore produces a series of entries, one minute apart, and the span of those entries shows how long
the attack persisted.

Background

TCP/IP (Transmission Control Protocol/Internet Protocol) is the “language” that the computers making up the
Internet (called hosts) use to talk to each other. TCP and IP define two sets of tags (or headers) that are
added to user data before it is sent. An IP header contains a destination address and a source address that
tell every host along the delivery path where the data is supposed to go and where it came from, much like
the envelope of an inter-office memo. A TCP header is similar to the subject line on the memo: it contains
information (source and destination port numbers, sequence numbers and flags) that lets the recipient
quickly figure out what the data is and which application it belongs to once the IP “envelope” has been
removed. The combination of a block of data and its associated TCP and IP headers is referred to as a packet.

The part of a host that writes and reads the TCP and IP headers is called a network stack. Almost all
network stacks have flaws in them (some more than others!) because they do not tolerate improper or invalid
headers well. The results range from computer crashes to security breaches. Newer protocols address some
of these issues (IPsec, for example, can authenticate the IP header so a forged source address is detected),
but the current version of IP, IPv4, will be here to stay for some time, flaws and all. This is where the
SpeedStream Attack Detection System (ADS) comes in.

Types of Attack

The two most common attack types are unauthorized access and Denial of Service (DoS). Someone
guessing your login password is one example of unauthorized access; unfortunately, an external device
such as the SpeedStream router can do little to prevent that, other than perhaps enforcing a firewall rule that
limits which hosts may log in. The SpeedStream ADS can, however, block attempts by external (WAN)
hosts to “impersonate” a LAN host (by placing a LAN address in the source field of packets arriving from
the WAN) in order to reach weakly protected data services on other LAN-connected computers.

DoS attacks take several forms, but the basic intended effect is the same: to prevent a host from reaching
other hosts, or to prevent other hosts from reaching it. In effect, this kicks the host off the Internet. One
type of DoS attack simply sends more data to a host than its connection can carry. Little can be done about
this attack at the router, since the link is already saturated; it has to be blocked upstream by the Internet
service provider.

Another type of DoS attack attempts to crash the host by sending malformed data to its network stack. The
SpeedStream ADS, as described below, can filter several popular incarnations of this attack. One way in
which such bad data is created is by spoofing, that is, forging, the source address in the IP header. Normally,
when a host sends a packet to another host, it puts its own address in the IP header so the receiving host
knows where the packet came from; a spoofed packet carries an address that does not belong to its sender.
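The following Python script is an added example, not code from the manual or from the SpeedStream firmware. It ties together the three mechanisms described above: it reads the IP “envelope” and TCP “subject line” from raw packet bytes, flags a packet arriving on the WAN side whose source address claims to be a LAN host (the impersonation the ADS blocks) or whose headers are malformed, and writes at most one log entry per attack type per minute, so a sustained attack appears as a run of entries one minute apart. The LAN prefix, the interface labels `"wan"`/`"lan"`, the attack-type names and the sample traffic are all assumptions constructed for the example; the header layouts are the standard IPv4 and TCP ones.

```python
import struct
import ipaddress

# Assumed LAN prefix behind the router (not taken from the manual).
LAN_NET = ipaddress.ip_network("192.168.254.0/24")
LOG_INTERVAL = 60  # seconds: one entry per attack type per minute


def build_packet(src, dst, sport=40000, dport=80, flags=0x02, payload=b""):
    """Assemble a minimal IPv4 header followed by a TCP header (checksums
    left at zero).  Used only to construct sample traffic for this example."""
    total_len = 40 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                          8192, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Read the IP 'envelope' and, for TCP, the port numbers from the
    'subject line'.  Raises ValueError for headers a fragile stack might
    choke on (truncated, wrong version, inconsistent lengths)."""
    if len(raw) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(raw) < ihl:
        raise ValueError("bad header length")
    ports = None
    if proto == 6:  # TCP
        if len(raw) < ihl + 20:
            raise ValueError("truncated TCP header")
        ports = struct.unpack("!HH", raw[ihl:ihl + 4])  # (sport, dport)
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, ports


def classify(raw, ingress):
    """Return an attack-type name for a packet, or None if it passes.
    'ingress' is the assumed interface label: 'wan' or 'lan'."""
    try:
        src, _dst, _proto, _ports = parse_packet(raw)
    except ValueError:
        return "MALFORMED_HEADER"
    # A packet from the Internet side that claims a LAN source address is a
    # WAN host impersonating a LAN host; the source address must be spoofed.
    if ingress == "wan" and src in LAN_NET:
        return "WAN_SPOOFED_LAN_SOURCE"
    return None


class AttackLog:
    """Records at most one entry per attack type per LOG_INTERVAL seconds,
    so a long attack shows up as a series of entries one minute apart."""

    def __init__(self):
        self._last = {}
        self.entries = []  # (timestamp, attack type)

    def record(self, attack, now):
        last = self._last.get(attack)
        if last is not None and now - last < LOG_INTERVAL:
            return False  # same attack type within the minute: suppressed
        self._last[attack] = now
        self.entries.append((now, attack))
        return True


def run_sample():
    """Feed constructed traffic through the detector and return the log."""
    lan_host, wan_host, victim = "192.168.254.10", "203.0.113.7", "192.168.254.20"
    # Constructed (timestamp, ingress, raw bytes): about two minutes of SYNs
    # from the WAN with a forged LAN source, one legitimate WAN packet, one
    # truncated header, and one genuine LAN-originated packet.
    traffic = [(t, "wan", build_packet(lan_host, victim))
               for t in (0, 5, 30, 61, 119, 125)]
    traffic.append((10, "wan", build_packet(wan_host, victim)))
    traffic.append((70, "wan", build_packet(wan_host, victim)[:15]))
    traffic.append((75, "lan", build_packet(lan_host, wan_host)))
    log = AttackLog()
    for now, ingress, raw in sorted(traffic, key=lambda item: item[0]):
        attack = classify(raw, ingress)
        if attack:
            log.record(attack, now)
    return log.entries


if __name__ == "__main__":
    for ts, attack in run_sample():
        print(f"t={ts:>3}s  {attack}")
```

Only the first spoofed packet in each minute produces an entry; the packets at 5 s, 30 s and 119 s are suppressed, while those at 61 s and 125 s start new minute windows, which is exactly the pattern a reader of the ADS log would use to measure how long an attack lasted. A real implementation would also check that packets leaving the LAN carry a LAN source (egress filtering), so that the router's own LAN hosts cannot be used as DDoS reflectors.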

While most small users will never be on the receiving end of a direct DoS attack, a new twist to the DoS
does quite often take advantage of broadband-connected Internet hosts. Instead of attempting to generate
