Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Principles

This section describes how attack defense is implemented.

Defense Against Malformed Packet Attacks

A malformed packet attack sends malformed IP packets to the system; the system may crash while processing them. Defense against malformed packet attacks lets the device detect malformed packets in real time and discard them to protect itself.

Malformed packet attacks are classified into the following types.

Flood Attacks From IP Null Payload Packets

An IP packet that consists of a 20-byte IP header and nothing else is an IP null payload packet. An attacker constructs IP packets that carry the IP header only and no upper-layer data; when the device processes them, errors may occur or the device may crash.

After defense against malformed packet attacks is enabled, the device directly discards the received IP packets without payloads.

Attacks from IGMP Null Payload Packets

An IGMP packet consists of a 20-byte IP header and an 8-byte IGMP body, so the device treats IGMP packets shorter than 28 bytes as IGMP null payload packets. When the device processes IGMP null payload packets, errors may occur or the device may crash.

After defense against malformed packet attacks is enabled, the device directly discards the received IGMP null payload packets.

LAND Attacks

A LAND attack exploits the TCP three-way handshake: the attacker sends SYN packets whose source address and port are identical to the destination address and port, both set to the target. On receiving such a SYN packet, the target host creates an empty TCP connection whose source and destination addresses are both its own address and keeps it until it times out. Many such connections waste resources or crash the device.

After defense against malformed packet attacks is enabled, the device checks source and destination addresses in TCP SYN packets to prevent LAND attacks. The device considers TCP SYN packets with the same source and destination addresses as malformed packets and discards them.

Smurf Attack

An attacker sends ICMP Echo Request packets whose source address is the target host's address and whose destination address is the broadcast address of the target network. Every host on the target network that receives the request sends an ICMP Echo Reply to the target host. The target host is swamped by the replies and exhausts its resources, causing a device crash or network congestion.

After defense against malformed packet attacks is enabled, the device checks whether the destination address of each ICMP Echo Request packet is the limited broadcast address or a subnet broadcast address. Echo Request packets addressed to either are discarded.

Attacks from Packets with Invalid TCP Flag Bits

A TCP packet carries six flag bits: URG, ACK, PSH, RST, SYN, and FIN. Different systems respond differently to combinations of these flags, which attackers exploit to probe or crash hosts.

  • If all six flag bits are 1, the packet is a Christmas tree (Xmas) packet. A Christmas tree attack may crash the device.

  • If both SYN and FIN are 1, a closed port replies with RST|ACK while an open port replies with SYN|ACK. This is used to learn whether a host is online and whether a port is open.

  • If all six flag bits are 0 (a null packet):

    • A closed port replies with RST|ACK, which reveals whether the host is online.
    • For an open port, Linux and UNIX systems do not respond, whereas Windows replies with RST|ACK. This reveals the operating system type (Windows, Linux, or UNIX).

After defense against malformed packet attacks is enabled, the device checks the flag bits of every TCP packet to prevent attacks from packets with invalid TCP flag combinations. If any of the following conditions is met, the device discards the TCP packet:

  • All six flag bits are 1.

  • Both SYN and FIN are 1.

  • All six flag bits are 0.
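The five malformed-packet rules above (IP null payload, IGMP null payload, LAND, Smurf, invalid TCP flags) can be applied to a raw IPv4 packet with a few header checks. The following is an added example written for this page; it is not Huawei code and does not reflect how the AP implements the checks. It assumes the caller knows the directed broadcast address of the receiving interface (`subnet_broadcast`), builds its sample packets inline with checksums left at 0, and ignores IP options beyond honouring the IHL field.

```python
import struct
from typing import Dict, Optional

# TCP flag bits in the 14th byte of the TCP header (the six flags the text lists)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SIX_FLAGS = FIN | SYN | RST | PSH | ACK | URG
LIMITED_BROADCAST = bytes([255, 255, 255, 255])
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (no options; checksum left at 0)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: 20-byte TCP header carrying the given flag byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def classify(pkt: bytes, subnet_broadcast: Optional[str] = None) -> Optional[str]:
    """Apply the malformed-packet rules from the text.

    Returns the drop reason, or None when the packet passes. `subnet_broadcast`
    is the directed broadcast of the receiving interface (assumed known to the caller).
    """
    if len(pkt) < 20:
        return "truncated"
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    payload_len = min(total_len, len(pkt)) - ihl
    if payload_len <= 0:
        return "ip-null-payload"          # IP header only, no upper-layer data
    if proto == 2 and total_len < 28:
        return "igmp-null-payload"        # shorter than 20-byte IP + 8-byte IGMP
    if proto == 6:
        if payload_len < 14:
            return "tcp-truncated"        # not even a flag byte to inspect
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        flags = pkt[ihl + 13] & SIX_FLAGS
        if flags & SYN and src == dst and sport == dport:
            return "land"                 # SYN addressed from the target to itself
        if flags == SIX_FLAGS:
            return "tcp-xmas"             # all six flags set
        if flags & SYN and flags & FIN:
            return "tcp-syn-fin"
        if flags == 0:
            return "tcp-null"
    if proto == 1 and pkt[ihl] == 8:      # ICMP Echo Request
        targets = {LIMITED_BROADCAST}
        if subnet_broadcast:
            targets.add(ip_bytes(subnet_broadcast))
        if dst in targets:
            return "smurf"
    return None


def sample_verdicts() -> Dict[str, Optional[str]]:
    """Constructed packets, one per rule in the text; returns name -> verdict."""
    echo_req = b"\x08\x00" + bytes(6)
    samples = {
        "ip_null_payload": build_ipv4(17, "10.0.0.5", "10.0.0.1"),
        "igmp_null_payload": build_ipv4(2, "10.0.0.5", "224.0.0.1", b"\x11\x00\x00\x00"),
        "igmp_ok": build_ipv4(2, "10.0.0.5", "224.0.0.1", bytes(8)),
        "land": build_ipv4(6, "10.0.0.1", "10.0.0.1", build_tcp(80, 80, SYN)),
        "xmas": build_ipv4(6, "10.0.0.5", "10.0.0.1", build_tcp(1234, 80, SIX_FLAGS)),
        "syn_fin": build_ipv4(6, "10.0.0.5", "10.0.0.1", build_tcp(1234, 80, SYN | FIN)),
        "null_scan": build_ipv4(6, "10.0.0.5", "10.0.0.1", build_tcp(1234, 80, 0)),
        "normal_syn": build_ipv4(6, "10.0.0.5", "10.0.0.1", build_tcp(1234, 80, SYN)),
        "smurf_limited": build_ipv4(1, "10.0.0.1", "255.255.255.255", echo_req),
        "smurf_subnet": build_ipv4(1, "10.0.0.1", "10.0.0.255", echo_req),
        "ping_ok": build_ipv4(1, "10.0.0.1", "10.0.0.7", echo_req),
    }
    return {name: classify(p, subnet_broadcast="10.0.0.255") for name, p in samples.items()}
```

The LAND rule is checked before the flag-combination rules because a LAND packet usually carries a plain SYN and would otherwise pass; the Smurf rule looks only at Echo Requests (type 8), since the replies a Smurf victim receives are unicast and are handled by the ICMP flood rate limit described later.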

Defense Against Packet Fragment Attacks

If an attacker sends malformed packet fragments to the device, the device may consume a large amount of CPU, restart, or crash, affecting normal services. Defense against packet fragment attacks lets the device detect malformed fragments in real time and discard them or rate-limit them to protect itself.

Packet fragment attacks are classified into the following types.

Excess-Fragment Attacks

The fragment offset of an IP packet is expressed in units of 8 bytes. Normally an IP header is 20 bytes and the maximum IP payload is 65515 bytes, so an IP packet can be split into at most 8189 fragments. Reassembling a packet that arrives in more than 8189 fragments consumes a large amount of CPU.

After defense against packet fragment attacks is enabled, the device considers a packet with over 8189 fragments malicious and discards all the fragments of the packet.

Excess-Offset Attacks

An attacker sends fragments with very large offset values to the target host. The target host then allocates a large amount of memory to hold all the fragments, consuming resources.

The fragment offset field is 13 bits, so its maximum value is 8191 (65528 bytes). Normally the offset does not exceed 8190: with an offset of 8189 (65512 bytes) and a 20-byte IP header, the last fragment can carry only 3 bytes of IP payload, so 8189 is the largest offset seen in normal traffic. The device treats fragments with an offset larger than 8190 as malicious and discards them.

After defense against packet fragment attacks is enabled, the device multiplies the offset value by 8 and checks the result against this limit (an offset larger than 8190, that is, more than 65520 bytes, leaves no room for any payload). Fragments that exceed it are considered malicious and discarded.

Repeated Packet Fragment Attacks

An attacker sends repeated fragments to the target host in one of two ways:

  • The attacker sends the same fragment to the target host many times, causing abnormal CPU and memory usage on the target host.

  • The attacker sends different fragments that share the same offset. The target host cannot decide how to reassemble them, and its CPU and memory usage becomes abnormal.

After defense against packet fragment attacks is enabled, the device rate-limits fragments, keeps the first copy of a fragment, and discards the remaining repeated fragments to protect the CPU.

Tear Drop Attack

Tear Drop is the most common IP fragment attack. The IP packet is fragmented incorrectly so that the second fragment lies entirely inside the first: its offset is smaller than the end of the first fragment, and its offset plus the length of its Data field does not extend beyond the tail of the first fragment.

As shown in Figure 26-2:

  • In the first fragment, the IP payload is 36 bytes, the total length of the IP packet is 56 bytes, the protocol is UDP, and the UDP checksum is 0 (that is, the checksum is not verified).

  • In the second fragment, the IP payload is 4 bytes, the total length of the IP packet is 24 bytes, the protocol is UDP, and the offset is 24 (incorrect; the correct offset is 36).

Figure 26-2  Tear Drop attack

Tear Drop attacks cause system breakdown or restart. After defense against packet fragment attacks is enabled, the device discards all the fragments of Tear Drop attacks.

Syndrop Attack

Syndrop attack is similar to Tear Drop attack. The difference is that Syndrop attacks use TCP packets with SYN flag and IP payload.

As shown in Figure 26-3:

  • In the first fragment, the IP payload is 28 bytes, and the IP header is 20 bytes.

  • In the second fragment, the IP payload is 4 bytes, the IP header is 20 bytes, and the offset is 24 (this is incorrectly calculated and the correct offset is 28).

Figure 26-3  Syndrop attack

Syndrop attacks cause system breakdown or restart. After defense against packet fragment attacks is enabled, the device discards all the fragments of Syndrop attacks.

NewTear Attack
NewTear attack also uses malformed fragments. As shown in Figure 26-4, the protocol is UDP.
  • The IP payload of the first fragment is 28 bytes including the UDP header. The UDP checksum is 0.

  • The IP payload of the second fragment is 4 bytes. The offset is 24, which is incorrectly calculated. The correct offset is 28.

Figure 26-4  NewTear attack

NewTear attacks cause system breakdown or restart. After defense against packet fragment attacks is enabled, the device discards all the fragments of NewTear attacks.

Bonk Attack
Bonk attack also uses malformed fragments. As shown in Figure 26-5, the protocol is UDP.
  • The IP payload of the first fragment is 36 bytes including the UDP header. The UDP checksum is 0.

  • The IP payload of the second fragment is 4 bytes. The offset is 32, which is incorrectly calculated. The correct offset is 36.

Figure 26-5  Bonk attack

Bonk attacks cause system breakdown or restart. After defense against packet fragment attacks is enabled, the device discards all the fragments of Bonk attacks.

Nesta Attack
Nesta attack also uses malformed fragments. As shown in Figure 26-6:
  • In the first fragment, the IP payload is 18 bytes, the used protocol is UDP, and the checksum is 0.

  • In the second fragment, the offset is 48 and the IP payload is 116 bytes.

  • In the third fragment, the offset is 0, the MF (more fragments) flag is 1, the IP options field (all EOL options) is 40 bytes, and the IP payload is 224 bytes.

Figure 26-6  Nesta attack

Nesta attacks cause system breakdown or restart. After defense against packet fragment attacks is enabled, the device discards all the fragments of Nesta attacks.

Rose Attack

The protocol used can be UDP or TCP.

As shown in Figure 26-7:

If Rose attacks use TCP:

  • In the first fragment, the IP payload is 48 bytes (including the TCP header) and the length of the IP header is 20 bytes.

  • In the second fragment, the IP payload is 32 bytes, the offset is 65408, and the MF flag is 0 (last fragment).

If Rose attacks use UDP:

  • In the first fragment, the IP payload is 40 bytes (including the UDP header, with UDP checksum 0), and the IP header is 20 bytes.

  • In the second fragment, the IP payload is 32 bytes, the offset is 65408, and the MF flag is 0 (last fragment).

Figure 26-7  Rose attack

Rose attacks cause system breakdown or restart. After defense against packet fragment attacks is enabled, the device discards all the fragments of Rose attacks.

Fawx Attack

Fawx attack uses malformed fragments of an IGMP packet. As shown in Figure 26-8, two fragments of one IGMP packet are sent: in the first fragment the IP payload is 9 bytes; in the second fragment the offset is 8 and the IP payload is 16 bytes, so the two fragments overlap.

Figure 26-8  Fawx attack

Fawx attacks cause system breakdown or restart. After defense against packet fragment attacks is enabled, the device discards all the fragments of Fawx attacks.

Ping of Death Attack

An attacker sends ICMP packets whose Data field is longer than 65507 bytes, the most that fits in a 65535-byte IP packet after the 20-byte IP header and the 8-byte ICMP header. If the device processes such packets incorrectly, the protocol stack may crash.

After defense against packet fragment attacks is enabled, the device discards ICMP packets with the Data field longer than 65507 bytes.

Jolt Attack

An attacker sends a packet longer than 65535 bytes. A Jolt attack uses 173 fragments, each with a 380-byte IP payload, for a total length of 65760 bytes (173 x 380 + 20), which exceeds 65535. If the device processes such a packet incorrectly, it may stop responding, crash, or restart.

After defense against packet fragment attacks is enabled, the device discards Jolt attack packets.
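All of the fragment attacks above (excess fragments, excess offset, repeated fragments, the Tear Drop family, Nesta, Fawx, Ping of Death, and Jolt) can be caught by a small per-datagram reassembly tracker that applies the limits the text gives: at most 8189 fragments, no offset beyond 8190 units, no reassembled payload beyond 65515 bytes, exact repeats dropped while the first copy is kept, and any other overlap rejecting the whole datagram. The following is an added example written for this page, not Huawei code; the `Fragment` record, the `Reassembly` class, and the sample fragment trains are constructed here using the byte sizes given in the text (the Nesta second fragment is assumed to carry MF=1, which the text does not state). The text gives no per-fragment rule for the Rose attack, so the example only reports how much buffer a reassembler would have to reserve for it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_HDR = 20
MAX_PAYLOAD = 65535 - IP_HDR      # 65515: largest IP payload the text allows
MAX_FRAGMENTS = 8189              # per the text
MAX_OFFSET = 8190 * 8             # the text's threshold: no payload fits beyond this


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # IP payload bytes carried by this fragment
    mf: bool      # More Fragments flag

    @property
    def end(self) -> int:
        return self.offset + self.length


class Reassembly:
    """Tracks the fragments of one datagram and applies the drop rules from the text."""

    def __init__(self) -> None:
        self.kept: List[Fragment] = []
        self.verdict: Optional[str] = None  # set once the whole datagram is discarded

    def _reject(self, reason: str) -> str:
        self.verdict = reason
        self.kept.clear()                   # all fragments of the datagram are dropped
        return reason

    def add(self, f: Fragment) -> Optional[str]:
        """Feed one fragment; return None if it is kept, else the drop reason."""
        if self.verdict:
            return self.verdict
        if f.offset > MAX_OFFSET:
            return self._reject("excess-offset")
        if f.end > MAX_PAYLOAD:
            return self._reject("oversized-datagram")    # Jolt, Ping of Death
        if any(k.offset == f.offset and k.length == f.length for k in self.kept):
            return "repeated-fragment"                   # keep the first copy, drop the repeat
        if any(f.offset < k.end and k.offset < f.end for k in self.kept):
            return self._reject("overlapping-fragment")  # Tear Drop family, Nesta, Fawx
        self.kept.append(f)
        if len(self.kept) > MAX_FRAGMENTS:
            return self._reject("excess-fragments")
        return None

    def reserved_bytes(self) -> int:
        """Buffer the reassembler must hold: the highest byte position seen so far."""
        return max((k.end for k in self.kept), default=0)

    def received_bytes(self) -> int:
        return sum(k.length for k in self.kept)


def feed(frags: List[Fragment]) -> Optional[str]:
    """Run a whole fragment train; return the datagram verdict (None = accepted)."""
    r = Reassembly()
    for f in frags:
        r.add(f)
    return r.verdict


def split(total_payload: int, chunk: int = 1480) -> List[Fragment]:
    """Constructed sample: a correctly fragmented datagram of the given payload size."""
    out, off = [], 0
    while off < total_payload:
        n = min(chunk, total_payload - off)
        out.append(Fragment(off, n, mf=off + n < total_payload))
        off += n
    return out


def sample_verdicts() -> Dict[str, Optional[str]]:
    """Constructed fragment trains using the sizes given in the text."""
    return {
        "teardrop": feed([Fragment(0, 36, True), Fragment(24, 4, False)]),
        "syndrop": feed([Fragment(0, 28, True), Fragment(24, 4, False)]),
        "bonk": feed([Fragment(0, 36, True), Fragment(32, 4, False)]),
        "nesta": feed([Fragment(0, 18, True), Fragment(48, 116, True), Fragment(0, 224, True)]),
        "fawx": feed([Fragment(0, 9, True), Fragment(8, 16, False)]),
        "jolt": feed([Fragment(i * 380, 380, i < 172) for i in range(173)]),
        "ping_of_death": feed(split(8 + 65508)),   # ICMP header + 65508 data bytes
        "excess_offset": feed([Fragment(0, 1480, True), Fragment(8191 * 8, 8, False)]),
        "normal": feed(split(3000)),
    }


def repeated_sample() -> Tuple[List[Optional[str]], Optional[str]]:
    """Same fragment twice: first copy kept, repeat dropped, datagram still accepted."""
    r = Reassembly()
    results = [r.add(Fragment(0, 1480, True)), r.add(Fragment(0, 1480, True)),
               r.add(Fragment(1480, 100, False))]
    return results, r.verdict


def rose_sample() -> Tuple[Optional[str], int, int]:
    """Rose (TCP sizes from the text): 80 bytes received, 65440 bytes reserved."""
    r = Reassembly()
    r.add(Fragment(0, 48, True))
    r.add(Fragment(65408, 32, False))
    return r.verdict, r.received_bytes(), r.reserved_bytes()
```

The overlap test treats an exact duplicate (same offset and length) differently from a partial overlap on purpose: the text says the device keeps the first of repeated fragments and drops only the repeats, whereas a fragment that lands inside or across an earlier one is the Tear Drop pattern and condemns the whole datagram. The Rose sample shows why the page lists it with the memory-exhaustion attacks: two small fragments force a 65440-byte reservation per datagram, and the text's rule for it is simply to drop all fragments of the datagram.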

Defense Against Flood Attacks

If an attacker sends a large number of bogus packets to the target host, the target host is busy with these bogus packets and cannot process normal services.

Defense against flood attacks allows the device to detect flood packets in real time and discard them or limit the rate of the packets to protect the device.

Flood attacks include TCP SYN flood attacks, UDP flood attacks, and ICMP flood attacks.

TCP SYN Flood Attack

A TCP SYN flood exploits the TCP three-way handshake. When the receiver gets the first SYN from a sender, it replies with SYN+ACK and waits for the final ACK; while it waits, the connection is half-open. If no ACK arrives, the receiver retransmits the SYN+ACK. After several unsuccessful attempts it tears down the session and frees it from memory. The time from the first SYN+ACK to the session teardown is about 30 seconds.

During that window an attacker can send thousands of SYN packets to open ports and never answer the SYN+ACK replies. The receiver's memory for half-open connections fills up, it can no longer accept new connection requests, and existing connections may be dropped as well.

After defense against TCP SYN flood attacks is enabled, the device limits the rate of TCP SYN packets so that system resources are not exhausted upon attacks.

UDP Flood Attack

If an attacker sends a large number of UDP packets to the target host, the host is kept busy processing them, becomes overloaded, and cannot serve normal traffic. UDP flood attacks are classified into two types:

  • Fraggle attack

    An attacker sends UDP packets whose source address is the target host's address, whose destination address is the broadcast address of the target network, and whose destination port is 7 (echo). If many hosts on the broadcast network run the UDP echo service, the target host is flooded with their responses and becomes busy.

    The device treats UDP packets with port number 7 as attack packets and discards them.

  • UDP diagnostic port attack

    An attacker floods the UDP diagnostic ports (7 echo, 13 daytime, and 19 chargen) with packets, and the resulting traffic prevents network devices from working properly.

    The device treats UDP packets with port number 7, 13, or 19 as attack packets and discards them.

ICMP Flood Attack

Generally, a network administrator monitors a network and locates faults with the ping tool, which works as follows:

  • The source host sends an ICMP Echo Request message to the destination host.
  • On receiving the ICMP Echo Request, the destination host sends an ICMP Echo Reply message back to the source host.

If an attacker sends many ICMP Echo messages to the target host, the target host is busy with these Echo messages and cannot process other data packets. Therefore, normal services are affected.

The device limits the rate of packets of ICMP flood attacks to protect the CPU and ensure that the network can work properly.
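The three flood defenses above combine a static filter (UDP ports 7, 13 and 19, with the broadcast echo case being Fraggle) with per-class rate limits for TCP SYN and ICMP Echo Request. The following is an added example written for this page, not Huawei code, and the AP's actual limiter and thresholds are not documented here; it assumes packets have already been parsed into a small `Pkt` record, uses a token bucket as the rate limiter, and takes its rates (100 SYN/s with a burst of 200; 50 Echo Requests/s with a burst of 50) and its traffic sample as constructed values.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SYN, ACK = 0x02, 0x10
ICMP_ECHO_REQUEST = 8
UDP_DIAG_PORTS = {7: "echo", 13: "daytime", 19: "chargen"}   # the ports the text names


@dataclass(frozen=True)
class Pkt:
    """Already-parsed packet summary: just the fields the flood rules need."""
    ts: float                 # arrival time in seconds
    proto: int                # 1 = ICMP, 6 = TCP, 17 = UDP
    dport: int = 0
    dst_broadcast: bool = False
    tcp_flags: int = 0
    icmp_type: int = 0


class TokenBucket:
    """Rate limiter: refills `rate` tokens per second up to `capacity`; one token per packet."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate, self.capacity = rate, float(capacity)
        self.tokens = float(capacity)
        self.last: Optional[float] = None

    def allow(self, now: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def flood_class(p: Pkt) -> Optional[str]:
    """Which flood family a packet counts against, if any."""
    if p.proto == 6 and p.tcp_flags & SYN and not p.tcp_flags & ACK:
        return "tcp-syn"                      # connection requests only, not SYN+ACK
    if p.proto == 1 and p.icmp_type == ICMP_ECHO_REQUEST:
        return "icmp-echo"
    return None


class FloodDefense:
    def __init__(self, limits: Dict[str, Tuple[float, int]]) -> None:
        # limits: flood class -> (packets per second, burst); assumed policy values
        self.buckets = {cls: TokenBucket(*rc) for cls, rc in limits.items()}
        self.stats: Counter = Counter()

    def _count(self, verdict: str) -> str:
        self.stats[verdict] += 1
        return verdict

    def inspect(self, p: Pkt) -> str:
        # Static drops first: the UDP diagnostic ports, broadcast echo being Fraggle.
        if p.proto == 17 and p.dport in UDP_DIAG_PORTS:
            if p.dport == 7 and p.dst_broadcast:
                return self._count("drop:fraggle")
            return self._count("drop:udp-" + UDP_DIAG_PORTS[p.dport])
        cls = flood_class(p)
        if cls is None or cls not in self.buckets:
            return self._count("pass")
        if self.buckets[cls].allow(p.ts):
            return self._count("pass")
        return self._count("drop:" + cls + "-flood")


def simulate() -> Dict[str, int]:
    """Constructed traffic: a SYN burst, an Echo Request burst, and a few UDP probes."""
    d = FloodDefense({"tcp-syn": (100.0, 200), "icmp-echo": (50.0, 50)})
    # 1000 SYNs within 10 ms, then 500 Echo Requests within 10 ms, then UDP probes
    stream = [Pkt(1.0 + i * 1e-5, 6, dport=80, tcp_flags=SYN) for i in range(1000)]
    stream += [Pkt(2.0 + i * 1e-5, 1, icmp_type=ICMP_ECHO_REQUEST) for i in range(500)]
    stream += [Pkt(3.0, 17, dport=port) for port in (7, 13, 19)]
    stream.append(Pkt(3.1, 17, dport=7, dst_broadcast=True))
    stream.append(Pkt(3.2, 17, dport=53))
    for p in stream:
        d.inspect(p)
    return dict(d.stats)
```

With these constructed limits the SYN burst lets through the 200-packet burst allowance and drops the remaining 800, the Echo Request burst passes 50 and drops 450, and the UDP probes are dropped by port before any rate accounting; the DNS packet to port 53 passes because UDP itself is not rate-limited in the text. A real deployment would key the buckets per source or per destination rather than globally so that one flooding host cannot starve everyone else's SYNs.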

Updated: 2019-01-11

Document ID: EDOC1000176006