No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Attack Defense

Attack Defense

Attack defense is an important network security function of the firewall. With this function, the firewall can detect various network attack behaviors and take measures to protect the network, ensuring normal running of the internal network and systems.

Types of Network Attacks

Network attacks are classified into three types: Denial of Service (DoS) attacks, scanning and snooping attacks, and malformed packet attacks.

  • DoS attack

    An attacker sends a large number of data packets to the target system to prevent the system from processing requests from authorized users or make the host stop responding. DoS attackers include SYN Flood attacks and Fraggle attacks.

    DoS attacks are different from other attacks because DoS attackers do not search for the ingress of a network but prevent authorized users from accessing resources or firewall.

  • Scanning and snooping attack

    Scanning and snooping attacks identify existing systems on a network through ping scanning (including ICMP and TCP scanning), and then find out potential targets. By scanning TCP and UDP ports, the attackers can know the operating system and the monitored services.

    Through scanning and snooping, an attacker can generally know the service type of the system and prepare for further intrusion to the system.

  • Malformed packet attack

    An attacker sends malformed IP packets to a target system. The target system crashes when processing the malformed IP packets. Malformed packet attacks include Ping of Death and Teardrop.

The following describes typical attacks on networks.

Land Attack

An attacker initiates a Land attack by setting the source and destination addresses of a TCP SYN packet to the IP address of a target host. The target host then sends a SYN-ACK message to its own IP address, and the ACK message is sent back to the target host. This forms a null session. Every null session exists until it times out. Figure 6-7 shows a Land attack.

Figure 6-7  Land attack

The responses to the Land attack vary according to the targets. For instance, many UNIX hosts crash while Windows NT hosts slow down.

Smurf Attack

A simple Smurf attack is used to attack a network. The attacker sends an ICMP Echo request to the broadcast address of the network. All the hosts on the network respond to the request and the network is congested. Figure 6-8 shows a simple Smurf attack.

Figure 6-8  Simple Smurf attack

An advanced Smurf attack targets hosts. The attacker sends an ICMP Echo request packet to the network where the target host is located. The source IP address of the packet is the IP address of the target host; therefore, all ICMP Echo Reply packets are sent to the target host. This slows down packet processing on the target host or can even make the host crash. Figure 6-9 shows an advanced Smurf attack.

Figure 6-9  Advanced Smurf attack

Sending attack packets generates certain traffic and lasts for some time. Theoretically, the attack causes severe damages when there are more hosts on the network.

WinNuke Attack

Network Basic Input/Output System (NetBIOS) is a network access interface that is widely used in file sharing, print sharing, and data exchange between different operating systems. Generally, NetBIOS is a multicast-based interface and runs over the Logical Link Control Type 2 (LLC2) protocol. The common TCP/UDP ports to implement NetBIOS on the TCP/IP protocol stack:

  • 139: a TCP port used for the NetBIOS sessions.
  • 137: a UDP port used for the NetBIOS name service.
  • 136: a UDP port used for the NetBIOS datagram service.

Windows operating systems implement NetBIOS over TCP/IP and open port 139.

WinNuke attacks use the vulnerability of Windows operating systems. An attacker sends data packets carrying TCP out-of-band (OOB) packets to port 139. These attack packets differ from normal OOB packets in that the pointer field in the packets does not match the actual location of data. When the Windows operating system processes these packets, it may crash.

SYN Flood Attack

A SYN Flood attack uses the three-way handshake mechanism of the TCP protocol to attack the target host. An attacker sends a SYN packet to the target host to request for a TCP connection, but it does not respond to the SYN-ACK packet sent from the target host. If the target host does not receive the response from the attacker, it keeps waiting and forms a half connection. Figure 6-10 shows a SYN Flood attack.

Figure 6-10  Half connection

The attacker sends a lot of TCP SYN packets to make the target host set up many half connections, which occupy a large number of resources. When the resources on the target host are used up, data processing on the host slows down and authorized users cannot access the host.

The attacker can also generate a SYN packet with a pseudo or non-existent source address to attack the target host.

ICMP Flood Attack

A network administrator uses the ping program to monitor networks and locate faults. The ping process is as follows:

  1. A source host sends an ICMP Echo Request packet to a destination host.
  2. After receiving the ICMP Echo Request packet, the destination host returns an ICMP Echo Reply packet to the source host.

ICMP packets are processed by the CPU and may consume many CPU resources in some cases.

If an attacker sends a large number of ICMP Echo Request packets to a target host, the target host becomes busy processing these Echo Request packets and cannot process other data packets. Figure 6-11 shows an ICMP Flood attack.

Figure 6-11  ICMP Flood attack

UDP Flood Attack

A UDP flood attack is similar to an ICMP flood attack. An attacker sends a large number of UDP packets to a target host. The target host becomes busy processing these UDP packets and cannot process normal data packets.

IP Sweeping and Port Scanning Attack

An attacker uses a scanning tool to probe target IP addresses and ports. The targets then respond to the probes, through which the attacker can know which target systems are active and connected to the network and which ports are open or closed.

Ping of Death Attack

Ping of Death is an attack to a system by sending oversized ICMP packets.

The Length field of an IP packet is 16 bits, indicating that the maximum length of an IP packet is 65535 bytes. If the data field of an ICMP Echo Request packet is longer than 65507 bytes, the length of the ICMP Echo Request packet (ICMP data + 20-byte IP header + 8-byte ICMP header) is larger than 65535 bytes. Some systems or devices cannot process oversized ICMP packets. If they receive such packets, they may stop responding, crash, or restart. Figure 6-12 shows an oversized ICMP packet.

Figure 6-12  Oversized ICMP packet

Large-ICMP Attack

Similar to a Ping of Death attack, a Large-ICMP attack sends oversize ICMP packets to attack a system. Although the length of Large-ICMP packets does not exceed the maximum length of an IP packet (65535 bytes), the Large-ICMP packets also have great impact on some operating systems.

To prevent Large-ICMP attack, set the maximum length of ICMP packets on the firewall.

ICMP-Unreachable Attack

After receiving an ICMP network-unreachable packet (packet type field is 3 and code is 0) or host-unreachable packet (packet type is 3 and code is 1), some systems consider the subsequent packets sent to this destination unreachable. The systems then disconnect the destination from the host. Figure 6-13 shows an ICMP-Unreachable attack.

Figure 6-13  ICMP-unreachable attack

The attacker sends ICMP-Unreachable packets to the target hosts to change routes on the target hosts. In this case, packet forwarding on the hosts is abnormal.

ICMP-Redirect Attack

An ICMP-Redirect attack is similar to an ICMP-Unreachable attack.

A network device can send ICMP Redirect packets to a host in the same subnet, requesting the host to change its routes.

Similarly, an attacker sends a fake Redirect packet to the target host on another network segment, requesting the target host to modify the routing table. The attack changes routes on the target host and affects packet forwarding. Figure 6-14 shows an ICMP-Redirect attack.

Figure 6-14  ICMP-Redirect attack

IP Fragment Attack

The fields related to fragmentation of an IP packet are Don't Fragment (DF) bit, More fragments (MF) bit, Fragment Offset, and Length.

If the previous fields conflict and a device does not process the fields properly, the device may stop running or even crash. In the following cases, the fields conflict:

  • The DF bit is set, but the MF bit is also set or the fragment offset is not 0.
  • The DF bit is 0, but the sum of Fragment Offset and Length is larger than 65535.

In addition, the device must directly discard the fragment packets destined for itself because the fragment packets result in a heavy load in packet caching and reassembly.

Teardrop Attack

During packet transmission, an IP packet must be fragmented when it is longer than the maximum transmission unit (MTU) of the link layer. The IP packet header contains an offset field and an MF field. If the MF field is set to 1, the IP packet is a fragment. The offset field indicates the location of this fragment in the whole IP packet. The receiver can reassemble the IP packet based on the information carried in the IP packet header.

For example, if a large packet is transmitted over a link with a smaller MTU, the packet is fragmented into two IP packets. The receiver then reassembles the two IP packets into the original IP packet. Figure 6-15 shows the normal packet reassembling process.

Figure 6-15  Packet reassembly

If an attacker sets the offset field to an incorrect value, the receiver cannot correctly assemble packets. Some TCP/IP protocol stacks may crash when they receive a pseudo fragment containing an overlapping offset. This is a Teardrop attack. Figure 6-16 shows a Teardrop attack packet.

Figure 6-16  Teardrop attack diagram

Fraggle Attack

A Fraggle attack is similar to a Smurf attack, except that the Fraggle attack sends UDP packets but not ICMP packets. Therefore, the Fraggle attack packets can traverse some firewalls that prevent ICMP packets.

A Fraggle attack can be successful because both UDP port 7 (ECHO) and port 19 (Chargen) return responses after receiving UDP packets. The details are as follows:

  • UDP port 7 returns a response (similar to the ICMP Echo-Reply packet) after receiving a packet.
  • UDP port 19 generates a character flow after receiving the packet.

The two UDP ports send a lot of response packets, which occupy high network bandwidth.

The attacker can send a UDP packet to the target network. The source address of the UDP packet is the IP address of the attacked host and its destination address is the broadcast address or network address of the host's subnet. The destination port number of the packet is 7 or 19. All the hosts with the port open on the subnet send response packets to the attacked host. This generates heavy traffic, which blocks the network or makes the host crash.

The hosts with the port closed on the subnet generate ICMP Unreachable packets, which still consume high bandwidth. If the attacker sets the source port to 19 (Chargen) and the destination port to 7 (ECHO), severer damages are caused because the response packets are generated automatically and continuously.

Tracert Attack

Tracert is to discover the packet transmission path through the ICMP timeout packets that is returned when time to live (TTL) value is 0 or through the returned ICMP port-unreachable packets.

An attack can obtain the network structure through Tracert. This brings security risks to the network.

Malformed TCP Packet Attacks

A malformed TCP packet is a packet with an incorrect 6-bit TCP header. An error will occur when the TCP protocol stack on the receiver processes the TCP packet.

Updated: 2019-08-07

Document ID: EDOC1100034077

Views: 135397

Downloads: 244

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next