A Denial-of-service attack is a malicious attempt by one or many users to limit or completely disable the availability of a service.
There are three basic types of attacks:
- Consumption of scarce, limited, or non-renewable resources.
- Destruction or alteration of configuration information.
- Physical destruction or alteration of network components.
NetDevices SG-x provides an effective way for users to protect their networks against these attacks. The system employs rate limiting and rule-based filtering to prevent them. The following sections give usage guidelines for configuring the system to protect against each attack.
TYPES OF NETWORK ATTACKS
The following sections give a concise overview of all the rate-limiting and non-rate-limiting attacks that can be prevented by the NetD SG-x system. The attacks are further classified into:
- Default Attacks (Rate-limiting)
- Default Attacks (Non Rate Limiting)
- Optional Attacks
The Default Attacks are the ones present in the default attack prevention list of the NetDevices SG-x system. This list can be configured as explained in the section: To configure a default attack prevention policy.
The Optional Attacks are the ones not present in the default attack prevention list of the NetDevices SG-x system. These attacks, too, can either be turned on manually for detection or have filters applied to block them. This can be configured as explained in the section: To configure user-defined attack prevention policy.
DEFAULT ATTACKS (RATE-LIMITING)
ICMP-DEST-UNRCH-STORM
icmp-dest-unrch-storm [threshold num:packets num:per msec]
A storm of ICMP Destination Unreachable messages, arriving faster than the configured threshold, consumes bandwidth and CPU on the receiving host and can be abused to reset or throttle legitimate connections on stacks that act on them. This attack is implicitly part of the default attack prevention list. If the default list is not used, individual attacks can still be turned on by listing their respective keywords, with parameters, in the user-defined list.
ICMP-IP-ADDRESS-SWEEP
icmp-ip-address-sweep [threshold num:packets num:per msec]
An address sweep attack occurs when one source IP address sends 10 ICMP echo requests (pings) to different hosts within a defined interval. The purpose is to ping several hosts in the hope that one will reply, thus uncovering a live address to target in a later attack. This command is included in NetD's default attack prevention list.
ICMP-PING-FLOOD
icmp-ping-flood [threshold num:packets num:per msec]
A ping flood is a high rate of ICMP echo (ping) requests directed at a victim, consuming its bandwidth and CPU. In the amplified (smurf) variant, the perpetrator sends the echo requests to IP broadcast addresses with the source address spoofed to that of the victim. If the routing device delivering traffic to the broadcast address performs the IP-broadcast-to-layer-2-broadcast function, most hosts on that IP network accept the echo request and each answers with an echo reply to the victim, multiplying the traffic by the number of hosts responding. To secure the system from this kind of ping flooding, this command is included in the default attack prevention list.
IP-TINY-FRAG
ip-tiny-frag [max-frag-num num:packets min-frag-size num:packets]
If the fragment size is made small enough to force some of a TCP packet's header fields into the second fragment, filter rules that match on those fields (for example the destination port or the SYN flag) will not match the first fragment. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet may be passed because it did not hit a match in the filter. The above keyword is also turned on by default. If the user wishes to disable it, he can override this keyword and later turn it on, with a specified minimum fragment size, in the user-defined attack prevention list.
TCP-SYN-FLOOD
tcp-syn-flood [threshold num:packets num:per msec]
The server builds in its system memory a data structure describing all pending (half-open) connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections with SYN segments that are never completed. Systems providing TCP-based services to the Internet community may be unable to provide service while under this attack and for some time after it ceases. To protect the system from this attack, this command is also included in the default attack prevention list.
UDP-PORT-LOOPBACK
udp-port-loopback [threshold num:packets num:per msec]
A UDP packet travels between two "echoing" ports (such as echo or chargen). Such packets can bounce an unbounded number of times, using up network bandwidth and CPU. An intruder can cause this by spoofing a packet from one machine's echoing port and sending it to another's. Generating many of these packets can overwhelm the systems and the network. This keyword is included, with appropriate parameters, in the default list.
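The rate-limiting keywords above all take a `threshold num:packets num:per msec` pair. The block below is an added example, not NetDevices SG-x code, showing how such a threshold can be evaluated as a sliding window over packet timestamps, and how the address-sweep case differs from a plain flood: it counts distinct destinations per source rather than raw packets. The window semantics (the keyword trips when `packets` events from one key fall inside the last `per msec` milliseconds) and the sample traffic are assumptions of this example.

```python
"""Sliding-window evaluation of `threshold num:packets num:per msec`.

Added example, not NetDevices SG-x code. Timestamps are supplied by the
caller in milliseconds so the example is deterministic and runs offline.
"""
from collections import defaultdict, deque


class ThresholdCounter:
    """Count events per key inside a sliding window of `per_msec` milliseconds.

    observe() returns True when the key has reached `packets` events inside
    the window, i.e. when a keyword such as tcp-syn-flood would trip.
    """

    def __init__(self, packets: int, per_msec: int) -> None:
        self.packets = packets
        self.per_msec = per_msec
        self._events = defaultdict(deque)  # key -> timestamps in window

    def observe(self, key: str, now_ms: int) -> bool:
        q = self._events[key]
        q.append(now_ms)
        # Drop events that have fallen out of the window.
        while q and now_ms - q[0] >= self.per_msec:
            q.popleft()
        return len(q) >= self.packets


class AddressSweepDetector:
    """icmp-ip-address-sweep: one source pinging many *distinct* hosts.

    Unlike a flood, the count is of distinct destinations seen from a source
    inside the window; repeated pings to the same host count once.
    """

    def __init__(self, hosts: int, per_msec: int) -> None:
        self.hosts = hosts
        self.per_msec = per_msec
        self._seen = defaultdict(deque)  # src -> (timestamp, dst) in window

    def observe(self, src: str, dst: str, now_ms: int) -> bool:
        q = self._seen[src]
        q.append((now_ms, dst))
        while q and now_ms - q[0][0] >= self.per_msec:
            q.popleft()
        return len({d for _, d in q}) >= self.hosts


def run_syn_flood_sample():
    """Constructed sample: 100 SYNs in 100 ms trips a 100-per-1000-ms
    threshold; the same 100 SYNs spread over 2 s never do."""
    fast = ThresholdCounter(packets=100, per_msec=1000)
    tripped_fast = any(fast.observe("203.0.113.5", t) for t in range(100))
    slow = ThresholdCounter(packets=100, per_msec=1000)
    tripped_slow = any(slow.observe("203.0.113.5", t * 20) for t in range(100))
    return tripped_fast, tripped_slow


def run_address_sweep_sample():
    """Constructed sample: 10 pings to 10 different hosts within 1 s trip a
    10-host sweep detector; 10 pings to one host do not."""
    sweep = AddressSweepDetector(hosts=10, per_msec=1000)
    many = any(sweep.observe("198.51.100.7", f"192.0.2.{i}", i * 50) for i in range(10))
    same = AddressSweepDetector(hosts=10, per_msec=1000)
    one = any(same.observe("198.51.100.7", "192.0.2.1", i * 50) for i in range(10))
    return many, one


if __name__ == "__main__":
    print("syn flood (fast, slow):", run_syn_flood_sample())
    print("address sweep (many hosts, one host):", run_address_sweep_sample())
```

A deque per key is enough for a demonstration; a production filter would bound the number of tracked keys and age out idle ones, since an attacker who spoofs many source addresses can otherwise exhaust the tracking table itself.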
DEFAULT ATTACKS (NON RATE LIMITING)
ICMP-ECHO-STORM-ATTACK
icmp-echo-storm-attack
The two main components of the "smurf" denial-of-service attack are the use of forged ICMP echo request packets and the direction of those packets to IP broadcast addresses. Attackers send ICMP echo requests to IP broadcast addresses from remote locations, with the victim's address forged as the source, so that every host on the broadcast network replies to the victim. To avoid this performance degradation, this keyword is also included in NetD's default attack prevention list.
ICMP-PING-OF-DEATH
icmp-ping-of-death [num:fragments] [num:max length]
The IP specification limits a datagram to 65,535 bytes, including fragments reassembled into one datagram. Many ping implementations allow the user to specify a larger packet size, which is sent as a series of fragments. A grossly oversized ICMP packet can trigger a range of adverse reactions on reassembly, such as denial of service (DoS), crashing, freezing, and rebooting. This command is included in the default attack prevention list to secure the system from this attack.
IP-LAND-ATTACK
ip-land-attack
A LAND attack consists of a stream of TCP SYN packets that have the source IP address and TCP port number set to the same values as the destination address and port number (i.e., those of the attacked host), causing vulnerable stacks to reply to themselves and hang.
IP-SOURCE-ROUTING
ip-source-routing
Source routing is a technique whereby the sender of a packet can specify the route that the packet should take through the network. Attackers can use source routing to probe the network by forcing packets into specific parts of it. Using source routing, an attacker can collect information about a network's topology, or other information that could be useful in performing an attack. During an attack, an attacker can use source routing to direct packets so that they bypass existing security restrictions. This command is included in the default attack protection list to secure the network from this attack.
IP-TEAR-DROP
ip-tear-drop
The Teardrop attack tool exploits IP fragment reassembly code that does not properly handle overlapping IP fragments: it sends fragments whose offsets overlap, so that the reassembly routine computes a negative length and corrupts memory. (The LAND tool, covered under ip-land-attack above, instead sends a SYN packet whose source and destination ports and addresses are identical, i.e., spoofed; this is also called a "TCP loopback" DoS attack.) Both attacks can crash or hang hosts. The above keyword protects the system from the Teardrop attack and is already included in the default list.
IP-ZERO-LENGTH
ip-zero-length
This denial-of-service attack is caused when a 0-length IP fragment is received as the first fragment in the list. A series of such 0-length first fragments makes it impossible for the kernel to deallocate the destination entry and remove it from the cache, resulting in a denial of service. To avoid the attack, this keyword is also placed in the default list.
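The four fragment-based keywords on this page (ip-tiny-frag, icmp-ping-of-death, ip-tear-drop and ip-zero-length) all come down to checks on the offsets and lengths of the fragments that make up one datagram. The block below is an added example, not NetDevices SG-x code, that performs those checks over a constructed fragment list. The Fragment record, the default values for the tiny-fragment parameters, and the reading of max-frag-num as a cap on the number of fragments per datagram are assumptions of this example.

```python
"""Fragment-stream checks for ip-tiny-frag, icmp-ping-of-death, ip-tear-drop
and ip-zero-length.

Added example, not NetDevices SG-x code. Fragments are supplied as already
parsed header fields; offsets are in bytes (the IP header field times 8).
"""
from dataclasses import dataclass
from typing import Dict, List, Set

IP_MAX_DATAGRAM = 65535   # 16-bit total length field, RFC 791
TCP_MIN_HEADER = 20       # a first fragment shorter than this cannot hold the TCP header


@dataclass
class Fragment:
    ident: int      # IP identification field shared by all pieces of one datagram
    offset: int     # fragment offset in bytes
    length: int     # payload bytes carried by this fragment
    more: bool      # the MF (more fragments) flag


def check_fragments(frags: List[Fragment],
                    min_frag_size: int = TCP_MIN_HEADER,
                    max_frag_num: int = 64) -> Set[str]:
    """Return the keywords from this page that the fragment stream matches."""
    hits: Set[str] = set()
    by_id: Dict[int, List[Fragment]] = {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)

    for pieces in by_id.values():
        pieces = sorted(pieces, key=lambda f: f.offset)
        first = [f for f in pieces if f.offset == 0]

        # ip-zero-length: a first fragment carrying no data at all.
        if any(f.length == 0 for f in first):
            hits.add("ip-zero-length")

        # ip-tiny-frag: a first fragment too small to hold the transport header
        # (so filters cannot see the ports/flags), or too many pieces.
        if any(f.more and 0 < f.length < min_frag_size for f in first):
            hits.add("ip-tiny-frag")
        if len(pieces) > max_frag_num:
            hits.add("ip-tiny-frag")

        # ip-tear-drop: a fragment that starts inside the previous one's range.
        end = -1
        for f in pieces:
            if f.offset < end:
                hits.add("ip-tear-drop")
            end = max(end, f.offset + f.length)

        # icmp-ping-of-death: reassembled size would exceed the IP maximum.
        if end > IP_MAX_DATAGRAM:
            hits.add("icmp-ping-of-death")
    return hits


# Constructed samples, one datagram per identification value.
SAMPLES = {
    "benign":   [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True),
                 Fragment(1, 2960, 100, False)],
    "tiny":     [Fragment(2, 0, 8, True), Fragment(2, 8, 12, False)],
    "teardrop": [Fragment(3, 0, 36, True), Fragment(3, 24, 4, False)],
    "pod":      [Fragment(4, 65408, 1096, False)],   # offset 8176*8 + 1096 > 65535
    "zero":     [Fragment(5, 0, 0, True)],
}


def run_samples() -> Dict[str, Set[str]]:
    return {name: check_fragments(frags) for name, frags in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:9s} -> {sorted(hits) or 'clean'}")
```

Note that the overlap test is done on sorted offsets, so a legitimately retransmitted duplicate fragment (same offset and length) is also flagged; a filter that wants to tolerate exact duplicates would compare the range to the previous fragment before counting it as an overlap.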
TCP-FIN-SCAN
tcp-fin-scan
TCP FIN scanning and flooding. A FIN scan sends TCP segments with only the FIN flag set, outside any established connection: a closed port answers with RST while an open port on many stacks stays silent, which maps the host's services without completing a handshake; sent at a high rate, the same segments also load the target. To secure the system from this probing and flooding, this command also forms part of the default list.
TCP-FIN-NOACK
tcp-fin-no-ack
TCP packets with FIN set but without ACK set. In a normal connection every segment after the first SYN carries ACK, so such packets are never legitimate; some stacks crash when they receive them. To avoid this, the above command is also present in the default DoS prevention list.
TCP-HEADER-FRAG
tcp-header-frag
In this attack, a TCP header is split across multiple IP fragments in an attempt to bypass firewalls or intrusion detection systems that inspect only the first fragment. Traffic that the filter should have blocked can then pass through it. To retain security, this command is included in the DoS prevention list.
TCP-INVALID-URGENT-OFFSET
tcp-invalid-urgent-offset
The intruder sends a TCP frame with URG set and an urgent pointer that points past the end of the data. This may cause some TCP/IP implementations to become unstable or crash; some hang when they receive many such frames. Inclusion of this command prevents such attacks.
TCP-NULL-SCAN
tcp-null-scan
TCP packets without any flag set. Such packets are never valid, but filters that match on specific flags (for example SYN) let them through, and a host's response (RST from a closed port, silence from an open one) reveals which ports are open. This attack is prevented because the keyword is also included in the default DoS prevention list.
TCP-SYN-FIN
tcp-syn-fin
These packets have both the SYN and FIN flags set, a combination that never occurs in normal TCP operation. They do not belong to any session, so they are checked before session handling, and they can confuse stateful filters or crash hosts, causing a denial of service. This attack is prevented by using the "default" keyword, or the keyword can be inserted in the user-defined list.
TCP-XMAS-SCAN
tcp-xmas-scan
A TCP frame with a sequence number of zero and the FIN, URG and PUSH bits all set should never be seen in normal TCP operation. Sometimes it is sent in preparation for a future attack, or to see whether the system has a service which is susceptible to attack. To avoid this attack, the above command is placed in the default DoS prevention list.
UDP-SHORT-HEADER
udp-short-header
A UDP header that is split across fragments, so that the first fragment is too short to carry the complete header. This attack is similar to the tcp-header-frag attack. This command is also part of the DoS prevention list. If the "default" keyword is not used, prevention can be turned on by including the above keyword in the user-defined list.
UDP-FRAGGLE-ATTACK
udp-fraggle-attack
The fraggle attack is the UDP counterpart of smurf: the perpetrator sends a large amount of UDP traffic to the echo port (and similar services) at IP broadcast addresses, all of it with a forged source address of the victim, so every responding host floods the victim with replies, causing a system crash or denial of service. This command is implicitly included in the default attack prevention list to secure the system from this attack.
UDP-SNORK-ATTACK
udp-snork-attack
This is an attempt to connect two services which, if enabled, will engage in indefinite communication with each other. This causes many frames to be transmitted unnecessarily and dramatically reduces the performance of the network and the systems involved. To avoid this denial-of-service overload attempt, this command is placed in the default prevention list.
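Most of the non-rate-limiting keywords above are single-packet header checks. The block below is an added example, not NetDevices SG-x code, that evaluates those checks over already-parsed header fields and then applies the default/user-defined list distinction described at the top of this page, so the difference between the default and optional keywords (icmp-redirect and icmp-router-advertisement are only honoured when explicitly listed) is visible in code. The Packet record, the function names and the sample packets are assumptions of this example.

```python
"""Per-packet header checks for the non-rate-limiting keywords, plus the
default-list / user-defined-list selection.

Added example, not NetDevices SG-x code. Works on parsed header fields.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# TCP flag bits as they appear in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECHO, CHARGEN = 7, 19                      # UDP "echoing" services
LOOPBACK_PORTS = {ECHO, CHARGEN}
ICMP_REDIRECT, ICMP_ECHO_REQUEST, ICMP_ROUTER_ADV = 5, 8, 9

# Keywords from this page that are on by default, and the optional ones.
DEFAULT_LIST = frozenset({
    "ip-land-attack", "tcp-syn-fin", "tcp-null-scan", "tcp-xmas-scan",
    "tcp-fin-scan", "tcp-fin-no-ack", "tcp-invalid-urgent-offset",
    "udp-port-loopback", "udp-fraggle-attack", "icmp-echo-storm-attack",
})
OPTIONAL_LIST = frozenset({"icmp-redirect", "icmp-router-advertisement"})


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0                   # TCP flags byte
    urg_ptr: int = 0                 # TCP urgent pointer
    payload_len: int = 0             # bytes of data after the TCP header
    icmp_type: Optional[int] = None
    dst_is_broadcast: bool = False   # dst is a directed or limited broadcast


def classify(p: Packet) -> Set[str]:
    """Return every keyword on this page that the packet's headers match."""
    hits: Set[str] = set()
    if p.proto == "tcp":
        if p.flags & SYN and p.src == p.dst and p.sport == p.dport:
            hits.add("ip-land-attack")
        if p.flags & SYN and p.flags & FIN:
            hits.add("tcp-syn-fin")
        if p.flags == 0:
            hits.add("tcp-null-scan")
        if p.flags == FIN:
            hits.add("tcp-fin-scan")
        if p.flags & FIN and not p.flags & ACK:
            hits.add("tcp-fin-no-ack")     # also true of the FIN-only probe
        xmas = FIN | URG | PSH
        if (p.flags & xmas) == xmas and not p.flags & (SYN | ACK):
            hits.add("tcp-xmas-scan")
        if p.flags & URG and p.urg_ptr > p.payload_len:
            hits.add("tcp-invalid-urgent-offset")
    elif p.proto == "udp":
        if p.sport in LOOPBACK_PORTS and p.dport in LOOPBACK_PORTS:
            hits.add("udp-port-loopback")
        if p.dst_is_broadcast and p.dport in LOOPBACK_PORTS:
            hits.add("udp-fraggle-attack")
    elif p.proto == "icmp":
        if p.icmp_type == ICMP_ECHO_REQUEST and p.dst_is_broadcast:
            hits.add("icmp-echo-storm-attack")   # smurf: echo request to broadcast
        if p.icmp_type == ICMP_REDIRECT:
            hits.add("icmp-redirect")
        if p.icmp_type == ICMP_ROUTER_ADV:
            hits.add("icmp-router-advertisement")
    return hits


def enforce(p: Packet, user_list: Iterable[str] = (), use_default: bool = True) -> Set[str]:
    """Keep only the matches that the active prevention list covers: the
    default list (when enabled) plus any keywords the user listed explicitly."""
    active = (set(DEFAULT_LIST) if use_default else set()) | set(user_list)
    return classify(p) & active


if __name__ == "__main__":
    land = Packet("10.0.0.1", "10.0.0.1", "tcp", sport=139, dport=139, flags=SYN)
    redirect = Packet("10.0.0.9", "10.0.0.1", "icmp", icmp_type=ICMP_REDIRECT)
    print("LAND:", sorted(enforce(land)))
    print("redirect, default list only:", sorted(enforce(redirect)))
    print("redirect, with icmp-redirect listed:", sorted(enforce(redirect, ["icmp-redirect"])))
```

The flag tests deliberately use bit masks rather than equality where the page describes "bits set", and exact equality (`flags == 0`, `flags == FIN`) where the page describes a packet with nothing else set; getting this distinction wrong is a common source of both false positives and evasions in hand-written packet filters.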
OPTIONAL ATTACKS
The following four DoS attacks are not set for prevention by default. These attacks, too, can either be turned on manually for detection or have filters applied to block them.
ICMP-BLOCK-TRACE-ROUTE
[icmp-block-trace-route]
This command is not a default DoS setting. The square brackets around the whole command denote that it is optional: the attack is not set for protection by default in the NetD system, but the user can turn it on by explicitly adding the above keyword to the user-defined attack prevention list. Enabling it blocks the ICMP messages that traceroute relies on, so the path through the network cannot be mapped from outside.
ICMP-ROUTER-ADVERTISEMENT
[icmp-router-advertisement]
Remote attackers can spoof ICMP router advertisement packets and remotely add bad default-route entries to a victim's routing table. Since the victim's system would then forward frames to the wrong address, it becomes unable to reach other networks (or its traffic is routed through the attacker). This attack can be prevented by adding this command to the DoS prevention list.
ICMP-REDIRECT
[icmp-redirect]
This command is not a default DoS setting. The square brackets around the whole command denote that it is optional. An ICMP redirect tells a host to use a different gateway for a destination; a spoofed redirect can therefore alter the victim's routing table and divert or black-hole its traffic. The above command can be included in the DoS prevention list to avoid this kind of attack.
IP-SPOOFING
[ip-spoofing]
To gain access, intruders create packets with spoofed source IP addresses. This exploits applications that use authentication based on IP addresses and leads to unauthorized user and possibly root access on the targeted system. Current intruder activity in spoofing source IP addresses can lead to unauthorized remote root access to systems behind a filtering-router firewall. After gaining root access and taking over existing terminal and login connections, intruders can gain access to remote hosts. This command is not included in the default attack list. Can be explicitly included to secure the network from this attack.