Alcatel-Lucent 6600 Switch User Manual


 
IP Configuration Configuring IP
page 14-14 OmniSwitch 6600 Family Network Configuration Guide April 2006
IP-Directed Broadcasts
An IP directed broadcast is an IP datagram that has all zeroes or all 1’s in the host portion of the destina-
tion IP address. The packet is sent to the broadcast address of a subnet to which the sender is not directly
attached. Directed broadcasts are used in denial-of-service “smurf” attacks. In a smurf attack, a continu-
ous stream of ping requests is sent from a falsified source address to a directed broadcast address, result-
ing in a large stream of replies, which can overload the host of the source address. By default, the switch
drops directed broadcasts. Typically, directed broadcasts should not be enabled.
Use the ip directed-broadcast command to enable or disable IP-directed broadcasts. For example:
-> ip directed-broadcast off
Use the show ip config command to display the IP directed-broadcast state.
Denial of Service (DoS) Filtering
By default, the switch filters denial of service (DoS) attacks, which are security attacks aimed at devices
that are available on a private network or the Internet. Some of these attacks aim at system bugs or vulner-
ability (for example, teardrop attacks), while other types of these types of attacks involve generating large
volumes of traffic so that network service will be denied to legitimate network users (such as pepsi
attacks). Examples of these attacks include the following:
ICMP Ping of Death—Ping packets that exceed the largest IP datagram size (65535 bytes) are sent to a
host and hang or crash the system.
SYN Attack—Floods a system with a series of TCP SYN packets, resulting in the host issuing SYN-
ACK responses. The half open TCP connections can exhaust TCP resources, such that no other TCP
connections are accepted.
Land Attack—Spoofed packets are sent with the SYN flag set to a host on any open port that is listen-
ing. The machine may hang or reboot in an attempt to respond.
Teardrop/Bonk/Boink attacks—Bonk/boink/teardrop attacks generate IP fragments in a special way to
exploit IP stack vulnerabilities. If the fragments overlap the way those attacks generate packets, an
attack is recorded. Since teardrop, bonk and boink all use the same IP fragmentation mechanism to
attack, these is no distinction between detection of these attacks. The old IP fragments in the fragmen-
tation queue is also reaped once the reassemble queue goes above certain size.
Pepsi Attack—The most common form of UDP flooding directed at harming networks. A pepsi attack
is an attack consisting of a large number of spoofed UDP packets aimed at diagnostic ports on network
devices. This can cause network devices to use up a large amount of CPU time responding to these
packets.
The switch can be set to detect various types of port scans by monitoring for TCP or UDP packets sent to
open or closed ports. Monitoring is done in the following manner:
Packet penalty values set. TCP and UDP packets destined for open or closed ports are assigned a
penalty value. Each time a packet of this type is received, its assigned penalty value is added to a
running total. This total is cumulative and includes all TCP and UDP packets destined for open or
closed ports.
Port scan penalty value threshold.The switch is given a port scan penalty value threshold. This
number is the maximum value the running penalty total can achieve before triggering an SNMP trap.
Decay value. A decay value is set. The running penalty total is divided by the decay value every
minute.