LANCOM Reference Manual LCOS 3.50, Chapter 8: Firewall
162
Firewall
8.5 Protection against “Denial of Service” attacks
Attacks from the Internet can be break-in attempts as well as attacks that aim to block the accessibility and functionality of individual services. A LANCOM is therefore equipped with appropriate protective mechanisms that recognize well-known hacker attacks and guarantee continued functionality.
8.5.1 Examples of Denial of Service attacks
Denial of Service attacks exploit fundamental weaknesses of the TCP/IP protocols as well as faulty implementations of TCP/IP protocol stacks. Attacks that exploit fundamental weaknesses are, for example, SYN Flood and Smurf. Attacks aimed at faulty implementations are all attacks that work with incorrectly fragmented packets (e.g. Teardrop) or with forged sender addresses (e.g. Land). Some of these attacks, their effects and possible countermeasures are described below.
SYN Flooding
In SYN Flooding, the attacker sends, at short intervals, TCP packets with the SYN flag set and constantly changing source ports to open ports of its victim. For each of these packets the attacked computer begins to establish a TCP connection, replies to the attacker with a packet that has the SYN and ACK flags set, and then waits in vain for the confirmation of the connection establishment. Hundreds of "half-open" TCP connections remain in this state and simply consume resources (e.g. memory) of the attacked computer. This can go so far that the victim can accept no further TCP connections or crashes for lack of memory.
An appropriate countermeasure for a firewall is to monitor the number of "half-open" TCP connections that exist between two stations and to limit it. That means that if further TCP connections between these two workstations are attempted, they are blocked by the firewall.
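The following Python block is an added illustration of the countermeasure just described (it is not LCOS code and does not reflect how LANCOM implements the limit): a small connection tracker counts the half-open TCP connections between each client/server pair, refuses further SYNs from a pair once an assumed limit is reached, and ages out stale entries after an assumed timeout. The limit and timeout values, the packet record format and the sample traffic are all assumptions constructed for the example.

```python
"""Per-pair half-open TCP connection limiter (added example, not LCOS code).

Models the SYN flood countermeasure from the manual: count "half-open"
connections (SYN seen, handshake never completed) between two stations and
block further connection attempts once a limit is reached.  Limit, timeout,
packet representation and sample traffic are constructed assumptions.
"""
from collections import defaultdict

SYN = 0x02  # TCP flag bits as they appear in the TCP header
ACK = 0x10


class HalfOpenLimiter:
    def __init__(self, max_half_open=20, timeout=30.0):
        self.max_half_open = max_half_open  # assumed limit per (client, server) pair
        self.timeout = timeout              # assumed ageing time in seconds
        # (client_ip, server_ip) -> {(client_port, server_port): time of SYN}
        self.pending = defaultdict(dict)
        self.blocked = 0

    def _expire(self, key, now):
        # Drop half-open entries older than the timeout so the table cannot fill
        # up with attempts the client abandoned long ago.
        stale = [c for c, t in self.pending[key].items() if now - t > self.timeout]
        for c in stale:
            del self.pending[key][c]

    def process(self, now, src_ip, src_port, dst_ip, dst_port, flags):
        """Decide 'PASS' or 'BLOCK' for one packet seen in client-to-server direction."""
        if flags & SYN and not flags & ACK:
            # New connection attempt: count it against the pair's half-open limit.
            key = (src_ip, dst_ip)
            self._expire(key, now)
            if len(self.pending[key]) >= self.max_half_open:
                self.blocked += 1
                return "BLOCK"
            self.pending[key][(src_port, dst_port)] = now
            return "PASS"
        if flags & ACK and not flags & SYN:
            # Final ACK of the three-way handshake: connection is no longer half-open.
            self.pending[(src_ip, dst_ip)].pop((src_port, dst_port), None)
            return "PASS"
        # SYN/ACK replies from the server and all other packets are not counted.
        return "PASS"

    def half_open(self, client_ip, server_ip):
        return len(self.pending[(client_ip, server_ip)])


def run_demo():
    """Run constructed sample traffic through the limiter and return counters."""
    fw = HalfOpenLimiter(max_half_open=20)
    # Constructed sample: a legitimate client opens three connections and
    # completes each handshake, so nothing stays half-open.
    for port in (40000, 40001, 40002):
        fw.process(1.0, "10.0.0.5", port, "192.0.2.10", 80, SYN)
        fw.process(1.1, "10.0.0.5", port, "192.0.2.10", 80, ACK)
    # Constructed sample: a flooding source sends 100 SYNs with changing source
    # ports and never answers the SYN/ACK, so the handshakes stay incomplete.
    results = [
        fw.process(2.0 + i * 0.001, "198.51.100.7", 50000 + i, "192.0.2.10", 80, SYN)
        for i in range(100)
    ]
    return {
        "legit_half_open": fw.half_open("10.0.0.5", "192.0.2.10"),
        "flood_half_open": fw.half_open("198.51.100.7", "192.0.2.10"),
        "flood_passed": results.count("PASS"),
        "flood_blocked": results.count("BLOCK"),
    }


if __name__ == "__main__":
    print(run_demo())
```

In the demo the legitimate client never accumulates half-open state because its ACKs clear the entries, while the flooding source is capped at 20 pending connections and its remaining 80 SYNs are blocked; once the pending entries pass the timeout they are aged out and the pair may open connections again. A real firewall tracks both directions and also handles RST and FIN, which this example omits for brevity.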
Smurf
The Smurf attack works in two stages and paralyzes two networks at once. In the first step, a ping (ICMP Echo Request) packet with a forged sender address is sent to the broadcast address of the first network, whereupon all workstations in this network answer with an ICMP Echo Reply to the forged sender address, which is located in the second network. If the rate of incoming echo requests is high enough, as is the number of answering workstations, then the entire incoming traffic of the second network is blocked