Allied Telesis AT-S63 User Manual

Chapter 14: Denial of Service Defenses
Section II: Advanced Operations
Land Attack
In this attack, an attacker sends a bogus IP packet where the source and 
destination IP addresses are the same. This leaves the victim thinking that 
it is sending a message to itself.
The most direct approach for defending against this form of attack is for 
the AT-S63 Management Software to check the source and destination IP 
addresses in the IP packets, searching for and discarding those with 
identical source and destination addresses. However, this would require 
too much processing by the switch’s CPU and would adversely impact 
switch performance.
Instead, the switch examines the IP packets that are entering and leaving 
your network. IP packets that are generated within your network and 
contain a local IP address as the destination address are not allowed to 
leave the network, and IP packets that are generated outside the network 
but contain a local IP address as the source address are not allowed into 
the network.
In order for this defense mechanism to work, you need to specify an uplink 
port. This is the port on the switch that is connected to a device, such as a 
DSL router, that leads outside your network. You can specify only one 
uplink port.
Note
You should not use this defense mechanism on a switch that is not 
connected to a device that leads outside your network.
You also need to enter the IP address of one of your network devices as 
well as a mask which the switch uses to differentiate between the network 
portion and node portion of the address. The switch uses the IP address 
and mask to determine which IP addresses are local to your network and 
which are from outside your network.
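The two boundary rules above, modelled as an added example that is not part of the manual or the AT-S63 firmware; the port numbers, addresses, mask and function names are constructed for illustration, and the CPU-heavy direct check that the manual rejects is included only for comparison.

```python
# Added example: a model of the Land Attack defense rules described in the manual.
# Assumed values (constructed, not from the manual): local device 192.168.1.10 with
# mask 255.255.255.0, and port 1 as the single uplink port.
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.10/255.255.255.0", strict=False)  # -> 192.168.1.0/24
UPLINK_PORT = 1


def is_local(ip: str) -> bool:
    """True if the address lies in the network portion defined by address + mask."""
    return ip_address(ip) in LOCAL_NET


def direct_land_check(src: str, dst: str) -> bool:
    """The per-packet check the manual rejects as too expensive: source == destination."""
    return ip_address(src) == ip_address(dst)


def land_defense(ingress_port: int, egress_port: int, src: str, dst: str) -> str:
    """Apply the switch's boundary rules to one IP packet; returns "forward" or "drop".

    Only packets that cross the uplink port are examined.  egress_port stands for
    the port on which the destination MAC address was learned.
    """
    leaving = egress_port == UPLINK_PORT and ingress_port != UPLINK_PORT
    entering = ingress_port == UPLINK_PORT
    # Rule 1: a packet generated inside the network whose destination is a local
    # address is not allowed to leave through the uplink port.
    if leaving and is_local(dst):
        return "drop"
    # Rule 2: a packet arriving from outside that claims a local source address
    # is not allowed into the network.
    if entering and is_local(src):
        return "drop"
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets: (ingress port, egress port, src, dst)
    samples = [
        (4, 1, "192.168.1.10", "192.168.1.10"),  # land packet heading out: drop
        (4, 1, "192.168.1.10", "198.51.100.7"),  # normal outbound: forward
        (1, 4, "192.168.1.50", "192.168.1.10"),  # spoofed local source from outside: drop
        (1, 4, "203.0.113.5", "192.168.1.10"),   # legitimate inbound: forward
    ]
    for pkt in samples:
        print(pkt, "->", land_defense(*pkt), "| direct check:", direct_land_check(pkt[2], pkt[3]))
```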
The following is an overview of how the process works. This example 
assumes that you have activated the feature on port 4, which is connected 
to a device local to your network, and that you specified port 1 as the 
uplink port, which is connected to the device that leads outside your 
network. The steps below review what happens when an ingress IP 
packet from the local device arrives on port 4:
1. When port 4 receives an ingress IP packet with a destination MAC 
address learned on uplink port 1, it examines the packet’s source IP 
address.