Allied Telesis AT-S63 User Manual

Chapter 14: Denial of Service Defenses
168
Section II: Advanced Operations
Teardrop Attack
An attacker sends an IP packet to a victim in several fragments, with a bogus offset value (the field used to reassemble the packet) in one of the fragments. Because of the bogus offset value, the victim is unable to reassemble the packet, which may cause it to freeze.
When this defense is enabled, all ingress fragmented IP traffic received on a port is sent to the switch's CPU. The CPU samples related, consecutive fragments and checks for fragments with invalid offset values.
If one is found, the following occurs:
• The switch sends an SNMP trap to the management stations.
• The switch port is blocked for one minute.
Because the CPU only samples the ingress IP traffic, this defense mechanism may not catch all occurrences of this form of attack.
Caution
This defense is extremely CPU intensive; use with caution. Unrestricted use can cause a switch to halt operations if the CPU becomes overwhelmed with IP traffic. To prevent this, Allied Telesis recommends activating this defense on only the uplink port and one other switch port at a time.