Alcatel-Lucent 6850-48 Network Guide

Configuring IP
IP Configuration
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 24-23
IP-Directed Broadcasts
An IP directed broadcast is an IP datagram whose destination address has all ones (or, in the older form, all zeros) in the host portion. The packet is sent to the broadcast address of a subnet to which the sender is not directly attached, so a router must forward it before it is flooded onto that subnet. Directed broadcasts are used in denial-of-service "smurf" attacks. In a smurf attack, a continuous stream of ICMP echo (ping) requests with a forged source address is sent to a directed broadcast address; every host on the target subnet replies, and the resulting stream of replies can overload the host that owns the forged source address. By default, the switch drops directed broadcasts. Typically, directed broadcasts should be left disabled.
Use the ip directed-broadcast command to enable or disable IP-directed broadcasts. For example:
-> ip directed-broadcast off
Use the corresponding show command to display the IP-directed broadcast state.
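The forwarding decision the text describes, as an added example that is not OmniSwitch code: a router classifies a destination as a local broadcast, a directed broadcast (broadcast address of an attached subnet the sender is not on), or unicast, and drops directed broadcasts unless the feature is enabled. The interface names, subnets and function names are constructed for illustration; the "all zeros" form is treated as the subnet's network address, which is only meaningful for prefixes shorter than /31.

```python
"""Directed-broadcast handling modelled on the behaviour described above.
Added example, not OmniSwitch code; interfaces and addresses are constructed."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Optional

# Hypothetical routed VLAN interfaces: interface name -> attached subnet
INTERFACES: Dict[str, IPv4Network] = {
    "vlan10": IPv4Network("10.1.10.0/24"),
    "vlan20": IPv4Network("10.1.20.0/24"),
}

LIMITED_BROADCAST = IPv4Address("255.255.255.255")


def broadcast_target(dst: IPv4Address) -> Optional[str]:
    """Name the attached subnet whose broadcast address (host part all ones,
    or the legacy all-zeros form) equals dst; None if dst is not a broadcast."""
    for name, net in INTERFACES.items():
        if dst in (net.broadcast_address, net.network_address):
            return name
    return None


def classify(dst: str, ingress: str) -> str:
    """Classify a destination address for a packet received on `ingress`."""
    d = IPv4Address(dst)
    if d == LIMITED_BROADCAST:
        return "limited-broadcast"   # 255.255.255.255 is never routed
    target = broadcast_target(d)
    if target is None:
        return "unicast"
    if target == ingress:
        return "local-broadcast"     # sender is attached to the subnet it broadcasts to
    return "directed-broadcast"      # broadcast for a subnet the sender is not on


def forward_decision(dst: str, ingress: str, directed_broadcast_on: bool = False) -> str:
    """Forwarding action. directed_broadcast_on=False mirrors the default
    'ip directed-broadcast off'; True mirrors enabling the feature."""
    kind = classify(dst, ingress)
    if kind == "unicast":
        return "route"
    if kind == "directed-broadcast":
        if directed_broadcast_on:
            return "flood-" + str(broadcast_target(IPv4Address(dst)))
        return "drop"
    return "deliver-local"           # local or limited broadcast stays on ingress


def smurf_responders(interface: str) -> int:
    """Upper bound on hosts that answer one echo request flooded onto the
    interface's subnet, i.e. the amplification a smurf attacker obtains."""
    return INTERFACES[interface].num_addresses - 2   # minus network and broadcast


if __name__ == "__main__":
    # A host on vlan10 pings the broadcast address of vlan20
    print(classify("10.1.20.255", "vlan10"), forward_decision("10.1.20.255", "vlan10"))
    print("responders if enabled:", smurf_responders("vlan20"))
```

With the default setting the packet aimed at 10.1.20.255 from vlan10 is dropped; enabling directed broadcasts would flood it to every host on vlan20, each of which answers the forged source.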
Denial of Service (DoS) Filtering
By default, the switch filters denial of service (DoS) attacks, which are security attacks aimed at devices that are reachable on a private network or the Internet. Some of these attacks exploit system bugs or vulnerabilities (for example, teardrop attacks), while others generate large volumes of traffic so that network service is denied to legitimate users (for example, pepsi attacks). These attacks include the following:
• ICMP Ping of Death—Ping packets that exceed the largest IP datagram size (65535 bytes) are sent to a host and hang or crash the system. Because the IP total length field cannot express more than 65535 bytes, the oversized datagram is delivered as fragments whose offsets and lengths add up to more than the receiver's reassembly buffer.
• SYN Attack—Floods a system with a series of TCP SYN packets, resulting in the host issuing SYN-ACK responses. The half-open TCP connections can exhaust TCP resources, such that no other TCP connections are accepted.
• Land Attack—Spoofed packets are sent with the SYN flag set, and with the source address and port equal to the destination address and port, to any open port on which the host is listening. The machine may hang or reboot in an attempt to respond to itself.
• Teardrop/Bonk/Boink Attacks—Bonk, boink, and teardrop attacks generate overlapping IP fragments to exploit IP stack reassembly vulnerabilities. If received fragments overlap in the way those attacks generate them, an attack is recorded. Since teardrop, bonk, and boink all use the same IP fragmentation mechanism, there is no distinction between detection of these attacks. Old IP fragments in the fragmentation queue are also reaped once the reassembly queue grows above a certain size.
• Pepsi Attack—The most common form of UDP flooding directed at harming networks. A pepsi attack consists of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. This can cause network devices to use up a large amount of CPU time responding to these packets.
• ARP Flood Attack—Floods a switch with a large number of ARP requests, resulting in the switch using a large amount of CPU time to respond to these requests. If the number of ARP requests exceeds the preset value of 500 per second, an attack is detected.
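The detection criteria listed above, run over constructed packet records, as an added example that is not the switch's implementation: only the signatures for which the list gives a concrete criterion are implemented (reassembled size over 65535 bytes for Ping of Death, SYN with source equal to destination for Land, overlapping fragments for teardrop/bonk/boink, and more than 500 ARP requests in one second). The packet record, the detector class, the reassembly-queue cap of 64 groups and the sample traffic are all assumptions made for illustration; the page gives no threshold for SYN or pepsi floods, so those are not modelled.

```python
"""DoS signature checks modelled on the list above. Added example, not
OmniSwitch code; packet layout, class names and traffic are constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535   # largest IP datagram, from the Ping of Death entry
ARP_RATE_LIMIT = 500      # ARP requests per second, from the ARP flood entry
MAX_QUEUED_GROUPS = 64    # reassembly-queue size at which old groups are reaped (assumed)


@dataclass
class Pkt:
    ts: float                   # arrival time in seconds
    proto: str                  # "icmp", "tcp", "udp" or "arp"
    src: str
    dst: str
    ip_id: int = 0              # IP identification field (fragment group)
    frag_offset: int = 0        # fragment offset in bytes (header value * 8)
    payload_len: int = 0        # IP payload bytes carried by this packet
    more_fragments: bool = False
    syn: bool = False


class DosDetector:
    def __init__(self) -> None:
        # (src, dst, ip_id) -> byte ranges (start, end) already queued for reassembly
        self.frag_queue: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = {}
        self.arp_times: Deque[float] = deque()   # ARP arrivals in the last second

    def inspect(self, p: Pkt) -> Optional[str]:
        """Return the matched attack name, or None for ordinary traffic."""
        if p.proto == "arp":
            return self._arp_flood(p.ts)
        if p.proto == "tcp" and p.syn and p.src == p.dst:
            return "land"                       # SYN whose source is the target itself
        if p.frag_offset or p.more_fragments:
            return self._fragment_check(p)
        return None

    def _fragment_check(self, p: Pkt) -> Optional[str]:
        end = p.frag_offset + p.payload_len
        if end > MAX_IP_DATAGRAM:
            # Reassembled datagram would exceed 65535 bytes: Ping of Death when ICMP
            return "ping-of-death" if p.proto == "icmp" else "oversized-datagram"
        key = (p.src, p.dst, p.ip_id)
        ranges = self.frag_queue.setdefault(key, [])
        for start, stop in ranges:
            if p.frag_offset < stop and end > start:
                return "teardrop"               # overlaps a fragment already queued
        ranges.append((p.frag_offset, end))
        if not p.more_fragments:
            del self.frag_queue[key]            # last fragment: group is complete
        elif len(self.frag_queue) > MAX_QUEUED_GROUPS:
            del self.frag_queue[next(iter(self.frag_queue))]   # reap the oldest group
        return None

    def _arp_flood(self, ts: float) -> Optional[str]:
        self.arp_times.append(ts)
        while ts - self.arp_times[0] >= 1.0:    # one-second sliding window
            self.arp_times.popleft()
        return "arp-flood" if len(self.arp_times) > ARP_RATE_LIMIT else None


def sample_traffic() -> List[Pkt]:
    """Constructed traffic: a benign fragment pair, one Land SYN, one Ping of
    Death fragment, a teardrop pair, then 501 ARP requests within half a second."""
    pkts = [
        Pkt(1.0, "udp", "10.1.10.5", "10.1.20.9", ip_id=8, payload_len=1480, more_fragments=True),
        Pkt(1.0, "udp", "10.1.10.5", "10.1.20.9", ip_id=8, frag_offset=1480, payload_len=100),
        Pkt(2.0, "tcp", "10.1.20.9", "10.1.20.9", syn=True),
        Pkt(3.0, "icmp", "10.1.10.5", "10.1.20.9", ip_id=9, frag_offset=65528, payload_len=100),
        Pkt(4.0, "udp", "10.1.10.5", "10.1.20.9", ip_id=7, payload_len=36, more_fragments=True),
        Pkt(4.0, "udp", "10.1.10.5", "10.1.20.9", ip_id=7, frag_offset=24, payload_len=20),
    ]
    pkts += [Pkt(10.0 + i / 1000, "arp", "10.1.10.77", "10.1.10.1") for i in range(501)]
    return pkts


def run(packets: List[Pkt]) -> List[Tuple[float, str]]:
    """Feed packets through one detector and return (timestamp, attack) hits."""
    det = DosDetector()
    hits: List[Tuple[float, str]] = []
    for p in packets:
        verdict = det.inspect(p)
        if verdict:
            hits.append((p.ts, verdict))
    return hits


if __name__ == "__main__":
    for ts, name in run(sample_traffic()):
        print(f"t={ts:.3f}s {name}")
```

The benign fragment pair produces no hit because its second fragment starts exactly where the first ends; the teardrop pair is flagged on the second fragment because its offset falls inside the first. The ARP check fires on the 501st request inside the window, matching the 500-per-second threshold in the text.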