McAfee firewall 4.0 Manual De Usuario
Product Guide
45
McAfee Firewall’s Intrusion Detection System
Common attacks recognized by IDS
The following table lists attacks recognized by McAfee Firewall’s IDS, a
description of each attack, and the risk factor assigned to each attack.
description of each attack, and the risk factor assigned to each attack.
Attack
Description
Risk
Factor
1234
Also known as the Flushot attack, an attacker sends an oversize ping
packet that networking software can not handle. Usually, computers hang
or slow down. If a total lockup occurs, unsaved data may be lost.
packet that networking software can not handle. Usually, computers hang
or slow down. If a total lockup occurs, unsaved data may be lost.
Medium
Back Orifice
Back Orifice is a back door program for Windows 9x written by a group
calling themselves the Cult of the Dead Cow. This back door allows
remote access to the machine once installed, allowing the installer to run
commands, get screen shots, modify the registry, and perform other
operations. Client programs to access Back Orifice are available for
Windows and UNIX.
calling themselves the Cult of the Dead Cow. This back door allows
remote access to the machine once installed, allowing the installer to run
commands, get screen shots, modify the registry, and perform other
operations. Client programs to access Back Orifice are available for
Windows and UNIX.
High
Bonk
Designed to exploit an implementation error in the first Teardrop patch
released by Microsoft, this attack is basically a Windows-specific variant of
the original Teardrop attack.
released by Microsoft, this attack is basically a Windows-specific variant of
the original Teardrop attack.
High
Fraggle
This attack is a UDP variant of the Smurf attack. By sending a forged UDP
packet to a particular port on a broadcast address, systems on the
“amplifier” network will respond to the target machine with either a UDP
response or an ICMP UNREACHABLE packet. This flood of incoming
packets results in a denial of service attack against the target machine.
packet to a particular port on a broadcast address, systems on the
“amplifier” network will respond to the target machine with either a UDP
response or an ICMP UNREACHABLE packet. This flood of incoming
packets results in a denial of service attack against the target machine.
High
IP Spoofing
IP spoofing involves sending data with a falsified return IP address. There
is nothing inherently dangerous about spoofing a source IP address, but
this technique can be used in conjunction with others to carry out attacks
TCP session hijacking, or to obscure the source of denial of service
attacks (SYN flood, PING flood, etc.).
is nothing inherently dangerous about spoofing a source IP address, but
this technique can be used in conjunction with others to carry out attacks
TCP session hijacking, or to obscure the source of denial of service
attacks (SYN flood, PING flood, etc.).
Medium
Jolt
A remote denial of service attack using specially crafted ICMP packet
fragments. May cause slowdowns or crashes on target systems.
fragments. May cause slowdowns or crashes on target systems.
High
Jolt 2
A remote Denial of Service (DoS) attack similar to Jolt that uses specially
crafted ICMP or UDP packet fragments. May cause slowdowns or crashes
on target systems.
crafted ICMP or UDP packet fragments. May cause slowdowns or crashes
on target systems.
High
Land
This attack is performed by sending a TCP packet to a running service on
the target host, with a source address of the same host. The TCP packet
is a SYN packet, used to establish a new connection, and is sent from the
same TCP source port as the destination port. When accepted by the
target host, this packet causes a loop within the operating system,
essentially locking up the system.
the target host, with a source address of the same host. The TCP packet
is a SYN packet, used to establish a new connection, and is sent from the
same TCP source port as the destination port. When accepted by the
target host, this packet causes a loop within the operating system,
essentially locking up the system.
High
Nestea
This attack relies on an error in calculating sizes during packet fragment
reassembly. In the reassembly routine of vulnerable systems, there was a
failure to account for the length of the IP header field. By sending carefully
crafted packets to a vulnerable system, it is possible to crash the target.
reassembly. In the reassembly routine of vulnerable systems, there was a
failure to account for the length of the IP header field. By sending carefully
crafted packets to a vulnerable system, it is possible to crash the target.
High