Typical Examples of Network Attacks

abrahim  Diamond  (1)
7 years 10 months ago  View: 1442  Reply: 2
1F

Attacks on the current network are classified into the following groups:

  • IP spoofing attacks

    To access a network, an intruder generates a packet carrying a bogus source address that can make an unauthorized user access the system by applying the IP authentication even in the root authority. In this way, the system can also be destroyed even though the response packet does not reach the system. This is the IP spoofing attack.

  • Land attacks

    Land attacks are to configure both the source address and the destination address of the TCP SYN packet to the IP address of the attack target. Thus, the target sends the SYN-ACK messages to itself and then returns the ACK messages to itself, and then creates a null connection. Each null connection is saved till it is disconnected because of timeout. Different types of attack targets respond differently to Land attacks. For example, many UNIX hosts crash and Windows NT hosts slow down.

  • Smurf attacks

    A simple Smurf attack is to attack a network by sending an ICMP request to the broadcast address of the target network. All the hosts on the network respond to the request, which generates 10 or 100 times more traffic than large ping packets do. Network congestion thus occurs. The advanced Smurf attack is mainly used to attack the target host by configuring the source address of the ICMP packet to the address of the target host so as to make the host crash completely.

    An advanced Smurf attack is to attack a host by sending an ICMP request from the address of the target host. As a result, the host crashes. It takes certain traffic and duration to send the attack packets to perform the attacks. Theoretically, the larger the number of hosts is, the more obvious the effect will be. Another new form of the Smurf attack is the Fraggle attack.

  • WinNuke attacks

    WinNuke attacks are to cause a NetBIOS fragment overlap by sending Out-Of-Band (OOB) data packets to the NetBIOS port (139) of the specified target installed with the Windows system so as to make the target host crash. Internet Group Management Protocol (IGMP) fragment packets also exist. Because IGMP packets cannot be fragmented generally, systems usually fail to process the IGMP fragment packets. When the system receives IGMP fragment packets, you can assume that there is an attack.

  • SYN flood attacks

    Because of limited resources, TCP/IP stacks only permit a restricted number of TCP connections. Based on the above disadvantage, the SYN Flood attack forges a SYN packet whose source address is a bogus or non-existent address and initiates a connection to the server. Accordingly, the server will not receive the ACK packet for its SYN-ACK packet, which forms a semi-connection. A large number of semi-connections will exhaust the network resources. As a result, valid users cannot access the network until the semi-connections time out. The SYN Flood attack also takes effect in applications in which the number of connections is not limited but which exhaust system resources such as memory.

  • ICMP flood attacks

    ICMP flood attacks are to send a large number of ICMP messages (such as ping) to the specific server to occupy its link bandwidth. In this way, the server cannot provide services for the Internet due to overload.

  • UDP flood attacks

    Attackers send many UDP packets to the server to occupy its link bandwidth. In this way, the server cannot provide services for the Internet properly due to overload.

  • IP sweeping or port scanning attacks

    IP sweeping or port scanning attacks are to detect the target address and port by using scanning tools. The active system connects to the target network if it receives responses from the system and the port through which the host provides services.

  • Ping of death attacks

    Ping of death attacks are to attack the system by using large ICMP packets. The field length of an IP packet is 16 bits, which means that the maximum length of an IP packet is 65535 bytes. Therefore, if the data length of an ICMP request packet is larger than 65507, the entire length of the ICMP packet (ICMP data + IP header 20 + ICMP header 8) is larger than 65535, which may make some routers or systems crash, stop, or restart. This is the ping of death attack.

  • TCP connection flood attacks

    TCP connection flood attacks are a type of DDoS attack. Attackers send a large number of requests to the attacked server. A large number of links are generated; therefore, the attacked server cannot process the requests from legal users.

  • GET flood attacks

    Attackers send a large number of GET and POST packets to the attacked server. The attacked server breaks down and cannot process the legal packets.

  • DNS flood attacks

    DNS flood attacks are a type of DDoS attack. Attackers send a large number of query packets to the Domain Name Server (DNS) within a short time. Therefore, the server has to respond to all the query requests. As a result, the DNS cannot provide services for legal users.

  • ARP attacks

    Common ARP attacks include ARP spoofing attacks and ARP Flood attacks.

    • ARP spoofing attacks: The attacker sends a large number of spoofed ARP request and response packets to attack network devices. ARP spoofing attacks mainly include ARP buffer overflow attacks and ARP DDoS attacks.
    • ARP Flood attacks (ARP scanning attacks): When the attacker scans hosts in its own network segment or across network segments, the Eudemon 1000E checks the ARP entry before sending the response message. If the MAC address of the destination IP address does not exist, the ARP module of the Eudemon 1000E sends the ARP Miss message to the upper layer software, asking the upper layer software to send an ARP request message to obtain the MAC address. Massive scanning packets induce massive ARP Miss messages. As a result, the Eudemon 1000E uses a lot of its resources to handle the ARP Miss messages and thus cannot process other services properly. In this way, scanning attacks are launched.
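
Several of the attacks in the post above (Land, Smurf, ping of death, IGMP fragments) can be recognised from a single packet's headers. The following detection sketch is an added example, not part of the original post or any vendor's code; the protected subnet, the label names and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: subnet being defended
IP_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header

def build_ipv4(src, dst, proto, payload, frag_units=0, more_frags=False):
    """Constructed test packet: IPv4 header (checksum left at 0) plus payload."""
    flags_frag = (0x2000 if more_frags else 0) | frag_units
    return struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 1, flags_frag, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def classify(pkt):
    """Return the labels of the malformed-packet attacks this packet matches."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        IP_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_off = (flags_frag & 0x1FFF) * 8  # offset field counts 8-byte units
    more_frags = bool(flags_frag & 0x2000)
    body = pkt[ihl:]
    hits = set()
    # Land: TCP SYN whose source and destination addresses are identical.
    if proto == 6 and frag_off == 0 and src == dst and len(body) > 13 and body[13] & 0x02:
        hits.add("land")
    # Smurf: ICMP echo request (type 8) sent to the subnet's broadcast address.
    if (proto == 1 and frag_off == 0 and body[:1] == b"\x08"
            and ipaddress.ip_address(dst) == PROTECTED_NET.broadcast_address):
        hits.add("smurf")
    # Ping of death: ICMP fragment whose end would pass the 65535-byte IP limit.
    if proto == 1 and frag_off + total_len > 65535:
        hits.add("ping-of-death")
    # IGMP is not normally fragmented, so any IGMP fragment is suspicious.
    if proto == 2 and (more_frags or frag_off):
        hits.add("igmp-fragment")
    return hits

# Constructed samples (documentation address ranges, not captured traffic).
TCP_SYN = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
ECHO = b"\x08\x00" + bytes(6)
SAMPLES = {
    "land": build_ipv4("192.0.2.10", "192.0.2.10", 6, TCP_SYN),
    "smurf": build_ipv4("198.51.100.7", "192.0.2.255", 1, ECHO),
    "ping-of-death": build_ipv4("198.51.100.7", "192.0.2.10", 1, bytes(100), frag_units=8189),
    "igmp-fragment": build_ipv4("198.51.100.7", "224.0.0.1", 2, bytes(8), more_frags=True),
    "benign": build_ipv4("198.51.100.7", "192.0.2.10", 1, ECHO),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:15} -> {sorted(classify(pkt)) or 'clean'}")
```

The flood-type attacks in the list (SYN, ICMP, UDP, GET, DNS, ARP) cannot be identified from one packet and need rate counting per source or destination instead.
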
Armetta  Diamond 
7 years 10 months ago
2F
Useful Information

user_2837311  Diamond 
3 years 11 months ago
3F
useful document, thanks