[Dr.WoW] [No.13] Single-Packet Attack and Defense Highlighted

Latest reply: May 20, 2015 05:51:45

1 DoS Attack

In the previous two chapters, we learned that the major function of a firewall is to protect a particular network from attacks from an untrusted network. In this chapter, we will learn about common single-packet, traffic-based, and application-layer attacks and the defensive measures of the firewall.

First, let's look back at the recent evolution of attacks. In the 1990s, the Internet was growing fast, and so were attacks, which had gone from labs to the Internet. However, a fox can be out-foxed. Although attack techniques are evolving, so are defense measures, as shown in Figure 1-1.
Figure 1-1 Evolution of attack and defense techniques


When we talk about "network attacks", we can never forget to mention denial of service (DoS) attacks. As the name suggests, the purpose of a DoS attack is to make the target computer or network unable to provide normal services.

Then what does "denial of service" really mean? Let's say there is a diner on the street providing meals, but some villains often make trouble in the diner, such as occupying dining tables, blocking the door, or harassing waiters, waitresses, or chefs so that customers cannot enjoy the food of the diner. This is "denial of service."

The computers and servers on the Internet are like the diners and provide resources and services. To launch a DoS attack, attackers can exhaust the resources of the computers and servers or the bandwidth of the links to them.

2 Single-Packet Attack and Defense

A single-packet attack is a common type of DoS attack and is usually launched by individuals using simple attack packets. Such attacks may cause severe impacts, but can be easily prevented if we know the attack signature.
We divide single-packet attacks into three types, as shown in Figure 1-2.
Figure 1-2 Types of single-packet attacks



  • Malformed packet attack: Attackers send malformed packets. The target systems may crash if they cannot process such packets.

  • Scanning attack: To be accurate, scanning attacks are not really attacks, but reconnaissance activities for attacks.

  • Attacks using special control messages: To be accurate, such attacks are not really attacks, but reconnaissance activities for attacks. They use special control messages to probe network structures.

Preventing single-packet attacks is a basic function of firewalls. All Huawei firewalls support this function. Now let's see how Huawei firewalls prevent typical single-packet attacks.

2.1 Ping of Death Attack and Defense

The length field of an IP packet has 16 bits, which means that the maximum length of an IP packet is 65535 bytes. Some old versions of operating systems have restrictions on packet size. If a packet is larger than 65535 bytes, a memory allocation error occurs, and the receiving system crashes. The ping of death attack is launched by sending packets larger than 65535 bytes to target hosts to crash them.

To prevent such attacks, the firewall checks the size of packets. If a packet is larger than 65535 bytes, the firewall considers it an attack packet and discards it.

2.2 LAND Attack and Defense

In a local area network denial (LAND) attack, the attacker sends spoofed TCP packets with the target host's IP address as both the source and destination. This causes the victim to reply to itself continuously, which exhausts its system resources.

To prevent LAND attacks, firewalls check the source and destination addresses of TCP packets and discard the packets if the source and destination addresses are the same or the source addresses are loopback addresses.
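The two checks from sections 2.1 and 2.2, written out as an added Python example; this is not Huawei firewall code. It goes one step beyond the text: a single IP header cannot declare more than 65535 bytes, so the oversize check is applied to a fragment's offset plus its length. The function names and sample headers are constructed for illustration.

```python
import ipaddress
import struct

MAX_IP_DATAGRAM = 65535   # largest value the 16-bit Total Length field can hold
IPPROTO_TCP = 6
HDR = "!BBHHHBBH4s4s"     # fixed 20-byte IPv4 header, network byte order

def build_header(src, dst, proto, payload_len, frag_units=0):
    """Build a 20-byte IPv4 header for the constructed samples (checksum left at 0)."""
    return struct.pack(HDR, 0x45, 0, 20 + payload_len, 0, frag_units & 0x1FFF, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def classify(header: bytes) -> str:
    """Return 'malformed', 'ping-of-death', 'land' or 'pass' for one IPv4 header."""
    if len(header) < 20:
        return "malformed"
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        HDR, header[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return "malformed"
    # Fragment offset counts 8-byte units; this is where the fragment's data
    # would end in the reassembled datagram.
    data_end = (flags_frag & 0x1FFF) * 8 + (total_len - ihl)
    if ihl + data_end > MAX_IP_DATAGRAM:
        return "ping-of-death"
    # LAND rule from section 2.2: TCP with source == destination, or a loopback source.
    if proto == IPPROTO_TCP and (src == dst or ipaddress.IPv4Address(src).is_loopback):
        return "land"
    return "pass"

# Constructed headers using documentation addresses; not captured traffic.
SAMPLES = {
    "normal ping":        build_header("192.0.2.10", "198.51.100.5", 1, 64),
    "max-size last frag": build_header("192.0.2.10", "198.51.100.5", 1, 3, frag_units=8189),
    "oversize last frag": build_header("192.0.2.10", "198.51.100.5", 1, 100, frag_units=8189),
    "tcp src == dst":     build_header("198.51.100.5", "198.51.100.5", 6, 20),
    "tcp loopback src":   build_header("127.0.0.1", "198.51.100.5", 6, 20),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:20} -> {classify(hdr)}")
```

The "max-size last frag" sample ends exactly at byte 65535 and passes; the boundary is strict, so only data that would extend past it is classified as an attack.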

2.3 IP Scanning

An attacker uses ICMP packets (such as ping or Tracert commands) or TCP/UDP packets to initiate connections to certain IP addresses to check whether the targets reply. In this way, the attacker can determine whether these hosts are live on the network.

IP scanning does not have direct impacts, but is a reconnaissance method that gathers information for later attacks. However, firewalls will not ignore IP scanning.

Firewalls inspect TCP, UDP, and ICMP packets. If the destination address of a packet sent from a source address is different from that of the previous packet, the exception count increases by 1. When the exception count reaches the predefined threshold, the firewalls consider that the source IP address is performing IP scanning. Then, the firewalls blacklist the source IP address and discard subsequent packets from the source.
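The counting rule above as an added Python sketch; this is not Huawei firewall code. The class name, the default threshold and the time window that resets the counter are assumptions, and the traffic is constructed. The third sample shows a tuning caveat: because the rule counts destination changes, one host alternating between two servers trips it as quickly as a real sweep.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SourceState:
    window_start: float
    last_dst: Optional[str] = None
    changes: int = 0          # the "exception count" from the text

class SweepDetector:
    """Per-source destination-change counter, as described in section 2.3."""
    def __init__(self, threshold=5, window=1.0):
        self.threshold = threshold   # changes that trigger blacklisting
        self.window = window         # assumption: counter resets every `window` seconds
        self.sources = {}
        self.blacklist = set()

    def process(self, ts, src, dst):
        if src in self.blacklist:
            return "drop"                        # subsequent packets are discarded
        st = self.sources.setdefault(src, SourceState(window_start=ts))
        if ts - st.window_start >= self.window:
            st.window_start, st.changes = ts, 0
        if st.last_dst is not None and dst != st.last_dst:
            st.changes += 1
        st.last_dst = dst
        if st.changes >= self.threshold:
            self.blacklist.add(src)
            return "blacklisted"                 # the packet that reached the threshold
        return "forward"

def run(packets, **kwargs):
    """Feed (timestamp, src, dst) tuples through a fresh detector."""
    det = SweepDetector(**kwargs)
    return [det.process(*p) for p in packets], det.blacklist

# Constructed traffic using documentation addresses; not captured data.
SWEEP = [(i * 0.01, "203.0.113.7", f"198.51.100.{i + 1}") for i in range(8)]
STEADY = [(i * 0.01, "192.0.2.10", "198.51.100.53") for i in range(8)]
# One host alternating between two servers: every packet counts as a change.
ALTERNATING = [(i * 0.01, "192.0.2.20", ("198.51.100.53", "198.51.100.80")[i % 2])
               for i in range(8)]

if __name__ == "__main__":
    for name, pkts in (("sweep", SWEEP), ("steady", STEADY), ("alternating", ALTERNATING)):
        verdicts, blocked = run(pkts)
        print(f"{name:12} {verdicts} blacklist={sorted(blocked)}")
```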

From these single-packet attacks and the defense mechanisms, we can see that single-packet attacks demonstrate noticeable signatures. Therefore, we can prevent these attacks as long as we identify their signatures.

2.4 Recommended Configurations for Preventing Single-Packet Attacks

Firewalls have a lot of defense functions to prevent single-packet attacks. However, in real networks, which functions should be enabled and which should not? This question must have been bugging us for a long time. To tackle this, some recommended configurations are provided as follows:

As shown in Figure 1-3, the recommended configurations allow firewalls to prevent single-packet attacks without compromising performance in real-world networks. The scanning attack defense functions are resource-intensive. Therefore, you are advised to enable these functions only when scanning attacks occur.
Figure 1-3 Recommended configurations for preventing single-packet attacks


Using USG9500 V300R001 as an example, Table 1-1 lists the commands that enable defense functions against common single-packet attacks.

Table 1-1 Commands for enabling defense functions against single-packet attacks

| Function | Command |
|---|---|
| Enable Smurf attack defense. | firewall defend smurf enable |
| Enable LAND attack defense. | firewall defend land enable |
| Enable Fraggle attack defense. | firewall defend fraggle enable |
| Enable WinNuke attack defense. | firewall defend winnuke enable |
| Enable ping of death attack defense. | firewall defend ping-of-death enable |
| Enable defense against attacks launched through IP packets with the timestamp option set. | firewall defend time-stamp enable |
| Enable defense against attacks launched through IP packets with the record route option set. | firewall defend route-record enable |


Actually, single-packet attacks are only a small fraction of network attacks. The most common and troublesome network attacks are traffic-based attacks (such as SYN and UDP floods) and application-layer attacks (such as HTTP and DNS floods), which will be described in the following sections.





Created May 20, 2015 05:51:45

Thank you.