Single-packet attacks

Single-packet attacks are also known as malformed packet attacks. An attacker typically launches single-packet attacks by using the following methods:

Table 22 lists the single-packet attack types that the device can detect and prevent.

Table 22: Types of single-packet attacks

Single-packet attack

Description

ICMP redirect

An attacker sends ICMP redirect messages to modify the victim's routing table. The victim cannot forward packets correctly.

ICMP destination unreachable

An attacker sends ICMP destination unreachable messages to cut off the connections between the victim and its destinations.

ICMP type

A receiver responds to an ICMP packet according to its type. An attacker sends forged ICMP packets of a specific type to affect the packet processing of the victim.

ICMPv6 type

A receiver responds to an ICMPv6 packet according to its type. An attacker sends forged ICMPv6 packets of specific types to affect the packet processing of the victim.

Land

An attacker sends the victim a large number of TCP SYN packets, which contain the victim's IP address as the source and destination IP addresses. This attack exhausts the half-open connection resources on the victim, and locks the victim's system.

Large ICMP packet

An attacker sends large ICMP packets to crash the victim. Large ICMP packets can cause memory allocation error and crash the protocol stack.

Large ICMPv6 packet

An attacker sends large ICMPv6 packets to crash the victim. Large ICMPv6 packets can cause memory allocation error and crash the protocol stack.

IP options

An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets.

IP fragment

An attacker sends the victim an IP datagram with an offset smaller than 5, which causes the victim to malfunction or crash.

IP impossible packet

An attacker sends IP packets whose source IP address is the same as the destination IP address, which causes the victim to malfunction.

Tiny fragment

An attacker makes the fragment size small enough to force Layer 4 header fields into the second fragment. These fragments can pass the packet filtering because they do not hit any match.

Smurf

An attacker broadcasts an ICMP echo request to target networks. These requests contain the victim's IP address as the source IP address. Every receiver on the target networks will send an ICMP echo reply to the victim. The victim will be flooded with replies, and will be unable to provide services. Network congestion might occur.

TCP flag

An attacker sends packets with defective TCP flags to probe the operating system of the target host. Different operating systems process unconventional TCP flags differently. The target system will break down if it processes this type of packets incorrectly.

Traceroute

An attacker uses traceroute tools to probe the topology of the victim network.

WinNuke

An attacker sends Out-Of-Band (OOB) data to the TCP port 139 (NetBIOS) on the victim that runs Windows system. The malicious packets contain an illegal Urgent Pointer, which causes the victim's operating system to crash.

UDP bomb

An attacker sends a malformed UDP packet. The length value in the IP header is larger than the IP header length plus the length value in the UDP header. When the target system processes the packet, a buffer overflow can occur, which causes a system crash.

UDP Snork

An attacker sends a UDP packet with destination port 135 (the Microsoft location service) and source port 135, 7, or 19. This attack causes an NT system to exhaust its CPU.

UDP Fraggle

An attacker sends a large number of chargen packets with source UDP port 7 and destination UDP port 19 to a network. These packets use the victim's IP address as the source IP address. Replies will flood the victim, resulting in DoS.

Teardrop

An attacker sends a stream of overlapping fragments. The victim will crash when it tries to reassemble the overlapping fragments.

Ping of death

An attacker sends the victim an ICMP echo request larger than 65535 bytes that violates the IP protocol. When the victim reassembles the packet, a buffer overflow can occur, which causes a system crash.