Single-packet attacks
Single-packet attacks are also known as malformed packet attacks. An attacker typically launches single-packet attacks by using the following methods:
An attacker sends defective packets to a device, which causes the device to malfunction or crash.
An attacker sends normal packets to a device, which interrupts connections or probes network topologies.
An attacker sends a large number of forged packets to a target device, which consumes network bandwidth and causes denial of service (DoS).
Table 31 lists the single-packet attack types that the device can detect and prevent.
Table 31: Types of single-packet attacks
Single-packet attack | Description |
|---|---|
ICMP redirect | An attacker sends ICMP redirect messages to modify the victim's routing table. The victim cannot forward packets correctly. |
ICMP destination unreachable | An attacker sends ICMP destination unreachable messages to cut off the connections between the victim and its destinations. |
ICMP type | A receiver responds to an ICMP packet according to its type. An attacker sends forged ICMP packets of a specific type to affect the packet processing of the victim. |
ICMPv6 type | A receiver responds to an ICMPv6 packet according to its type. An attacker sends forged ICMPv6 packets of specific types to affect the packet processing of the victim. |
Land | An attacker sends the victim a large number of TCP SYN packets, which contain the victim's IP address as the source and destination IP addresses. This attack exhausts the half-open connection resources on the victim, and locks the victim's system. |
Large ICMP packet | An attacker sends large ICMP packets to crash the victim. Large ICMP packets can cause memory allocation error and crash the protocol stack. |
Large ICMPv6 packet | An attacker sends large ICMPv6 packets to crash the victim. Large ICMPv6 packets can cause memory allocation error and crash the protocol stack. |
IP options | An attacker sends IP datagrams in which the IP options are abnormal. This attack intends to probe the network topology. The target system will break down if it is incapable of processing error packets. |
IP fragment | An attacker sends the victim an IP datagram with an offset smaller than 5, which causes the victim to malfunction or crash. |
IP impossible packet | An attacker sends IP packets whose source IP address is the same as the destination IP address, which causes the victim to malfunction. |
Tiny fragment | An attacker makes the fragment size small enough to force Layer 4 header fields into the second fragment. These fragments can pass the packet filtering because they do not hit any match. |
Smurf | An attacker broadcasts an ICMP echo request to target networks. These requests contain the victim's IP address as the source IP address. Every receiver on the target networks will send an ICMP echo reply to the victim. The victim will be flooded with replies, and will be unable to provide services. Network congestion might occur. |
TCP flag | An attacker sends packets with defective TCP flags to probe the operating system of the target host. Different operating systems process unconventional TCP flags differently. The target system will break down if it processes this type of packets incorrectly. |
Traceroute | An attacker uses traceroute tools to probe the topology of the victim network. |
WinNuke | An attacker sends Out-Of-Band (OOB) data to the TCP port 139 (NetBIOS) on the victim that runs Windows system. The malicious packets contain an illegal Urgent Pointer, which causes the victim's operating system to crash. |
UDP bomb | An attacker sends a malformed UDP packet. The length value in the IP header is larger than the IP header length plus the length value in the UDP header. When the target system processes the packet, a buffer overflow can occur, which causes a system crash. |
UDP Snork | An attacker sends a UDP packet with destination port 135 (the Microsoft location service) and source port 135, 7, or 19. This attack causes an NT system to exhaust its CPU. |
UDP Fraggle | An attacker sends a large number of packets with source UDP port 7 and destination UDP port 19 (UDP chargen port) to a network. These packets use the victim's IP address as the source IP address. Replies will flood the victim, resulting in DoS. |
Teardrop | An attacker sends a stream of overlapping fragments. The victim will crash when it tries to reassemble the overlapping fragments. |
Ping of death | An attacker sends the victim an ICMP echo request larger than 65535 bytes that violates the IP protocol. When the victim reassembles the packet, a buffer overflow can occur, which causes a system crash. |