Security
Intrusion Detection Settings
iMG/RG Software Reference Manual (IPNetwork Functions)
4-64
4.2.4.2 How Port Scanning works - Configuring Port Scanning
The device detects an attempted port scan when it receives more than 5 scanning packets (e.g. SYN/ACK, FIN or RST packets) per second from a single host. To modify this default threshold:
security set IDS scanthreshold <max>
The per-second count of scan packets is evaluated over a 60 second period. To modify this default period:
security set IDS scanperiod <duration>
If the number of scanning packets counted within the specified period exceeds the scan threshold, the suspected attacker is blocked for 86400 seconds (24 hours). To modify this default block duration, enter:
security set IDS SCANattackblock <duration>
Echo scans, Xmas Tree scans and IMAP scans are instead blocked using the MaliciousAttack attribute. The default block duration is 30 minutes; to change it:
security set IDS MaliciousAttackBlock <duration>
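As an added example (not code from the manual or from the device firmware), the following Python models the three port-scan settings above: scanthreshold (scan packets per second from one source), scanperiod (the window over which that per-second count is kept) and SCANattackblock (how long the source is blocked once detected). Reading scanperiod as a sliding window, the packet-type labels and the sample traffic are assumptions made for the example.

```python
"""Per-source port-scan rate detector modelled on the iMG/RG IDS settings.
Added example, not the device's own code; assumptions are marked."""
from collections import defaultdict, deque

# Defaults quoted in the manual: scanthreshold 5 packets/s, scanperiod 60 s,
# SCANattackblock 86400 s (24 h).
SCAN_THRESHOLD = 5
SCAN_PERIOD = 60
SCAN_ATTACK_BLOCK = 86400

# Packet types the manual lists as "scanning packets".
SCAN_FLAGS = {"SYN/ACK", "FIN", "RST"}


class PortScanDetector:
    def __init__(self, threshold=SCAN_THRESHOLD, period=SCAN_PERIOD,
                 block=SCAN_ATTACK_BLOCK):
        self.threshold = threshold
        self.period = period
        self.block = block
        self.history = defaultdict(deque)  # src -> timestamps of scan packets
        self.blocked = {}                  # src -> time the block expires

    def is_blocked(self, src, now):
        until = self.blocked.get(src)
        if until is None:
            return False
        if now >= until:
            del self.blocked[src]          # block has expired
            return False
        return True

    def observe(self, now, src, flags):
        """Feed one packet. Returns 'blocked', 'scan' (newly detected) or 'ok'."""
        if self.is_blocked(src, now):
            return "blocked"
        if flags not in SCAN_FLAGS:
            return "ok"
        q = self.history[src]
        q.append(now)
        # Assumption: "counted over a 60 second period" is read as a sliding
        # window; timestamps older than the period are discarded.
        while q and now - q[0] > self.period:
            q.popleft()
        # Peak one-second rate inside the window: packets seen in the last second.
        last_second = sum(1 for t in q if now - t <= 1.0)
        if last_second > self.threshold:
            self.blocked[src] = now + self.block
            q.clear()
            return "scan"
        return "ok"


def run(packets, detector=None):
    """Replay (time, src, flags) tuples; return per-packet verdicts and the detector."""
    detector = detector or PortScanDetector()
    verdicts = [(src, detector.observe(t, src, flags)) for t, src, flags in packets]
    return verdicts, detector


# Constructed sample traffic (not a real capture): 192.0.2.7 sends seven bare
# RSTs in half a second (typical of a scanner probing closed ports), while
# 198.51.100.4 closes three sessions normally with FINs spread over a minute.
SAMPLE = (
    [(0.1 * i, "192.0.2.7", "RST") for i in range(7)]
    + [(5.0, "198.51.100.4", "FIN"), (30.0, "198.51.100.4", "FIN"),
       (55.0, "198.51.100.4", "FIN")]
    + [(60.0, "192.0.2.7", "SYN/ACK")]      # still inside the 24 h block
)

if __name__ == "__main__":
    verdicts, det = run(SAMPLE)
    for src, verdict in verdicts:
        print(f"{src:14s} {verdict}")
    print("blocked until:", det.blocked)
```

The sixth RST from 192.0.2.7 is the first one that pushes the one-second count above the threshold of 5; from that point the source is blocked, and its later SYN/ACK at 60 s is dropped without being counted. Lowering scanthreshold or raising scanperiod makes the detector more sensitive; SCANattackblock only changes how long the block lasts.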
Scan Attack / Description

Back Orifice scan
    Back Orifice and Back Orifice 2k are Trojan Horse attacks for Windows 95/98/NT. Once installed on the victim's PC, the Trojan commonly listens on UDP ports 31337, 31338 (Back Orifice) and 54320, 54321 (Back Orifice 2k), and the attacker can then remotely perform illicit activities.
SubSeven attack
    SubSeven and SubSeven 2.1 are Trojan Horse attacks for Windows platforms. Once installed on the victim's PC, the attacker uses TCP ports 1243, 6711, 6712, 6713 (SubSeven) and 27374 (SubSeven 2.1) to remotely perform illicit activities.

4.2.4.3 Denial of Service (DoS) Attacks
There are two main types of DoS attack:
- Flood attacks: an attacker tries to overload your device by flooding it with packets. While your device tries to cope with this sudden influx of packets, it delays the transport of legitimate packets or prevents the network from transporting legitimate traffic altogether.
- Logic or software attacks: a small number of malformed packets are designed to exploit known software bugs on the target system.
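As an added example (not code from the manual or from Allied Telesis), the following Python shows what the logic-attack class looks like at packet level: it parses a raw IPv4 packet and applies the single-packet signatures this section describes (Land: source equals destination; Ping of Death / Overdrop: fragment offset plus length past 65535 bytes; SMURF: Echo Request aimed at a broadcast address; Echo Chargen: UDP port 7 to port 19) together with the per-port Trojan matching of the IDS Trojan Database, using the Back Orifice and SubSeven ports from the scan table above. The WinNuke check on the URG flag, the broadcast address list and all packets are assumptions constructed for the example.

```python
"""Single-packet IDS checks for the DoS and Trojan-port signatures in this
section. Added example, not the device's own code; packets are built inline."""
import socket
import struct

IP_HDR = "!BBHHHBBH4s4s"          # 20-byte IPv4 header, no options

# Trojan ports quoted in the scan-attack table above.
TROJAN_PORTS = {
    ("udp", 31337): "Back Orifice", ("udp", 31338): "Back Orifice",
    ("udp", 54320): "Back Orifice 2k", ("udp", 54321): "Back Orifice 2k",
    ("tcp", 1243): "SubSeven", ("tcp", 6711): "SubSeven",
    ("tcp", 6712): "SubSeven", ("tcp", 6713): "SubSeven",
    ("tcp", 27374): "SubSeven 2.1",
}


def build_ipv4(src, dst, proto, payload, frag_offset=0):
    """Minimal IPv4 packet; checksum left at 0 (not verified here).
    frag_offset is in 8-byte units, as on the wire."""
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 0,
                      frag_offset & 0x1FFF, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp(sport, dport, flags=0x02):          # 0x02 = SYN, 0x20 = URG
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)


def icmp_echo_request(data=b""):
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


def classify(pkt, broadcast=("255.255.255.255",)):
    """Return the list of signature names matched by one IPv4 packet.
    `broadcast` (an assumption) should also list the LAN's directed broadcast."""
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, s, d = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = socket.inet_ntoa(s), socket.inet_ntoa(d)
    offset = (flags_frag & 0x1FFF) * 8
    l4 = pkt[ihl:total_len]
    hits = []
    if src == dst:
        hits.append("Land Attack")
    # Ping of Death / Overdrop: this fragment's offset plus its length would
    # push the reassembled datagram past the 65535-byte IPv4 maximum.
    if ihl + offset + len(l4) > 65535:
        hits.append("Ping of Death" if proto == 1 else "Overdrop")
    if offset != 0 or len(l4) < 8:
        return hits                          # no transport header to inspect
    if proto == 1 and l4[0] == 8 and dst in broadcast:
        hits.append("SMURF Attack")          # Echo Request aimed at broadcast
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", l4[:4])
        name = TROJAN_PORTS.get(("tcp" if proto == 6 else "udp", dport))
        if name:
            hits.append("Trojan port: " + name)
        if proto == 17 and {sport, dport} == {7, 19}:
            hits.append("Echo Chargen")      # echo <-> chargen loop
        # Assumption: WinNuke matched as URG-flagged data to NetBIOS port 139.
        if proto == 6 and dport == 139 and l4[13] & 0x20:
            hits.append("WinNuke Attack")
    return hits


# Constructed samples (not captures) covering each check plus a benign packet.
SAMPLES = {
    "land": build_ipv4("192.0.2.10", "192.0.2.10", 6, tcp(139, 139)),
    "pod": build_ipv4("198.51.100.1", "192.0.2.10", 1, b"\0" * 40, frag_offset=8190),
    "smurf": build_ipv4("192.0.2.10", "255.255.255.255", 1, icmp_echo_request(b"abc")),
    "bo": build_ipv4("198.51.100.1", "192.0.2.10", 17, udp(40000, 31337)),
    "sub7": build_ipv4("198.51.100.1", "192.0.2.10", 6, tcp(40000, 27374)),
    "chargen": build_ipv4("192.0.2.10", "192.0.2.11", 17, udp(7, 19)),
    "winnuke": build_ipv4("198.51.100.1", "192.0.2.10", 6, tcp(40000, 139, flags=0x38)),
    "https": build_ipv4("198.51.100.1", "192.0.2.10", 6, tcp(40000, 443)),
}


def scan_samples():
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:8s} -> {hits or ['clean']}")
```

The fragment check is the one worth keeping in mind when tuning: a non-initial fragment carries no transport header, so the only thing that can be judged from it is the claimed offset and length, which is exactly the field the Ping of Death and Overdrop attacks abuse. The Trojan-port match is stateless, so it should be combined with the scan-rate and block settings rather than used on its own.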
The Security module can detect the early stages of the following DoS attacks:

DoS Attack / Description

SMURF Attack
    The attacker sends pings (ICMP Echo Requests: protocol 1, type 8) to a broadcast address with a spoofed source address, which is the address of the intended victim. Every host on the broadcast network replies to the victim, and the flood of replies can overwhelm or crash it.
SYN/FIN/RST Flood
    Attackers send SYN packets with unreachable source addresses, so your device sends SYN/ACK packets to the unreachable address but never receives the ACK packets in return. This causes a backlog of half-open sessions.
ICMP Flood
    The attacker floods the network with ICMP packets that are not Echo Requests, stealing bandwidth needed for legitimate services. The device detects an attempted ICMP flood if it receives more than 100 ICMP packets per second from a single host.
Ping Flood
    The attacker floods the network with pings, using bandwidth needed for legitimate services. The device detects an attempted ping flood if it receives more than 15 pings per second from a single host.
Ascend Kill
    The attacker sends a UDP packet containing special data to port 9 (the discard port), causing your Ascend router to reboot and possibly crash continuously.
WinNuke Attack
    The attacker sends invalid TCP packets which disable networking on many Microsoft Windows 95 and Windows NT machines. Bad data is sent to an established connection with a Windows user; NetBIOS (TCP port 139) is often used.
Echo Chargen
    A chargen attack exploits the character generator (chargen) service (UDP port 19). Sessions that appear to come from the local system's Echo service (UDP port 7) are spoofed and pointed at the chargen service to create an endless loop of high-volume traffic that slows your network down.
Echo Storm
    Attackers send oversized ICMP datagrams to your device using ping in an attempt to crash, freeze or reboot it. The device detects an attempted Echo Storm attack if it receives more than 15 ICMP datagrams per second from a single host.
Boink
    An attacker sends fragmented TCP packets that are too big to be reassembled on arrival, causing Microsoft Windows 95 and Windows NT machines to crash.
Land Attack
    This attack targets Microsoft Windows machines. An attacker sends a forged packet with the same source and destination IP address, which confuses the victim's machine and causes it to crash or reboot.
Ping of Death
    It is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a remote machine. A ping is a ping of death when the reassembled datagram (IP header plus ICMP payload) exceeds 65535 bytes, the maximum size of an IPv4 packet.
Overdrop
    This attack uses incorrect IP packet fragmentation to exploit vulnerabilities in networked devices. Fragmented IP packets are sent whose fragment information indicates that the packet length is over 65535 bytes (including the IP header), but the actual data in the payload is much less than this amount.

For each DoS attack there are different IDS settings, summarized in the table below:

DoS Attack / Related detection settings / Block duration setting (default)

SMURF Attack
    Detection:      security enable IDS victimprotection
    Block duration: security set IDS victimprotection <duration> (default 10 min)
SYN/FIN/RST Flood
    Detection:      security set IDS floodthreshold <max>
                    security set IDS portfloodthreshold <max>
                    security set IDS floodperiod <duration>
                    security set IDS MaxTCPopenhandshake <max>
    Block duration: security set IDS DOSattackblock <duration> (default 30 min)
ICMP Flood
    Detection:      security set IDS MaxICMP <max>
    Block duration: security set IDS DOSattackblock <duration> (default 30 min)
Ping Flood
    Detection:      security set IDS MaxPING <max>
    Block duration: security set IDS DOSattackblock <duration> (default 30 min)
Ascend Kill
    Detection:      N/A
    Block duration: security set IDS MaliciousAttackBlock <duration> (default 30 min)
WinNuke Attack
    Detection:      N/A
    Block duration: security set IDS MaliciousAttackBlock <duration> (default 30 min)
Echo Chargen
    Detection:      N/A
    Block duration: security set IDS DOSattackblock <duration> (default 30 min)
Echo Storm
    Detection:      security set IDS MaxPING <max>
    Block duration: security set IDS DOSattackblock <duration> (default 30 min)
Boink
    Detection:      N/A
    Block duration: security set IDS DOSattackblock <duration> (default 30 min)
Land Attack
    Detection:      N/A
    Block duration: security set IDS DOSattackblock <duration> (default 30 min)
Ping of Death
    Detection:      N/A
    Block duration: security set IDS DOSattackblock <duration> (default 30 min)
Overdrop
    Detection:      N/A
    Block duration: security set IDS DOSattackblock <duration> (default 30 min)

4.2.4.4 IDS Trojan Database
Trojan attacks are detected by scanning for packets on pre-defined Trojan attack ports, using a pre-defined database that includes commonly attacked Trojan ports.
To enter a new Trojan name in the IDS Trojan Database:
security IDS add trojan <trojan name>
Once you have added a Trojan name to the database, you need to identify the attack port(s) that the Trojan uses. Use the following command to add a port to the IDS Trojan Database against the Trojan name specified in the previous command:
security IDS add trojanport <trojan name> <ident> <udp|tcp> <port>
To start scanning, you must enable the Trojan with the following CLI command:
security IDS enable trojan <trojan name>

4.2.5 Management stations - Remote Management
A management station is a host or range of hosts that can remotely access your device from the public Internet for a certain period of time. Once your device has been configured to allow remote access, the management station sends IP traffic on a specific transport/port to the device's external port, and any NAT or Firewall configuration is bypassed for that traffic. This allows a network administrator to access the device's configuration without having to visit the site.
Note: Because this traffic bypasses NAT and the firewall, it is important for ISPs to configure management stations as precisely as possible (the narrowest address range, a single transport and port, and a short idle timeout) to reduce the chance of malicious access.
The exact IP address (or range of addresses) for the management station device(s) must be defined with the following command:
security add mgmt-station <name> {range <start_addr> <end_addr> | subnet <address> <mask>} <transport_type> <port> <idle_timeout>
Once you have configured a management station and want to enable a remote session to the device's external port, enter:
security set mgmt-station <name> enabled
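The following is an added example of the two commands above, not configuration taken from the manual. It assumes that `tcp` is the accepted <transport_type> token, that <idle_timeout> is in seconds, and uses documentation addresses (203.0.113.0/24); the port numbers are illustrative. The entry named `anywhere` is the weak form to avoid: a 0.0.0.0 0.0.0.0 subnet turns every host on the Internet into a management station, and since this traffic bypasses NAT and the firewall, the device's management service is then exposed for as long as the idle timeout keeps the session alive. The entry named `noc` is the form the Note above calls for: one small address range, one transport and port, and a short idle timeout.

```text
security add mgmt-station anywhere subnet 0.0.0.0 0.0.0.0 tcp 23 3600
security set mgmt-station anywhere enabled

security add mgmt-station noc range 203.0.113.10 203.0.113.20 tcp 22 300
security set mgmt-station noc enabled
```

Only the `noc` pair should exist on a production device; if a broad entry like `anywhere` was created for a one-off visit, remove or disable it as soon as the session ends rather than relying on the idle timeout.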
4.2.6 Security logging
Note: Security logging is available on Fiber D, E, Modular and ADSL A, B, C models only.
Configuring the security logging module allows you to track:
- intrusion events: logs details of attempted DoS, port scanning and web spoofing attacks, including the name of the attack, the port number used and the source/destination IP addresses.
- blocking events: if an intrusion has been detected, logs details of the blocked/blacklisted host, including its IP address and the length of time it will be blocked/blacklisted for.
- session events: logs details of session activity when a session times out or finishes naturally and is removed from the session list.
Before you can log intrusion, blocking and session events, enable the logging module by entering:
security enable logging
4.2.7 Security command reference
This section describes the commands available on the AT-iMG Models to enable, configure and manage the Security module.
4.2.7.1 Command Set
The table below lists the security commands provided by the CLI.
TABLE 4-2 Security Commands and Product Category

Commands                                           Fiber A  Fiber B  Fiber C  Fiber D  Fiber E  Modular  ADSL A  ADSL B  ADSL C
SECURITY ENABLE | DISABLE                             X        X        X        X        X        X        X       X       X
SECURITY ENABLE | DISABLE {LOGGING|blockinglog|
  intrusionlog|sessionlog}                            -        -        -        X        X        X        X       X       X

(The logging command is marked for the six models on which security logging is available, as stated in the Note in 4.2.6.)