A malformed packet attack occurs when malformed IP packets are sent to a target system, causing the system to work abnormally or break down. With the capability of defending against such attacks, a device can detect and discard malformed packets in real time.
Malformed packet attacks are classified into the following types.
An IP null payload packet has only a 20-byte IP header, but does not have a data field. When a target system is processing such an IP packet, the system may work abnormally or crash.
After defense against malformed packet attacks is enabled, a device directly discards such packets.
An IGMP packet consists of a 20-byte IP header and an 8-byte IGMP body. An IGMP null payload packet is one that is shorter than 28 bytes, that is, one whose IGMP body is incomplete or missing. When a network device processes IGMP null payload packets, errors may occur or the device may break down.
After defense against malformed packet attacks is enabled, the device directly discards the received IGMP null payload packets.
By exploiting defects in the TCP three-way handshake, a Local Area Network Denial (LAND) attacker sends a SYN packet whose source and destination addresses are both the target host's address and whose source port equals the destination port. After receiving the SYN packet, the target host creates a null TCP connection using its own address as both the source and destination addresses. The connection is kept until it expires. After receiving a large number of such SYN packets, the target host holds many null TCP connections, wasting network resources or even causing a system breakdown.
After defense against malformed packet attacks is enabled, the device checks source and destination addresses in TCP SYN packets. The device considers TCP SYN packets with the same source and destination addresses as malformed packets and discards them.
An attacker sends an ICMP Request packet whose source address is the target host's address and whose destination address is the broadcast address of the target network. After all hosts on the target network receive the ICMP Request packet, they send ICMP Reply packets to the target host. The target host receives an excessive number of packets, consuming considerable resources and leading to a system or network breakdown.
After defense against malformed packet attacks is enabled, the device checks whether the destination address of each ICMP Request packet is the broadcast address or a subnet broadcast address, and discards the packet if it is.
A TCP packet contains six flag bits: URG, ACK, PSH, RST, SYN, and FIN. Different systems respond differently to the combination of these flag bits.
A TCP packet in which all six flag bits are set to 1 is a Christmas tree packet. A device under a Christmas tree attack may break down.
An attacker sends a TCP packet in which both SYN and FIN are set to 1 to a target host. If the receiving port is disabled, the receiver replies with an RST | ACK message; if the receiving port is enabled, the receiver replies with a SYN | ACK message. This attack is used to detect whether a host is online and whether a port is enabled or disabled.
An attacker sends a TCP packet in which all six flag bits are 0. If the receiving port is disabled, the receiver replies with an RST | ACK message, which reveals whether the host is online. If the receiving port is enabled, Linux and UNIX operating systems do not respond, whereas the Windows operating system replies with an RST | ACK message. This attack is therefore used to identify the operating system (Windows, Linux, or UNIX) running on the target host.
After defense against malformed packet attacks is enabled, the device checks each flag bit in TCP packets to prevent attacks from packets with invalid TCP flag bits. If any of the following conditions is met, the device discards the TCP packets:
The six flag bits are all 1s.
The SYN and FIN bits are both 1s.
The six flag bits are all 0s.
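The checks described above (IP null payload, IGMP null payload, LAND, ICMP Request to a broadcast address, and the three invalid TCP flag combinations), pulled together into one packet classifier. This is an added example, not code from the original page or from any vendor's device software. It assumes raw IPv4 packets with no link-layer header, that the checker is told which subnets are local (so it can recognise their subnet broadcast addresses), and that checksums are validated elsewhere; the sample packets and the local subnet are constructed inline.

```python
"""Classify IPv4 packets against malformed-packet rules (added example)."""
import ipaddress
import struct
from typing import Optional

PROTO_ICMP, PROTO_IGMP, PROTO_TCP = 1, 2, 6
IGMP_MIN_LEN = 20 + 8                          # 20-byte IP header + 8-byte IGMP body
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SIX_FLAGS = FIN | SYN | RST | PSH | ACK | URG  # 0x3F
ICMP_ECHO_REQUEST = 8
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify(packet: bytes, local_subnets=()) -> Optional[str]:
    """Return the malformed-packet class a device would discard, or None if it passes."""
    if len(packet) < 20:
        return "truncated-ip-header"          # assumption: unparseable, so dropped
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "invalid-ip-header-length"     # assumption: unparseable, so dropped
    proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    payload = packet[ihl:]

    # IP null payload: only the IP header, no data field at all.
    if not payload:
        return "ip-null-payload"

    # IGMP null payload: shorter than IP header + 8-byte IGMP body.
    if proto == PROTO_IGMP and len(packet) < IGMP_MIN_LEN:
        return "igmp-null-payload"

    if proto == PROTO_TCP and len(payload) >= 20:
        sport, dport = struct.unpack("!HH", payload[:4])
        flags = payload[13] & SIX_FLAGS       # byte 13 of the TCP header holds the flags
        if flags == SIX_FLAGS:                # all six bits set
            return "tcp-christmas-tree"
        if flags & (SYN | FIN) == (SYN | FIN):
            return "tcp-syn-fin"
        if flags == 0:                        # all six bits clear
            return "tcp-null-flags"
        # LAND: a SYN whose source and destination address and port are identical.
        if flags & SYN and src == dst and sport == dport:
            return "land"

    if proto == PROTO_ICMP and payload[0] == ICMP_ECHO_REQUEST:
        # ICMP Request aimed at the limited broadcast or a local subnet broadcast.
        if dst == LIMITED_BROADCAST:
            return "icmp-request-to-broadcast"
        for net in local_subnets:
            if dst == ipaddress.IPv4Network(net).broadcast_address:
                return "icmp-request-to-subnet-broadcast"

    return None


# --- constructed sample packets -------------------------------------------
def ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header: data offset 5, no options, checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def icmp_echo_request() -> bytes:
    """8-byte ICMP echo request header (type 8, code 0, id 1, seq 1)."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 1, 1)


LOCAL_SUBNETS = ("10.0.0.0/24",)   # constructed: the subnet attached to the device
SAMPLES = {                        # constructed packets; addresses are made up
    "ip_null":     ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.9"),
    "igmp_short":  ipv4(PROTO_IGMP, "10.0.0.5", "224.0.0.1", b"\x11\x00\x00\x00"),
    "land":        ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.5", tcp(80, 80, SYN)),
    "smurf":       ipv4(PROTO_ICMP, "10.0.0.5", "10.0.0.255", icmp_echo_request()),
    "xmas":        ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.9", tcp(4444, 80, SIX_FLAGS)),
    "syn_fin":     ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.9", tcp(4444, 80, SYN | FIN)),
    "null_flags":  ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.9", tcp(4444, 80, 0)),
    "normal_syn":  ipv4(PROTO_TCP, "10.0.0.5", "10.0.0.9", tcp(4444, 80, SYN)),
    "normal_igmp": ipv4(PROTO_IGMP, "10.0.0.5", "224.0.0.1", bytes(8)),
    "normal_ping": ipv4(PROTO_ICMP, "10.0.0.5", "10.0.0.9", icmp_echo_request()),
}


def verdicts(samples=SAMPLES, local_subnets=LOCAL_SUBNETS) -> dict:
    """Map each sample name to its classification (None means forwarded)."""
    return {name: classify(pkt, local_subnets) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:12s} -> {verdict or 'forward'}")
```

The flag tests run before the LAND test only because every match ends in a discard, so the order affects the label, not the outcome. The ICMP branch treats the limited broadcast address and each configured subnet's directed broadcast address the same way; a device would source the subnet list from its own interface addresses.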