[. . . ] ZyAIR G-2000 Plus
802.11g Wireless 4-port Router
User's Guide
Version 3.60 12/2004
ZyAIR G-2000 Plus User's Guide
Copyright
Copyright © 2004 by ZyXEL Communications Corporation. The contents of this publication may not be reproduced in any part or as a whole, transcribed, stored in a retrieval system, translated into any language, or transmitted in any form or by any means, electronic, mechanical, magnetic, optical, chemical, photocopying, manual, or otherwise, without the prior written permission of ZyXEL Communications Corporation. All rights reserved.
Disclaimer
ZyXEL does not assume any liability arising out of the application or use of any products, or software described herein. Neither does it convey any license under its patent rights nor the patent rights of others. [. . . ] Their goal is not to steal information, but to disable a device or network so users no longer have access to network resources. The ZyAIR is pre-configured to automatically detect and thwart all known DoS attacks.
14.4.1 Basics
Computers share information over the Internet using a common language called TCP/IP. TCP/IP, in turn, is a set of application protocols that perform specific functions. An extension number, called the "TCP port" or "UDP port", identifies these protocols, such as HTTP (Web), FTP (File Transfer Protocol), POP3 (E-mail), etc. When computers communicate on the Internet, they are using the client/server model, where the server "listens" on a specific TCP/UDP port for information requests from remote client computers on the network. Please note that while a computer may be intended for use over a single port, such as Web on port 80, other ports are also active. If the person configuring or managing the computer is not careful, a hacker could attack it over an unprotected port. Some of the most common IP ports are:
Table 58 Common IP Ports
Port   Service
21     FTP
23     Telnet
25     SMTP
53     DNS
80     HTTP
110    POP3
Chapter 14 Firewalls
14.4.2 Types of DoS Attacks
There are four types of DoS attacks:
1 Those that exploit bugs in a TCP/IP implementation.
· "Ping of Death" and "Teardrop" attacks exploit bugs in the TCP/IP implementations of various computer and host systems.
a Ping of Death uses a "ping" utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification.
b Teardrop attack exploits weaknesses in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non-fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.
· Weaknesses in the TCP/IP specification leave it open to "SYN Flood" and "LAND" attacks. These attacks are executed during the handshake that initiates a communication session between two applications.
Figure 75 Three-Way Handshake
Under normal circumstances, the application that initiates a session sends a SYN (synchronize) packet to the receiving server. The receiver sends back an ACK (acknowledgment) packet and its own SYN, and then the initiator responds with an ACK (acknowledgment). While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.
Figure 76 SYN Flood
b In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.
· A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. [. . . ] However, PEAP only supports EAP methods, such as EAP-MD5, EAP-MSCHAPv2 and EAP-GTC (EAP-Generic Token Card), for client authentication. EAP-GTC is implemented only by Cisco.
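The attack signatures described in section 14.4.2 above (Ping of Death, Teardrop, LAND, Smurf and SYN Flood) can each be recognised from packet headers alone. The following is an added example, not code from the ZyAIR firmware or the User's Guide: it runs those checks over constructed packet records. The field names, the /24 broadcast heuristic and the small backlog limit are assumptions made for illustration.

```python
from collections import defaultdict

# Added example, not ZyAIR firmware: flag the DoS signatures described in
# section 14.4.2 on constructed packet records. Field names, the /24
# broadcast heuristic and the backlog limit are assumptions for illustration.
MAX_IP_LEN = 65535        # largest datagram the IP specification allows
SYN_BACKLOG_LIMIT = 3     # assumed backlog queue size per destination (small for demo)

def classify(packets):
    """Return (attack name, packet index) findings over a list of packet dicts."""
    findings = []
    half_open = defaultdict(int)   # SYN-ACKs still waiting for an ACK, per server
    frags = defaultdict(list)      # (src, dst, ip_id) -> [(offset, end)] seen so far
    for i, p in enumerate(packets):
        flags = p.get("flags", ())
        # Ping of Death: datagram larger than the IP specification allows
        if p.get("total_len", 0) > MAX_IP_LEN:
            findings.append(("ping_of_death", i))
        # LAND: SYN whose spoofed source address is the target itself
        if p["proto"] == "tcp" and "SYN" in flags and p["src"] == p["dst"]:
            findings.append(("land", i))
        # Smurf: ICMP echo request aimed at a directed (subnet) broadcast address
        if p["proto"] == "icmp" and p.get("type") == "echo_request" and p["dst"].endswith(".255"):
            findings.append(("smurf", i))
        # Teardrop: fragment whose byte range overlaps one already queued for reassembly
        if "frag_off" in p:
            key = (p["src"], p["dst"], p["ip_id"])
            start, end = p["frag_off"], p["frag_off"] + p["frag_len"]
            if any(start < e and s < end for s, e in frags[key]):
                findings.append(("teardrop", i))
            frags[key].append((start, end))
        # SYN flood: half-open handshakes piling up on the server's backlog queue
        if p["proto"] == "tcp" and flags == ("SYN",):
            half_open[p["dst"]] += 1
            if half_open[p["dst"]] > SYN_BACKLOG_LIMIT:
                findings.append(("syn_flood", i))
        elif p["proto"] == "tcp" and flags == ("ACK",) and half_open[p["dst"]] > 0:
            half_open[p["dst"]] -= 1   # third handshake step: entry leaves the queue
    return findings

SAMPLE = [   # constructed records, not captured traffic
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.1", "flags": ("SYN",)},
    {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.5", "flags": ("SYN", "ACK")},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.1", "flags": ("ACK",)},      # normal handshake
    {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.1", "flags": ("SYN",)},      # LAND
    {"proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.255", "type": "echo_request"},  # Smurf
    {"proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.1", "type": "echo_request", "total_len": 65600},  # Ping of Death
    {"proto": "udp", "src": "10.0.0.7", "dst": "10.0.0.1", "ip_id": 42, "frag_off": 0, "frag_len": 400},
    {"proto": "udp", "src": "10.0.0.7", "dst": "10.0.0.1", "ip_id": 42, "frag_off": 200, "frag_len": 400},  # Teardrop
] + [{"proto": "tcp", "src": "10.0.0.%d" % n, "dst": "10.0.0.1", "flags": ("SYN",)} for n in range(20, 25)]  # SYN flood
```

Calling `classify(SAMPLE)` reports one finding per attack packet; the completed handshake in the first three records raises nothing, which is the point of tracking the backlog rather than counting SYNs alone.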
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco implementation of IEEE 802.1x. For added security, certificate-based authentications (EAP-TLS, EAP-TTLS and PEAP) use dynamic keys for data encryption. They are often deployed in corporate environments, but for public deployment, a simple user name and password pair is more practical. [. . . ]