BigIron RX Series Configuration Guide
53-1001810-01

Chapter 34
Protecting Against Denial of Service Attacks

In this chapter
• Protecting against Smurf attacks
• Protecting against TCP SYN attacks
• Displaying statistics due DoS attacks
• Clear DoS attack statistics

In a Denial of Service (DoS) attack, a router is flooded with useless packets, hindering normal operation. The BigIron RX includes measures for defending against two types of DoS attacks, Smurf attacks and TCP SYN attacks.

Protecting against Smurf attacks

A Smurf attack is a kind of DoS attack where an attacker causes a victim to be flooded with ICMP echo (Ping) replies sent from another network. Figure 127 illustrates how a Smurf attack works.

The attacker sends an ICMP echo request packet to the broadcast address of an intermediary network. The ICMP echo request packet contains the spoofed address of a victim network as its source. When the ICMP echo request reaches the intermediary network, it is converted to a Layer 2 broadcast and sent to the hosts on the intermediary network. The hosts on the intermediary network then send ICMP replies to the victim network.

FIGURE 127 How a Smurf attack floods a victim with ICMP replies

[Figure: Attacker, Intermediary, Victim]
1. Attacker sends ICMP echo requests to broadcast address on Intermediary’s network, spoofing Victim’s IP address as the source.
2. If Intermediary has directed broadcast forwarding enabled, ICMP echo requests are broadcast to hosts on Intermediary’s network.
3. The hosts on Intermediary’s network send replies to Victim, inundating Victim with ICMP packets.
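
The following Python sketch is an added example, not part of the original guide. It shows how an operator of the intermediary network could flag the pattern described above: ICMP echo requests addressed to the directed broadcast address of a local subnet, grouped by the claimed (likely spoofed) source. The subnet inventory, packet records, threshold and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ICMP_ECHO_REQUEST = 8

# Constructed inventory of subnets behind the intermediary router (documentation ranges).
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "198.51.100.0/24")]

# Constructed packet records: (claimed source IP, destination IP, ICMP type).
SAMPLE_PACKETS = (
    [("203.0.113.10", "192.0.2.127", 8)] * 3      # /25 broadcast does not end in .255
    + [("203.0.113.10", "198.51.100.255", 8)] * 2
    + [("203.0.113.50", "198.51.100.255", 8)]     # single request, below threshold
    + [("203.0.113.77", "198.51.100.200", 8)]     # ordinary unicast ping
    + [("203.0.113.77", "192.0.2.127", 0)]        # echo reply, not a request
)

def directed_broadcast_subnet(dst, subnets):
    """Return the local subnet whose directed broadcast address is dst, else None."""
    addr = ipaddress.ip_address(dst)
    for net in subnets:
        # /31 and /32 prefixes have no broadcast address to abuse.
        if net.prefixlen < 31 and addr == net.broadcast_address:
            return net
    return None

def find_smurf_candidates(packets, subnets, threshold=3):
    """Group echo requests aimed at a directed broadcast address by claimed source.

    The claimed source is the likely victim, because the replies are sent to it.
    max_replies is an upper bound: one reply per usable host address per request.
    """
    stats = defaultdict(lambda: {"requests": 0, "subnets": set(), "max_replies": 0})
    for src, dst, icmp_type in packets:
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        net = directed_broadcast_subnet(dst, subnets)
        if net is None:
            continue
        entry = stats[src]
        entry["requests"] += 1
        entry["subnets"].add(str(net))
        entry["max_replies"] += net.num_addresses - 2
    return {
        src: {**e, "subnets": sorted(e["subnets"])}
        for src, e in stats.items()
        if e["requests"] >= threshold
    }
```

Matching on the computed broadcast address of each subnet, rather than on a trailing `.255`, is what catches the /25 case in the sample data.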