Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Table of Contents
Overview
This post addresses the Sophos Firewall concerning listed attack types.
Smurf
ICMP broadcast-based attack (Large number of ICMP packets)
- SFOS is not vulnerable to Smurf attacks. By default, Linux ignores broadcasted ICMPs.
- SFOS can protect vulnerable systems from Smurf attacks via DoS settings.
Teardrop
Overlapping IP fragments
- SFOS is not vulnerable to Teardrop attacks. By default, Linux handles overlapping IP fragments gracefully.
- SFOS can protect vulnerable systems from Teardrop attacks. SFOS never sends fragmented packets received from one endpoint to another; instead, it joins the received fragments. Then forwards either the whole packet or newly created fragment when required (e.g. handles small MTUs)
LAND and WinNuke
LAND - Uses the same source IP or port as the destination service to cause a loop.
WinNuke - Uses TCP urgent pointer for Windows services (e.g NetBIOS) to cause a DoS.
- SFOS protects against these attacks by identifying and dropping these anomalous packets.
- Ensure that the console setting "set advanced-firewall strict-policy on" is configured.
- This console setting is configured via the SFOS Device Console (option 4.)
- More info:
Horizontal Line, Table of Contents
[edited by: emmosophos at 1:19 AM (GMT -8) on 22 Nov 2023]