Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Hi All,
This post addresses the Sophos Firewall in relation to listed attack types.
Smurf
ICMP broadcast-based attack (Large number of ICMP packets)
- SFOS is not vulnerable to Smurf attacks. By default, Linux ignores broadcasted ICMPs.
- SFOS can protect vulnerable systems from Smurf attacks via DoS settings.
Teardrop
Overlapping IP fragments
- SFOS is not vulnerable to Teardrop attacks. By default, Linux handles overlapping IP fragments gracefully.
- SFOS can protect vulnerable systems from Teardrop attacks. SFOS never sends fragmented packets received from one endpoint to another, instead it joins the fragments that are received. Then forwards either the whole packet or newly created fragment when required (e.g. handles small MTUs)
LAND and WinNuke
LAND - Uses the same source IP or port as the destination service to cause a loop.
WinNuke - Uses TCP urgent pointer for windows services (e.g NetBIOS) to cause a DoS.
- SFOS protects against these attacks by identifying and dropping these anomalous packets.
- Ensure that the console setting "set advanced-firewall strict-policy on" is configured
- This console setting is configured via the SFOS Device Console (option 4.)
- More info:
Regards,
Updated Disclaimer
[edited by: Erick Jan at 9:54 AM (GMT -7) on 17 Apr 2023]