By default, Ally appliances are configured to stop ACK floods and prevent SYN floods from getting to any computer protected by the Ally appliance. SYN requests arrive first, and the Ally responds in place of the destination server with a Tag-UR-IT marked SYN/ACK and then waits for the responding ACK. Only ACK responses that contain the matching Tag-UR-IT mark are permitted beyond the appliance. Therefore, false ACK traffic is dropped. In this fashion, SYN floods are reflected by the Ally appliance, which merely marks the packets, rather than keeping track of state (session) information. State information is recovered from the ACK packet, which contains the Tag-UR-IT mark.
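The stateless handshake described above is the same idea as a SYN cookie: the appliance's "mark" is a keyed value it can recompute from the returning ACK, so no per-connection table is needed. The page does not describe how Tag-UR-IT derives its mark, so the following is an added illustration rather than the vendor's code: it assumes an HMAC-SHA256 truncated to 32 bits over the 4-tuple plus a 60-second time slot, packets represented as plain dicts, and a constructed demo secret. The mark is the ISN of the SYN/ACK, and a bare ACK is forwarded only if ack-1 matches the mark for that exact source and destination, which also enforces the source-IP binding the IP Spoofing section mentions later.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real appliance would keep its key private and rotate it.
SECRET = b"constructed-demo-secret"
SLOT_SECONDS = 60  # assumption: a mark stays valid for the current and previous slot


def tag_mark(src_ip, src_port, dst_ip, dst_port, slot, secret=SECRET):
    """32-bit mark bound to the 4-tuple and a coarse time slot. Anyone holding the
    secret can recompute it from the ACK, so nothing is stored per half-open SYN."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


def handle_syn(syn, now):
    """Answer a SYN on the server's behalf; the mark becomes the SYN/ACK's ISN."""
    slot = int(now) // SLOT_SECONDS
    mark = tag_mark(syn["src"], syn["sport"], syn["dst"], syn["dport"], slot)
    return {"src": syn["dst"], "sport": syn["dport"], "dst": syn["src"],
            "dport": syn["sport"], "flags": "SA", "seq": mark,
            "ack": (syn["seq"] + 1) & 0xFFFFFFFF}


def admit_ack(ack, now, slots_back=1):
    """Forward a bare ACK only if ack-1 equals the mark for this exact 4-tuple in the
    current or previous slot. Random ACKs (an ACK flood) and ACKs from a source other
    than the one that sent the SYN fail the check and are dropped."""
    if ack["flags"] != "A":
        return False
    claimed = struct.pack(">I", (ack["ack"] - 1) & 0xFFFFFFFF)
    cur = int(now) // SLOT_SECONDS
    for slot in range(cur, cur - slots_back - 1, -1):
        expected = tag_mark(ack["src"], ack["sport"], ack["dst"], ack["dport"], slot)
        if hmac.compare_digest(claimed, struct.pack(">I", expected)):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample handshake.
    now = 1_700_000_000
    syn = {"src": "203.0.113.5", "sport": 40000, "dst": "192.0.2.10", "dport": 80,
           "flags": "S", "seq": 12345}
    synack = handle_syn(syn, now)
    good = dict(syn, flags="A", seq=12346, ack=(synack["seq"] + 1) & 0xFFFFFFFF)
    print(admit_ack(good, now + 1))                             # True
    print(admit_ack(dict(good, src="198.51.100.77"), now + 1))  # False: different source IP
    print(admit_ack(dict(good, ack=424242), now + 1))           # False: forged ACK value
```

Because the mark includes a time slot, an ACK that arrives more than one slot after its SYN/ACK is rejected as well; the slot width is the trade-off between replay exposure and tolerance for slow clients.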
IP Fragments
Due to physical differences between various networking hardware, IP packets may be broken into fragments when routed on the Internet. Endpoint devices rarely need to support fragmented packet reassembly. Originally, the standard defined that fragments were to be held by the destination device and put together once the rest of the transmission arrived. This method of reassembling fragments at the destination device has been exploited by numerous network attacks. With today’s robust networking gear, the only fragmented traffic that is typically seen is intentional fragmentation by attackers trying to sneak exploits past signature-based detection devices.
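A perimeter device that refuses to forward fragment sets it cannot account for removes the ambiguity that destination-side reassembly attacks rely on. The following added example (not code from the page or from the Ally product) checks a set of fragments sharing one IP ID, represented as constructed (offset_bytes, length, more_fragments) tuples, and classifies them as complete and contiguous, still incomplete, overlapping, or malformed, with a simple forward/hold/drop policy on top.

```python
MAX_DATAGRAM = 65535


def check_fragments(frags):
    """frags: (offset_bytes, length, more_fragments) tuples that share one IP ID.
    Returns 'ok' when they form exactly one contiguous datagram, otherwise the
    reason a defensive reassembler should hold or drop them."""
    frags = sorted(frags, key=lambda f: f[0])
    if not frags or frags[0][0] != 0:
        return "incomplete"            # the first fragment (offset 0) has not arrived
    end = 0                            # number of bytes covered so far
    for i, (off, length, more) in enumerate(frags):
        # Offsets are carried in 8-byte units; only the last fragment may be odd-sized.
        if length <= 0 or off % 8 != 0 or (more and length % 8 != 0):
            return "malformed"
        if off + length > MAX_DATAGRAM:
            return "malformed"         # would overflow a 64 KiB datagram
        if off < end:
            return "overlap"           # rewrites bytes already received: ambiguous
        if off > end:
            return "incomplete"        # hole before this fragment
        end = off + length
        if not more:
            # Anything sorted after the MF=0 fragment is data beyond the declared end.
            return "ok" if i == len(frags) - 1 else "malformed"
    return "incomplete"                # no fragment with MF=0 seen yet


def decide(frags):
    """Forwarding policy: only a clean, complete set is reassembled and passed on;
    incomplete sets wait for more fragments, everything else is dropped."""
    status = check_fragments(frags)
    if status == "ok":
        return "forward"
    return "hold" if status == "incomplete" else "drop"


if __name__ == "__main__":
    # Constructed fragment sets (a 1500-byte MTU gives 1480 payload bytes per fragment).
    print(decide([(0, 1480, True), (1480, 1480, True), (2960, 500, False)]))  # forward
    print(decide([(0, 1480, True), (1472, 1480, False)]))                     # drop
    print(decide([(0, 1480, True)]))                                           # hold
```

An exact duplicate of an already-seen fragment is also reported as an overlap here; a production reassembler would compare contents and accept byte-identical retransmissions, but still drop any fragment whose bytes differ from what it overlaps.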
Unknown Packet Types
By default, ‘unknown’ packet types are not discarded by the Ally. Enabling the dropping of these packets prevents unknown packet types from entering your network. However, these types include legacy protocols and services such as IPX/SPX (Novell NetWare) and native Microsoft NetBIOS (unless it is encapsulated within TCP/IP).
DNS Cache Poisoning
DNS cache poisoning can be prevented by the Ally appliance. This feature prevents false DNS resolution replies from entering your network.
DNS Tunneling
The use of the DNS protocol for anything other than DNS resolution can be prevented by the Ally. As an example, unless this feature is enabled, a user could set up a system that tunnels web traffic over DNS.
The default Ally configuration has DNS protection disabled to simplify the product installation. Once you have confirmed that the appliance is working properly in the default configuration, enable the DNS protections.
Information Leakage
Previously transmitted data is often used by network cards to fill in non-required fields or to increase packet sizes to meet the minimum frame size required by various protocols. For instance, Ethernet frames must be at least 64 bytes in length. Packets that are shorter than this required minimum are padded with a previous transmission’s data to reach the 64-byte frame length. Therefore, confidential information on the inside of your LAN that has been accessed legitimately, and without encryption, can be sent out to the Internet in the padding of the next DNS resolution request, as one example. The Ally changes the content of all bytes beyond the exact size required, or within non-required fields, in order to prevent data leakage.
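The padding bytes are easy to locate because the IP header states the datagram's true length; everything after that point in a captured frame is filler. The following added example (not the page's or the vendor's code) emulates a NIC that pads a short frame with stale transmit-buffer contents, then shows the two checks a defender wants: whether the padding of a captured frame is all zeros, and a scrub that zeros it before the frame leaves. It assumes IPv4 over Ethernet, frames captured without the 4-byte FCS (so the 64-byte minimum on the wire appears as 60 bytes), and constructed addresses and payloads.

```python
import struct

MIN_FRAME = 60  # 64 bytes on the wire minus the 4-byte FCS that capture tools strip
ETHERTYPE_IPV4 = b"\x08\x00"


def ipv4_datagram(payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with constructed addresses, carrying payload."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 17, 0,
                      bytes([10, 0, 0, 5]), bytes([192, 0, 2, 53]))
    return hdr + payload


def build_frame(datagram: bytes, stale_buffer: bytes) -> bytes:
    """Emulate a NIC that pads a short frame with whatever its transmit buffer held."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + ETHERTYPE_IPV4
    frame = eth + datagram
    if len(frame) < MIN_FRAME:
        frame += stale_buffer[: MIN_FRAME - len(frame)]
    return frame


def padding_bytes(frame: bytes) -> bytes:
    """Bytes after the end of the IP datagram, i.e. the frame padding."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return b""  # only IPv4 is handled in this example
    total_len = struct.unpack("!H", frame[16:18])[0]   # IP total length at IP offset 2
    return frame[14 + total_len:]


def padding_is_clean(frame: bytes) -> bool:
    """Detection: padding should carry no information at all."""
    return all(b == 0 for b in padding_bytes(frame))


def scrub_padding(frame: bytes) -> bytes:
    """Mitigation: overwrite the padding with zeros, leaving the datagram untouched."""
    pad_len = len(padding_bytes(frame))
    return frame[: len(frame) - pad_len] + bytes(pad_len)


if __name__ == "__main__":
    # Constructed DNS query header (UDP to port 53) and a constructed stale buffer.
    udp = struct.pack("!HHHH", 53000, 53, 8, 0)
    frame = build_frame(ipv4_datagram(udp), b"SECRET payroll row 17 ...")
    print(padding_bytes(frame))              # b'SECRET payroll row'
    print(padding_is_clean(frame))           # False
    print(padding_is_clean(scrub_padding(frame)))  # True
```

The same length-versus-declared-length comparison works on a packet capture: any frame whose padding is non-zero indicates a sender on the LAN that is leaking buffer contents, which is the condition the appliance's rewriting removes.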
Network Reconnaissance:
IP Address Discovery;
TCP Port Discovery;
UDP Port Discovery;
OS Fingerprinting
A critical part of an attacker’s network reconnaissance is to determine which addresses, ports, operating systems and firewall devices are used in your network. The Ally prevents address discovery, port discovery, bounce scanning and other types of network reconnaissance by default.
IP Spoofing
Attackers frequently change their packets to show a different IP address than the one they are actually using. For connection-oriented sessions, such as HTTP over TCP, the Ally appliance prevents any connection into the network unless the original source IP address remains unchanged throughout the session. For example, only ACK responses that match the originator’s IP address from the initial SYN request are allowed into the network.
Resource Flooding & Denial of Service (DoS)
The Ally protects against DoS and its variants, along with illegitimately large volumes of traffic intended to overload a system until it can no longer respond to legitimate traffic. Examples of DoS and other resource floods thwarted by the Ally IP1000 are: SYN; SYN/ACK; ACK; RESET; three-way connection ‘hogs’ (the handshake completes, but no data is sent); invalid TCP packets; and open idle connections.
Session Hijacking:
Initial Sequence Number (ISN) Guessing;
IPID Guessing
Session hijacking involves brute force methods to attempt to match an existing ISN, IPID, and other fields within the IP and TCP header. By default, the Ally IP1000 hardens, encrypts and randomizes many of the IP and TCP fields to prevent session hijacking. Windows XP nodes sitting behind a typical firewall have a 12% likelihood of being hijacked. With an Ally appliance in place, this likelihood drops to a 0.00001% chance of success.
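Why randomizing the ISN matters can be shown with two standard pieces of TCP: the RFC 6528 ISN construction, where the ISN is a clock value plus a keyed function of the connection's 4-tuple, and the RFC 793 receive-window check that decides whether an in-flight segment is considered at all. Once the ISN cannot be predicted, a forged segment only lands by luck, and the chance of that is the receive window divided by 2^32. The following added example (not the page's or the vendor's code, and it does not reproduce the page's percentages) assumes HMAC-SHA256 as the keyed function, a constructed secret, and a microsecond clock supplied by the caller.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"  # the per-boot secret key in RFC 6528 terms
MASK = 0xFFFFFFFF


def initial_sequence_number(local_ip, local_port, remote_ip, remote_port, now_us,
                            secret=SECRET):
    """RFC 6528 construction: ISN = M + F(local, remote, secret), where M is a clock
    ticking every 4 microseconds and F is a keyed function of the 4-tuple."""
    m = (now_us // 4) & MASK
    msg = f"{local_ip}:{local_port}|{remote_ip}:{remote_port}".encode()
    f = struct.unpack(">I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]
    return (m + f) & MASK


def in_receive_window(rcv_nxt, rcv_wnd, seq):
    """RFC 793 acceptability test: a segment is considered only if its sequence number
    falls in [rcv_nxt, rcv_nxt + rcv_wnd), evaluated modulo 2^32 so wrap-around works."""
    return ((seq - rcv_nxt) & MASK) < rcv_wnd


def blind_guess_success(rcv_wnd):
    """Probability that a single uniformly random sequence-number guess is accepted
    when the true ISN is unpredictable."""
    return rcv_wnd / 2 ** 32


if __name__ == "__main__":
    # Constructed connections: same instant, different peers, unrelated ISNs.
    t = 1_700_000_000_000_000
    a = initial_sequence_number("192.0.2.10", 80, "203.0.113.5", 40000, t)
    b = initial_sequence_number("192.0.2.10", 80, "203.0.113.6", 40000, t)
    print(hex(a), hex(b))
    print(in_receive_window(0xFFFFFF00, 0x200, 0x10))   # True: window wraps past 2^32
    print(f"{blind_guess_success(65535):.2e}")          # about 1.5e-05 per guess
```

The window check is the reason hardening the sequence space and keeping the advertised window small both reduce exposure: the attacker must hit a 2^32-wide space with a window-sized target, and with an unpredictable ISN there is no observation that narrows the search.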
Worm Mitigation
Worms typically propagate by scanning for the next target victim. The Ally security appliance detects these scans, blacklists the offending node, and drops any further traffic from that node. Therefore, by default, worm propagation into your network is stopped.
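The scan-then-blacklist behaviour described above reduces to a counting rule: a source that opens connections to many distinct (host, port) targets inside a short window is scanning, and everything it sends afterwards is dropped. The following added example (not the page's or the vendor's code) implements that rule over constructed connection-attempt records, with the threshold, window and blacklist lifetime as assumed tunables; it is direction-agnostic, so the same logic applies to inbound probes and to an infected internal host trying to spread.

```python
from collections import defaultdict, deque


class ScanDetector:
    """Sliding-window fan-out detector: a source touching `threshold` distinct
    (dst, dport) targets within `window_s` seconds is blacklisted for `ban_s`."""

    def __init__(self, threshold=10, window_s=60.0, ban_s=3600.0):
        self.threshold = threshold
        self.window_s = window_s
        self.ban_s = ban_s
        self.events = defaultdict(deque)   # src -> deque of (ts, (dst, dport))
        self.blacklist = {}                # src -> time the ban was applied

    def observe(self, ts, src, dst, dport):
        """Feed one connection attempt (e.g. a SYN); returns 'forward' or 'drop'."""
        banned_at = self.blacklist.get(src)
        if banned_at is not None:
            if ts - banned_at < self.ban_s:
                return "drop"              # still blacklisted: drop without inspection
            del self.blacklist[src]        # ban expired; start counting afresh
            self.events[src].clear()
        q = self.events[src]
        q.append((ts, (dst, dport)))
        while q and q[0][0] < ts - self.window_s:
            q.popleft()                    # forget attempts older than the window
        distinct_targets = {target for _, target in q}
        if len(distinct_targets) >= self.threshold:
            self.blacklist[src] = ts
            return "drop"
        return "forward"


def run_demo():
    """Constructed traffic: one host sweeping a subnet on port 445, one normal client."""
    det = ScanDetector(threshold=10, window_s=60.0)
    sweep = [det.observe(100.0 + i * 0.1, "10.0.0.99", f"10.0.0.{i}", 445)
             for i in range(1, 16)]
    normal = [det.observe(100.0 + i, "10.0.0.7", "192.0.2.1", 443) for i in range(3)]
    return sweep, normal, sorted(det.blacklist)


if __name__ == "__main__":
    sweep, normal, banned = run_demo()
    print(sweep)    # nine 'forward' decisions, then 'drop' from the tenth target on
    print(normal)   # ['forward', 'forward', 'forward']
    print(banned)   # ['10.0.0.99']
```

Counting distinct targets rather than raw packets keeps a busy but legitimate client (many connections to one server) below the threshold; hosts that legitimately fan out, such as a vulnerability scanner or a monitoring server, need an allow-list so they are not banned.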