Configures IP components
ip [dos|tcp]
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-max-incomplete|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke}
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [drop-only]
ip dos tcp-max-incomplete [high|low] <1-1000>
ip tcp [adjust-mss|optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
ip tcp adjust-mss <472-1460>
ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]
dos | Identifies IP events as DoS events
ascend | Optional. Detects Ascend DoS attacks. Ascend DoS attacks target known vulnerabilities in various versions of Ascend routers. Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator. Sending a formatted packet to this port can cause an Ascend router to crash.
broadcast-multicast-icmp | Optional. Detects broadcast or multicast ICMP DoS attacks. These attacks take advantage of ICMP echo reply behavior: the attacker spoofs the source address of the target and sends ICMP broadcast or multicast echo requests to the rest of the network, flooding the target machine with replies.
chargen | Optional. Detects chargen attacks. The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and debugging networks; it is also used as a source of generic payload for bandwidth and QoS measurements. The chargen attack establishes a Telnet connection to port 19 and attempts to use the character generator service to create a string of characters, which is then directed to the DNS service on port 53 to disrupt DNS services.
fraggle | Optional. Detects Fraggle DoS attacks. The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to each broadcast address's echo port (port 7). Each host that has port 7 open responds to the request, generating a lot of traffic on the network. Hosts that do not have port 7 open send an unreachable message back to the originator, further clogging the network with more traffic.
ftp-bounce | Optional. Detects FTP bounce attacks. An FTP bounce attack is a MIM (man-in-the-middle) attack that enables an attacker to open a port on a different machine using FTP. FTP requires that when a client requests a connection on the FTP port (21), another connection must open between the server and the client. To set up that data connection, the PORT command has the client specify an arbitrary destination machine and port. An attacker exploits this to gain access to a device that may not be the originating client.
invalid-protocol | Optional. Enables a check for an invalid protocol number. Attackers may exploit vulnerabilities in the endpoint implementation by sending invalid protocol fields, or may misuse the endpoint software's misinterpretation of them. This can lead to inadvertent leakage of sensitive network topology information, call hijacking, or a DoS attack.
ip-ttl-zero | Optional. Enables a check for the TCP/IP TTL field having a value of zero (0). The TCP/IP TTL zero DoS attack sends spoofed multicast packets onto the network with a TTL (Time to Live) of 0. This causes packets to loop back to the spoofed originating machine, and can overload the network.
ipspoof | Optional. Enables a check for the IP spoofing DoS attack. IP spoofing is a category of DoS attack that sends IP packets with forged source addresses, which can hide the identity of the attacker.
land | Optional. Detects LAND DoS attacks. A LAND (Local Area Network Denial) attack is a DoS attack where spoofed IP packets are sent to a device with the source IP and destination IP of the packet both set to the target device's IP, and similarly the source port and destination port set to open ports on the same device. This causes the attacked device to reply to itself continuously.
option-route | Optional. Enables an IP Option Record Route DoS check
router-advt | Optional. Detects router advertisement attacks. This attack uses ICMP to redirect the network router function to some other host. If that host cannot provide router services, a DoS of network communications occurs as routing stops. The attack can also be modified to single out a specific system, so that only that system is subject to attack (because only that system sees the 'false' router). By providing router services from a compromised host, the attacker can also place themselves in a man-in-the-middle position and take control of any open channel at will (as mentioned earlier, this is often used with TCP packet forgery and spoofing to intercept and change open Telnet sessions).
router-solicit | Optional. Detects router solicitation attacks. The ICMP router solicitation scan is used to actively find routers on a network. A hacker could set up a protocol analyzer to detect routers as they broadcast routing information on the network. In some instances, however, routers may not send updates; for example, if the local network has no other routers, the router may be configured not to send routing information packets onto the local network. ICMP offers a method for router discovery: clients send ICMP router solicitation multicasts onto the network, and routers must respond (as defined in RFC 1122). (For more information about the process of ICMP router solicitation, see "Routing Sequences for ICMP.") By sending ICMP router solicitation packets (ICMP type 9) on the network and listening for ICMP router discovery replies (ICMP type 10), hackers can build a list of all the routers that exist on a network segment. Hackers often use this scan to locate routers that do not reply to ICMP echo requests.
smurf | Optional. Detects Smurf attacks. In this attack, a large number of ICMP echo packets are sent with a spoofed source address, so the device with the spoofed source address is flooded with a large number of replies.
snork | Optional. Detects Snork attacks. This attack causes a remote Windows™ NT host to consume 100% of the CPU's resources. It uses a UDP packet with a destination port of 135 and a source port of 7, 9, or 135. The attack can also be exploited as a bandwidth consuming attack.
tcp-bad-sequence | Optional. Detects a DoS attack that uses a specially crafted TCP packet to cause the targeted device to drop all subsequent network traffic for a specific TCP connection.
tcp-fin-scan | Optional. Detects TCP FIN scan attacks. Hackers use the TCP FIN scan to identify listening TCP port numbers based on how the target device reacts to a transaction close request for a TCP port (even though no connection may exist before these close requests are made). This type of scan can get through basic firewalls and boundary routers that filter on incoming TCP packets with the Finish (FIN) and ACK flag combination. The TCP packets used in this scan include only the TCP FIN flag setting. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target device discards the FIN and sends no reply.
tcp-intercept | Optional. Prevents TCP intercept attacks by using TCP SYN cookies. A SYN-flooding attack occurs when a hacker floods a server with a barrage of connection requests. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a Web site, accessing email, using FTP service, and so on. The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP SYN (synchronization) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depend on the platform, memory, processor, and other factors. In the case of illegitimate requests, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests. When establishing a security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and threshold of outstanding connections. You can optionally operate TCP intercept in watch mode rather than intercept mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.
tcp-null-scan | Optional. Detects TCP NULL scan attacks. Hackers use the TCP NULL scan to identify listening TCP ports. This scan also uses a series of strangely configured TCP packets, which contain a sequence number of 0 and no flags. Again, this type of scan can get through some firewalls and boundary routers that filter incoming TCP packets with standard flag settings. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan packet, sending no reply.
tcp-post-syn | Optional. Detects TCP post-SYN DoS attacks. A remote attacker may attempt to avoid detection by sending a SYN frame with a different sequence number than the original SYN. This can cause an Intrusion Detection System (IDS) to become unsynchronized with the data in a connection, so that subsequent frames sent during the connection are ignored by the IDS.
tcp-sequence-past-window | Optional. Enables a TCP SEQUENCE PAST WINDOW DoS attack check. Disable this check to work around a bug in Windows XP's TCP stack, which sends data past the window when conducting a selective ACK.
tcp-xmas-scan | Optional. Detects TCP XMAS scans. A TCP XMAS scan finds services on ports: a closed port returns an RST, which allows the attacker to identify open ports.
tcphdrfrag | Optional. Detects a DoS attack where the TCP header spans IP fragments
twinge | Optional. Detects a twinge attack, a flood of false ICMP packets sent to try to slow down a system
udp-short-hdr | Optional. Enables the identification of truncated UDP headers and UDP header length fields
winnuke | Optional. Detects WinNuke attacks. This DoS attack is specific to Windows™ 95 and Windows™ NT. The WinNuke DoS attack sends a large amount of data to UDP port 137 to crash the NetBIOS service on Windows, resulting in high CPU utilization on the target machine.
log-and-drop | Logs the event and drops the packet
log-only | Logs the event only; the packet is not dropped
log-level | Configures the log level
<0-7> | Sets the numeric logging level
emergencies | Numerical severity 0. System is unusable
alerts | Numerical severity 1. Indicates a condition where immediate action is required
critical | Numerical severity 2. Indicates a critical condition
errors | Numerical severity 3. Indicates an error condition
warnings | Numerical severity 4. Indicates a warning condition
notifications | Numerical severity 5. Indicates a normal but significant condition
informational | Numerical severity 6. Indicates an informational condition
debugging | Numerical severity 7. Debugging messages
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [drop-only]
dos | Identifies IP events as DoS events
ascend | Optional. Enables an Ascend DoS check. Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator. Sending a formatted packet to this port can cause an Ascend router to crash.
broadcast-multicast-icmp | Optional. Detects broadcast or multicast ICMP packets as an attack
chargen | Optional. Detects chargen attacks. The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and debugging networks; it is also used as a source of generic payload for bandwidth and QoS measurements.
fraggle | Optional. The Fraggle DoS attack check looks for UDP packets to or from port 7 or 19
ftp-bounce | Optional. An FTP bounce attack is a MIM (man-in-the-middle) attack that enables an attacker to open a port on a different machine using FTP. FTP requires that when a client requests a connection on the FTP port (21), another connection must open between the server and the client. To set up that data connection, the PORT command has the client specify an arbitrary destination machine and port. An attacker exploits this to gain access to a device that may not be the originating client.
invalid-protocol | Optional. Enables a check for an invalid protocol number
ip-ttl-zero | Optional. Enables a check for the TCP/IP TTL field having a value of zero (0)
ipspoof | Optional. Enables a check for the IP spoofing DoS attack
land | Optional. A LAND (Local Area Network Denial) attack is a DoS attack where spoofed IP packets are sent to a device with the source IP and destination IP of the packet both set to the target device's IP, and similarly the source port and destination port set to open ports on the same device. This causes the attacked device to reply to itself continuously.
option-route | Optional. Enables an IP Option Record Route DoS check
router-advt | Optional. Detects an attack where a default route entry is added remotely to a device. This route entry is given preference, and thereby exposes an attack vector.
router-solicit | Optional. Detects router solicitation messages, which are sent to locate routers as a form of network scanning. This information can then be used to attack a device.
smurf | Optional. In this attack, a large number of ICMP echo packets are sent with a spoofed source address, so the device with the spoofed source address is flooded with a large number of replies.
snork | Optional. This attack causes a remote Windows™ NT host to consume 100% of the CPU's resources. It uses a UDP packet with a destination port of 135 and a source port of 7, 9, or 135. The attack can also be exploited as a bandwidth consuming attack.
tcp-bad-sequence | Optional. A DoS attack that uses a specially crafted TCP packet to cause the targeted device to drop all subsequent network traffic for a specific TCP connection
tcp-fin-scan | Optional. A FIN scan finds services on ports: a closed port returns an RST, which allows the attacker to identify open ports.
tcp-intercept | Optional. Prevents TCP intercept attacks by using TCP SYN cookies
tcp-null-scan | Optional. A TCP NULL scan finds services on ports: a closed port returns an RST, which allows the attacker to identify open ports.
tcp-post-syn | Optional. Enables a TCP post-SYN DoS attack check
tcp-sequence-past-window | Optional. Enables a TCP SEQUENCE PAST WINDOW DoS attack check. Disable this check to work around a bug in Windows XP's TCP stack, which sends data past the window when conducting a selective ACK.
tcp-xmas-scan | Optional. A TCP XMAS scan finds services on ports: a closed port returns an RST, which allows the attacker to identify open ports.
tcphdrfrag | Optional. A DoS attack where the TCP header spans IP fragments
twinge | Optional. A twinge attack is a flood of false ICMP packets sent to try to slow down a system
udp-short-hdr | Optional. Enables the identification of truncated UDP headers and UDP header length fields
winnuke | Optional. This DoS attack is specific to Windows™ 95 and Windows™ NT, and causes devices to crash with a blue screen
drop-only | Optional. Drops the packet without logging
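The following is an added example, not WiNG code: a small classifier that applies the packet-level descriptions above (ip-ttl-zero, land, tcp-null-scan, tcp-fin-scan, tcp-xmas-scan, snork, fraggle) to constructed packet summaries, then maps each hit to the log-and-drop, log-only or drop-only action and syslog severity a policy would assign. The XMAS flag set (FIN, PSH, URG) is an assumption, since the page does not list the flags.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits


@dataclass
class Pkt:
    """Constructed packet summary; real code would decode these from a capture."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: int = 0        # TCP flag bitmask (0 for non-TCP)
    ttl: int = 64
    seq: int = 1


def dos_checks(p: Pkt) -> list:
    """Return the 'ip dos' keywords whose description matches this packet."""
    hits = []
    if p.ttl == 0:
        hits.append("ip-ttl-zero")            # TTL field of zero
    if p.src == p.dst and p.sport == p.dport:
        hits.append("land")                   # source and destination IP/port identical
    if p.proto == "tcp":
        if p.flags == 0 and p.seq == 0:
            hits.append("tcp-null-scan")      # no flags, sequence number 0
        elif p.flags == FIN:
            hits.append("tcp-fin-scan")       # FIN is the only flag set
        elif p.flags == FIN | PSH | URG:
            hits.append("tcp-xmas-scan")      # assumed XMAS flag set; the page does not list it
    elif p.proto == "udp":
        if p.dport == 135 and p.sport in (7, 9, 135):
            hits.append("snork")              # UDP to port 135 from port 7, 9 or 135
        if {p.sport, p.dport} & {7, 19}:
            hits.append("fraggle")            # UDP to or from port 7 or 19
    return hits


# Per-check action as entered with e.g. "ip dos land log-and-drop log-level 1".
# Value is (action, syslog severity); drop-only produces no log entry.
POLICY = {
    "land": ("log-and-drop", 1),
    "tcp-null-scan": ("log-only", 6),
    "tcp-fin-scan": ("log-only", 6),
    "tcp-xmas-scan": ("log-only", 6),
    "snork": ("log-and-drop", 2),
    "fraggle": ("drop-only", None),
    "ip-ttl-zero": ("drop-only", None),
}


def apply_policy(p: Pkt, policy=POLICY):
    """Return (dropped, log_lines) for one packet under the configured policy."""
    dropped, logs = False, []
    for check in dos_checks(p):
        action, level = policy.get(check, ("log-only", 6))
        if action in ("log-and-drop", "drop-only"):
            dropped = True
        if action in ("log-and-drop", "log-only"):
            logs.append(f"<{level}> ip dos {check} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    return dropped, logs
```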
ip dos tcp-max-incomplete [high|low] <1-1000>
dos | Identifies IP events as DoS events
tcp-max-incomplete | Sets the limits for the maximum number of incomplete TCP connections
high | Sets the upper limit for the maximum number of incomplete TCP connections
low | Sets the lower limit for the maximum number of incomplete TCP connections
<1-1000> | Sets the range limit from 1 - 1000 connections
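Added example (not WiNG code) of how a high/low pair for tcp-max-incomplete can govern a half-open connection table. The page only names the two limits; the hysteresis behaviour modelled here (drop new SYNs once the table reaches the high limit, resume once it drains to the low limit) and the 30-second timeout are assumptions.

```python
class HalfOpenTable:
    """Tracks incomplete (SYN seen, no final ACK) TCP flows against a high/low pair.

    Assumption (not stated on the page): once the table reaches the high limit,
    new SYNs are dropped until it drains back to the low limit.
    """

    def __init__(self, high=600, low=60):
        assert 1 <= low <= high <= 1000          # CLI accepts <1-1000> for each limit
        self.high, self.low = high, low
        self.pending = {}                        # (src, sport, dst, dport) -> time of SYN
        self.limiting = False

    def on_syn(self, key, now):
        """A new SYN arrives: record it as half-open unless limiting is in effect."""
        if len(self.pending) >= self.high:
            self.limiting = True
        if self.limiting:
            return "drop"
        self.pending[key] = now
        return "admit"

    def on_established(self, key):
        """Handshake completed: the flow is no longer incomplete."""
        self.pending.pop(key, None)
        self._maybe_clear()

    def expire(self, now, max_age=30):
        """Time out stale half-open flows (the 30 s age is a constructed value)."""
        for key, t in list(self.pending.items()):
            if now - t > max_age:
                del self.pending[key]
        self._maybe_clear()

    def _maybe_clear(self):
        if self.limiting and len(self.pending) <= self.low:
            self.limiting = False


def simulate(high=600, low=60):
    """SYN flood from one source, then a drain; returns (dropped, verdict after drain)."""
    table = HalfOpenTable(high, low)
    dropped = 0
    for i in range(high + 50):                   # constructed flood: 50 more SYNs than 'high'
        if table.on_syn(("198.51.100.7", 40000 + i, "10.0.0.5", 80), now=i) == "drop":
            dropped += 1
    table.expire(now=high + 1000)                # everything is stale, table drains below 'low'
    return dropped, table.on_syn(("10.0.0.8", 50000, "10.0.0.5", 80), now=high + 1001)
```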
ip tcp adjust-mss <472-1460>
tcp | Identifies and configures TCP events and configuration items
adjust-mss | Adjusts the TCP MSS. Use this option to adjust the MSS for TCP segments on the router.
<472-1460> | Sets the TCP MSS value from 472 - 1460 bytes. The default is 472 bytes.
ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
tcp | Identifies and configures TCP events and configuration items
optimize-unnecessary-resends | Enables the validation of unnecessary TCP packets
recreate-flow-on-out-of-state-syn | Allows a TCP SYN packet to delete an old flow in the TCP_FIN_FIN_STATE or TCP_CLOSED_STATE state and create a new flow
validate-icmp-unreachable | Enables the validation of the sequence number in ICMP unreachable error packets, which abort an established TCP flow
validate-rst-ack-number | Enables the validation of the acknowledgment number in RST packets, which abort a TCP flow
validate-rst-seq-number | Enables the validation of the sequence number in RST packets, which abort an established TCP flow
nx9500-6C8809(config-fw-policy-testFW)#ip dos fraggle drop-only
nx9500-6C8809(config-fw-policy-testFW)#ip dos tcp-max-incomplete high 600
nx9500-6C8809(config-fw-policy-testFW)#ip dos tcp-max-incomplete low 60
nx9500-6C8809(config-fw-policy-testFW)#ip dos tcp-sequence-past-window drop-only
nx9500-6C8809(config-fw-policy-testFW)#show context
firewall-policy testFW
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 alg facetime
 dns-snoop entry-timeout 1200
nx9500-6C8809(config-fw-policy-testFW)#
no | Resets firewall policy IP components