ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaub_5.4.0.1/rzaubeventattack.htm

105 lines
6.7 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Attack events" />
<meta name="abstract" content="The intrusion detection system detects different types of attack events and writes an IM audit record in the QAUDJRN audit journal." />
<meta name="description" content="The intrusion detection system detects different types of attack events and writes an IM audit record in the QAUDJRN audit journal." />
<meta name="DC.Relation" scheme="URI" content="rzaubanalyze.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaubeventattack" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Attack events</title>
</head>
<body id="rzaubeventattack"><a name="rzaubeventattack"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Attack events</h1>
<div><p><span>The intrusion detection system detects different
types of attack events and writes an IM audit record in the QAUDJRN audit
journal.</span></p>
<div class="section"><div class="p">The intrusion detection system detects the following
types of attack events:<ul><li>Malformed packets</li>
<li>Denial of service floods</li>
<li>ICMP redirect messages</li>
<li>Perpetual echo on UDP ports</li>
<li>IP fragments</li>
<li>Restricted IP options and protocols</li>
<li>Fragmented packets</li>
</ul>
</div>
<p>The number of audit records that the system generates
depends on the value of the maximum event message in the IDS policy.</p>
</div>
<div class="section" id="rzaubeventattack__malformed"><a name="rzaubeventattack__malformed"><!-- --></a><h4 class="sectiontitle">Malformed packet events</h4><p>A malformed
packet is built in such a way as to cause a system to crash or hang when it
is processed. <span>When the IDS policy detects a malformed packet,
it writes an audit record. The TCP/IP stack deletes the malformed packets.</span></p>
</div>
<div class="section" id="rzaubeventattack__fragment"><a name="rzaubeventattack__fragment"><!-- --></a><h4 class="sectiontitle">Fragment restriction events</h4><p>An
invalid fragment overlays IP or transport headers in an attempt to bypass
firewall checks. On the iSeries™ system, it is not possible to overlay an
IP header. The TCP/IP stack checks to ensure that the first fragment of a
fragmented datagram is a minimum of 576 bytes. The stack also checks that
each fragment beyond the first one has an offset of greater than 256 bytes. </p>
<p>The IDS policy audits invalid IP fragments.</p>
</div>
<div class="section" id="rzaubeventattack__ipoptionrestrict"><a name="rzaubeventattack__ipoptionrestrict"><!-- --></a><h4 class="sectiontitle">IP option restrictions</h4><p>The
IP options field in a datagram is a variable-length list of optional information.
Some of the IP Options, such as Loose Source Route, can be used in network
attacks. You can use the IDS policy to restrict which IP options that an inbound
packet can contain. For example, you can specify whether an inbound packet
with a restricted IP option <span>be ignored or audited</span>.
You also can generate statistics on the number of inbound packets with restricted
IP options. </p>
</div>
<div class="section" id="rzaubeventattack__ipprotocol"><a name="rzaubeventattack__ipprotocol"><!-- --></a><h4 class="sectiontitle">IP protocol restrictions</h4><p>The IP
protocol field is an 8-bit field in the IP header. Undefined IP protocols
are sometimes used to establish back door attacks on the network. You can
use the IDS policy to restrict which IP protocols that an inbound packet can
contain. The policy can specify whether an inbound packet with a restricted
IP protocol be audited. You also can generate statistics on the number of
inbound packets with restricted IP protocols.</p>
</div>
<div class="section" id="rzaubeventattack__synflood"><a name="rzaubeventattack__synflood"><!-- --></a><h4 class="sectiontitle">SYN flood events</h4><p>TCP SYN flood events
create a large number of half-open sockets. These flood events fill up the
socket connection backlog for a given application and deny valid connections
from being accepted. A SYN flood event spoofs the source IP address with the
address of an unreachable system. The IDS policy flags SYN flood events and
writes an audit record.</p>
</div>
<div class="section" id="rzaubeventattack__icmp"><a name="rzaubeventattack__icmp"><!-- --></a><h4 class="sectiontitle">ICMP redirect events</h4><p>You
can use Internet Control Message Protocol (ICMP) redirect messages to override
intended network routes. You can specify the IGNOREREDIRECT option in the
IDS policy file to either ignore or process ICMP redirect messages.</p>
</div>
<div class="section" id="rzaubeventattack__echo"><a name="rzaubeventattack__echo"><!-- --></a><h4 class="sectiontitle">Perpetual echo on UDP ports</h4><p>You
can use port 7, which is called the <dfn class="term">echo port</dfn>, to test a UDP
connection. (Both the source port and target port are set to port 7, which
causes each port to echo back what it gets.) Whatever data is sent through
UDP is echoed back. A perpetual echo is an attack on UDP port 7. The TCP/IP
stack detects the event if the source port is equal to the target port. If
there is an IDS policy for attack-type events, the system writes an audit
record whenever it detects a perpetual echo attack on the UDP port. </p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaubanalyze.htm" title="Learn how to analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record.">Analyze the auditing data</a></div>
</div>
</div>
</body>
</html>