<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Attack events" />
<meta name="abstract" content="The intrusion detection system detects different types of attack events and writes an IM audit record in the QAUDJRN audit journal." />
<meta name="description" content="The intrusion detection system detects different types of attack events and writes an IM audit record in the QAUDJRN audit journal." />
<meta name="DC.Relation" scheme="URI" content="rzaubanalyze.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzaubeventattack" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Attack events</title>
</head>
<body id="rzaubeventattack"><a name="rzaubeventattack"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Attack events</h1>
<div><p><span>The intrusion detection system detects different types of attack events and writes an IM audit record in the QAUDJRN audit journal.</span></p>
<div class="section"><div class="p">The intrusion detection system detects the following types of attack events:<ul><li>Malformed packets</li>
<li>Denial of service floods</li>
<li>ICMP redirect messages</li>
<li>Perpetual echo on UDP ports</li>
<li>IP fragments</li>
<li>Restricted IP options and protocols</li>
<li>Fragmented packets</li>
</ul>
</div>
<p>The number of audit records that the system generates depends on the value of the maximum event message in the IDS policy.</p>
</div>
<div class="section" id="rzaubeventattack__malformed"><a name="rzaubeventattack__malformed"><!-- --></a><h4 class="sectiontitle">Malformed packet events</h4><p>A malformed packet is built in such a way as to cause a system to crash or hang when it is processed. <span>When the IDS policy detects a malformed packet, it writes an audit record. The TCP/IP stack discards the malformed packets.</span></p>
</div>
<div class="section" id="rzaubeventattack__fragment"><a name="rzaubeventattack__fragment"><!-- --></a><h4 class="sectiontitle">Fragment restriction events</h4><p>An invalid fragment overlays IP or transport headers in an attempt to bypass firewall checks. On the iSeries™ system, it is not possible to overlay an IP header. The TCP/IP stack checks that the first fragment of a fragmented datagram is at least 576 bytes, and that each fragment after the first has an offset greater than 256 bytes.</p>
<p>The IDS policy audits invalid IP fragments.</p>
</div>
<div class="section" id="rzaubeventattack__ipoptionrestrict"><a name="rzaubeventattack__ipoptionrestrict"><!-- --></a><h4 class="sectiontitle">IP option restrictions</h4><p>The IP options field in a datagram is a variable-length list of optional information. Some IP options, such as Loose Source Route, can be used in network attacks. You can use the IDS policy to restrict which IP options an inbound packet can contain. For example, you can specify whether an inbound packet with a restricted IP option <span>is ignored or audited</span>. You can also generate statistics on the number of inbound packets with restricted IP options.</p>
</div>
<div class="section" id="rzaubeventattack__ipprotocol"><a name="rzaubeventattack__ipprotocol"><!-- --></a><h4 class="sectiontitle">IP protocol restrictions</h4><p>The IP protocol field is an 8-bit field in the IP header. Undefined IP protocols are sometimes used to establish back door attacks on the network. You can use the IDS policy to restrict which IP protocols an inbound packet can contain. The policy can specify whether an inbound packet with a restricted IP protocol is audited. You can also generate statistics on the number of inbound packets with restricted IP protocols.</p>
</div>
<div class="section" id="rzaubeventattack__synflood"><a name="rzaubeventattack__synflood"><!-- --></a><h4 class="sectiontitle">SYN flood events</h4><p>TCP SYN flood events create a large number of half-open sockets. These flood events fill up the socket connection backlog for a given application and prevent valid connections from being accepted. A SYN flood event spoofs the source IP address with the address of an unreachable system, so the handshakes never complete. The IDS policy flags SYN flood events and writes an audit record.</p>
</div>
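<p>The following Python script is an added example and is not IBM code or part of the iSeries IDS. It models the half-open backlog described above: each bare inbound SYN occupies a slot until the peer's ACK (or RST) arrives, a spoofed and unreachable source never sends that ACK, and once the backlog passes a threshold an audit record is written, with the number of records per port capped in the way the maximum event message value in the IDS policy limits them. The threshold and cap values, the segment sequence and the record layout are assumptions for illustration; the real IM audit record fields are described in the parent topic.</p>

```python
from collections import defaultdict

# Assumed policy values: the page gives no numbers, so these stand in for the
# IDS policy's flood threshold and its maximum-event-message cap.
MAX_HALF_OPEN = 3       # half-open connections per listening port before an event is raised
MAX_EVENT_MESSAGE = 2   # audit records written per port before further events are suppressed


class HalfOpenTracker:
    """Tracks half-open TCP connections per listening port and raises audit
    records (modelled loosely on the IM audit record) when the backlog floods."""

    def __init__(self, max_half_open=MAX_HALF_OPEN, max_event_message=MAX_EVENT_MESSAGE):
        self.max_half_open = max_half_open
        self.max_event_message = max_event_message
        self.half_open = defaultdict(set)   # dport -> {(src_ip, sport), ...}
        self.audit = []                     # audit records written
        self.written = defaultdict(int)     # dport -> audit records written so far
        self.suppressed = 0                 # events dropped because the cap was reached

    def observe(self, src_ip, sport, dport, flags):
        """Feed one inbound segment; flags is a set such as {"SYN"} or {"ACK"}."""
        peer = (src_ip, sport)
        if flags == {"SYN"}:
            # A bare SYN opens a half-open socket; with a spoofed, unreachable
            # source the completing ACK never arrives and the slot stays taken.
            self.half_open[dport].add(peer)
            if len(self.half_open[dport]) > self.max_half_open:
                self._raise_event(dport, src_ip)
        elif "ACK" in flags or "RST" in flags:
            # Handshake completed (ACK) or aborted (RST): no longer half-open.
            self.half_open[dport].discard(peer)

    def _raise_event(self, dport, src_ip):
        if self.written[dport] >= self.max_event_message:
            self.suppressed += 1
            return
        self.written[dport] += 1
        self.audit.append({
            "type": "SYNFLOOD",
            "port": dport,
            "half_open": len(self.half_open[dport]),
            "last_source": src_ip,
        })

    def half_open_count(self, dport):
        return len(self.half_open[dport])


def run_constructed_flood():
    """Replay a constructed segment sequence (not captured traffic) and return the tracker."""
    t = HalfOpenTracker()
    # Six SYNs from distinct (constructed) sources to port 80, none of them completed.
    for i in range(1, 7):
        t.observe(f"198.51.100.{i}", 40000 + i, 80, {"SYN"})
    # One peer does complete its handshake, freeing a backlog slot.
    t.observe("198.51.100.1", 40001, 80, {"ACK"})
    return t


if __name__ == "__main__":
    tracker = run_constructed_flood()
    for rec in tracker.audit:
        print(rec)
    print("suppressed:", tracker.suppressed, "half-open on port 80:", tracker.half_open_count(80))
```

<p>With the assumed values, the fourth and fifth SYNs each produce an audit record, the sixth is counted but suppressed by the per-port cap, and the one completed handshake brings the backlog down to five. Keying the table on (source address, source port) rather than on source address alone matters because a flood from spoofed sources looks like many distinct peers, which is exactly the condition that exhausts the backlog.</p>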
<div class="section" id="rzaubeventattack__icmp"><a name="rzaubeventattack__icmp"><!-- --></a><h4 class="sectiontitle">ICMP redirect events</h4><p>Internet Control Message Protocol (ICMP) redirect messages can be used to override intended network routes. You can specify the IGNOREREDIRECT option in the IDS policy file to either ignore or process ICMP redirect messages.</p>
</div>
<div class="section" id="rzaubeventattack__echo"><a name="rzaubeventattack__echo"><!-- --></a><h4 class="sectiontitle">Perpetual echo on UDP ports</h4><p>Port 7, called the <dfn class="term">echo port</dfn>, can be used to test a UDP connection. (Both the source port and target port are set to port 7, which causes each port to echo back what it gets.) Whatever data is sent through UDP is echoed back. A perpetual echo is an attack on UDP port 7. The TCP/IP stack detects the event if the source port is equal to the target port. If there is an IDS policy for attack-type events, the system writes an audit record whenever it detects a perpetual echo attack on the UDP port.</p>
</div>
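<p>The following Python script is an added example and is not IBM code or part of the iSeries IDS. It applies the checks described in the fragment restriction, IP option restriction, IP protocol restriction and perpetual echo sections above to constructed IPv4 packets and returns the events a policy covering all attack types would audit. The 576-byte first-fragment minimum and the 256-byte offset minimum come from the page; the restricted option list (Loose and Strict Source Route, type codes from RFC 791), the protocol allowlist, the event strings and the sample packets are assumptions for illustration. Packets the parser cannot decode are reported as malformed, matching the page's malformed packet event.</p>

```python
import struct

# Assumed policy values: the page names Loose Source Route as a restrictable option
# and says protocols can be restricted, but gives no lists. Option type codes are
# from RFC 791; the protocol allowlist is constructed for this example.
RESTRICTED_IP_OPTIONS = {131: "Loose Source Route", 137: "Strict Source Route"}
ALLOWED_PROTOCOLS = {1, 6, 17}          # ICMP, TCP, UDP
MIN_FIRST_FRAGMENT_LEN = 576            # bytes, from the page
MIN_LATER_FRAGMENT_OFFSET = 256         # bytes, from the page
ECHO_PORT = 7


def parse_options(opts: bytes) -> list:
    """Return the option type codes in an IPv4 options field; ValueError if malformed."""
    types, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # No Operation (single byte, no length)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the options field")
        types.append(kind)
        i += length
    return types


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the IPv4 header; ValueError for anything the stack would reject as malformed."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (vihl, _tos, total_len, _ident, flags_frag, _ttl, proto,
     _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt) or total_len < ihl or total_len > len(pkt):
        raise ValueError("header length or total length inconsistent with packet")
    return {
        "ihl": ihl,
        "total_len": total_len,
        "mf": bool(flags_frag & 0x2000),           # More Fragments flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset field is in 8-byte units
        "proto": proto,
        "options": parse_options(pkt[20:ihl]),
    }


def check_packet(pkt: bytes) -> list:
    """Return the attack events an IDS policy covering all event types would audit."""
    try:
        h = parse_ipv4(pkt)
    except ValueError as err:
        return [f"MALFORMED: {err}"]
    events = []
    is_fragment = h["mf"] or h["frag_offset"] > 0
    if is_fragment and h["frag_offset"] == 0 and h["total_len"] < MIN_FIRST_FRAGMENT_LEN:
        events.append("FRAGMENT: first fragment shorter than 576 bytes")
    if h["frag_offset"] > 0 and h["frag_offset"] <= MIN_LATER_FRAGMENT_OFFSET:
        events.append("FRAGMENT: later fragment offset not greater than 256 bytes")
    for kind in h["options"]:
        if kind in RESTRICTED_IP_OPTIONS:
            events.append(f"IPOPTION: restricted option {RESTRICTED_IP_OPTIONS[kind]}")
    if h["proto"] not in ALLOWED_PROTOCOLS:
        events.append(f"IPPROTOCOL: restricted protocol {h['proto']}")
    # Perpetual echo: UDP with source port equal to target port on the echo port.
    if h["proto"] == 17 and h["frag_offset"] == 0 and h["total_len"] >= h["ihl"] + 8:
        sport, dport = struct.unpack("!HH", pkt[h["ihl"]:h["ihl"] + 4])
        if sport == dport == ECHO_PORT:
            events.append("ECHO: UDP source and target port are both port 7")
    return events


def build_ipv4(proto, payload=b"", frag_offset=0, mf=False, options=b""):
    """Construct a test packet (checksum left zero; it is not what these checks examine)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl_words = (20 + len(options)) // 4
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 20 + len(options) + len(payload),
                      1, flags_frag, 64, proto, 0, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    return hdr + options + payload


# Constructed sample packets, one per event type discussed on the page.
SAMPLES = {
    "short_first_fragment": build_ipv4(6, b"\x00" * 100, mf=True),
    "low_offset_fragment": build_ipv4(6, b"\x00" * 8, frag_offset=64),
    "valid_fragment": build_ipv4(6, b"\x00" * 8, frag_offset=576),
    "loose_source_route": build_ipv4(6, b"\x00" * 20, options=b"\x83\x07\x04\x0a\x00\x00\x01"),
    "restricted_protocol": build_ipv4(255, b"\x00" * 20),
    "perpetual_echo": build_ipv4(17, struct.pack("!HHHH", 7, 7, 8, 0)),
    "truncated": b"\x45\x00\x00\x14",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22s} {check_packet(pkt)}")
```

<p>Two details are worth noticing when reading the output. The fragment offset field counts 8-byte units, so the page's 256-byte rule is a check against an offset value of 32 or less, not 256; and the perpetual echo check is only applied to an unfragmented datagram or a first fragment, because that is the only place the UDP header can be read. A later fragment with an offset of 64 bytes therefore trips the fragment rule without ever being examined for the echo condition.</p>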
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaubanalyze.htm" title="Learn how to analyze the auditing data for intrusion detection activities, and obtain reference information about the fields in the IM audit record.">Analyze the auditing data</a></div>
</div>
</div>
</body>
</html>