Attack events

The intrusion detection system (IDS) detects several types of attack events and, when it detects one, writes an intrusion monitor (IM) audit record to the QAUDJRN audit journal.

The intrusion detection system detects the following types of attack events:
  • Malformed packets
  • Invalid IP fragments (fragment restrictions)
  • Restricted IP options and protocols
  • Denial of service floods (TCP SYN floods)
  • ICMP redirect messages
  • Perpetual echo on UDP ports

The number of audit records that the system writes for an attack is limited by the maximum event message value in the IDS policy.

Malformed packet events

A malformed packet is built so that processing it causes a system to crash or hang. When the intrusion detection system detects a malformed packet, it writes an audit record if the IDS policy calls for one. The TCP/IP stack discards malformed packets.

Fragment restriction events

An invalid fragment overlays IP or transport headers in an attempt to bypass firewall checks. On the iSeries™ system, it is not possible to overlay an IP header. The TCP/IP stack checks that the first fragment of a fragmented datagram is at least 576 bytes long, and that each fragment after the first has an offset greater than 256 bytes, so that a later fragment cannot rewrite the transport header carried in the first.

The IDS policy audits invalid IP fragments.

IP option restrictions

The IP options field in a datagram is a variable-length list of optional information. Some IP options, such as Loose Source Route, can be used in network attacks because they let the sender dictate the path a packet takes. You can use the IDS policy to restrict which IP options an inbound packet can contain, and to specify whether an inbound packet carrying a restricted IP option is ignored or audited. You can also generate statistics on the number of inbound packets with restricted IP options.

IP protocol restrictions

The IP protocol field is an 8-bit field in the IP header that identifies the transport protocol carried in the datagram. Undefined IP protocols are sometimes used to establish back door attacks on the network. You can use the IDS policy to restrict which IP protocols an inbound packet can carry, and to specify whether an inbound packet with a restricted IP protocol is audited. You can also generate statistics on the number of inbound packets with restricted IP protocols.

SYN flood events

A TCP SYN flood creates a large number of half-open connections: the attacker sends SYN segments whose source IP address is spoofed with the address of an unreachable system, so the SYN-ACK replies are never answered and each half-open connection stays in the backlog until it times out. These half-open connections fill the connection backlog for the target application and prevent valid connections from being accepted. The IDS policy flags SYN flood events and writes an audit record.
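The following Python script, added here as an illustration and not part of IBM i or its intrusion detection system, simulates the half-open backlog behaviour just described: spoofed SYNs from unreachable addresses are never completed, so they occupy backlog slots until a timeout, and a valid client is refused while the backlog is full. The backlog size, the half-open timeout and the addresses are assumptions chosen for the example.

```python
"""Half-open connection tracking: how a SYN flood exhausts a listen backlog.

Added example, not IBM i or IDS code. Constructed SYN and ACK events are fed to
a tracker that keeps one entry per half-open connection and reports a
SYN_FLOOD event when a port's backlog is full. Backlog size, half-open timeout
and the addresses are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

BACKLOG = 16          # assumed listen backlog per port
SYN_TIMEOUT = 30.0    # assumed seconds an unanswered SYN-ACK is kept half-open


@dataclass
class HalfOpenTracker:
    backlog: int = BACKLOG
    timeout: float = SYN_TIMEOUT
    # dst port -> {(src ip, src port): arrival time of the SYN}
    half_open: dict = field(default_factory=lambda: defaultdict(dict))
    events: list = field(default_factory=list)

    def expire(self, now: float) -> None:
        """Drop entries whose SYN-ACK has gone unanswered longer than the timeout."""
        for conns in self.half_open.values():
            for key in [k for k, t0 in conns.items() if now - t0 > self.timeout]:
                del conns[key]

    def syn(self, now: float, src_ip: str, src_port: int, dst_port: int) -> bool:
        """Inbound SYN: park it as half-open, or refuse it when the backlog is full."""
        self.expire(now)
        conns = self.half_open[dst_port]
        if len(conns) >= self.backlog:
            # Every slot is held by an unanswered SYN-ACK: a valid client is turned away.
            self.events.append(f"SYN_FLOOD port={dst_port} half_open={len(conns)}")
            return False
        conns[(src_ip, src_port)] = now
        return True

    def ack(self, src_ip: str, src_port: int, dst_port: int) -> None:
        """Third handshake step: a real client's ACK frees its backlog slot."""
        self.half_open[dst_port].pop((src_ip, src_port), None)

    def count(self, dst_port: int) -> int:
        return len(self.half_open[dst_port])


def simulate(backlog: int = BACKLOG) -> dict:
    """Run a constructed flood against port 80 and report what the tracker saw."""
    t = HalfOpenTracker(backlog=backlog)
    # A real client completes the handshake and leaves nothing behind.
    t.syn(0.0, "192.0.2.10", 40000, 80)
    t.ack("192.0.2.10", 40000, 80)
    # Spoofed SYNs with unreachable source addresses (constructed, TEST-NET-3):
    # the SYN-ACKs go nowhere, no ACK ever arrives, every entry stays half-open.
    for i in range(backlog):
        t.syn(0.5, f"203.0.113.{i + 1}", 50000 + i, 80)
    peak = t.count(80)
    refused = not t.syn(1.0, "192.0.2.11", 40001, 80)            # backlog full
    recovered = t.syn(t.timeout + 1.0, "192.0.2.11", 40002, 80)  # slots freed by timeout
    return {"peak": peak, "refused": refused, "recovered": recovered,
            "flood_events": len(t.events)}


if __name__ == "__main__":
    print(simulate())
```

The recovery step shows why a flood must be sustained to be effective: the backlog frees itself only when the half-open timeout expires, so the attacker simply keeps sending SYNs faster than entries age out.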

ICMP redirect events

Internet Control Message Protocol (ICMP) redirect messages can be used to override a host's intended network routes and redirect its traffic. You can specify the IGNOREREDIRECT option in the IDS policy file to either ignore or process ICMP redirect messages.

Perpetual echo on UDP ports

UDP port 7, the echo port, is used to test a UDP connection: whatever data is sent to it is echoed back to the sender. If both the source port and the destination port of a datagram are set to port 7, each side echoes back what it receives, and the two echo services bounce the datagram between them indefinitely. This perpetual echo is an attack on UDP port 7. The TCP/IP stack detects the event when the source port is equal to the destination port, as in the port 7 to port 7 case. If there is an IDS policy for attack-type events, the system writes an audit record whenever it detects a perpetual echo attack on the UDP port.
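The following Python script, added here as an example and not part of IBM i or its intrusion detection system, implements the stateless checks described in the fragment restriction, IP option restriction, IP protocol restriction and perpetual echo sections over constructed raw IPv4 datagrams. The 576-byte and 256-byte fragment limits are the ones stated above; the set of restricted option types (Record Route, Loose Source Route, Strict Source Route), the set of allowed protocols and the sample addresses stand in for an IDS policy and are assumptions.

```python
"""Stateless attack-event checks on inbound IPv4 datagrams.

Added example, not IBM i or IDS code. classify() parses a raw IPv4 datagram and
returns the attack events it would raise under the rules described on this
page: fragment restriction (first fragment >= 576 bytes, later fragments
offset > 256 bytes), restricted IP options, restricted IP protocols, and
perpetual echo on the UDP echo port. RESTRICTED_OPTIONS and ALLOWED_PROTOCOLS
stand in for an IDS policy and are assumptions, as are the sample addresses.
"""
import struct

FIRST_FRAGMENT_MIN_BYTES = 576     # limit stated on this page
LATER_FRAGMENT_MIN_OFFSET = 256    # limit stated on this page
ICMP, TCP, UDP = 1, 6, 17
ECHO_PORT = 7
MF = 0x2000                        # "more fragments" flag in the flags/offset field
# Assumed policy: option types to flag (IANA numbers: Record Route, LSRR, SSRR)
RESTRICTED_OPTIONS = {7: "RR", 131: "LSRR", 137: "SSRR"}
# Assumed policy: the only protocols this host expects to receive
ALLOWED_PROTOCOLS = {ICMP, TCP, UDP}


def parse_options(raw: bytes) -> list[int]:
    """Return the option type codes found in an IPv4 options field."""
    types, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                  # End of Option List
            break
        types.append(kind)
        if kind == 1:                                  # No Operation: one byte, no length
            i += 1
        elif i + 1 < len(raw) and raw[i + 1] >= 2:     # TLV option: skip by its length
            i += raw[i + 1]
        else:                                          # truncated option: stop parsing
            break
    return types


def classify(dgram: bytes) -> list[str]:
    """Return the attack events an inbound IPv4 datagram triggers (empty if none)."""
    events = []
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", dgram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & MF)
    offset = (flags_frag & 0x1FFF) * 8                 # fragment offset, bytes

    # Fragment restriction: a short first fragment or a low-offset later fragment
    # could let a later fragment overlay the transport header.
    if offset == 0 and more_fragments and total_len < FIRST_FRAGMENT_MIN_BYTES:
        events.append("FRAGMENT_RESTRICTION")
    elif 0 < offset <= LATER_FRAGMENT_MIN_OFFSET:
        events.append("FRAGMENT_RESTRICTION")

    # Restricted IP options
    hits = [RESTRICTED_OPTIONS[t] for t in parse_options(dgram[20:ihl]) if t in RESTRICTED_OPTIONS]
    if hits:
        events.append("RESTRICTED_IP_OPTION:" + ",".join(hits))

    # Restricted IP protocols
    if proto not in ALLOWED_PROTOCOLS:
        events.append(f"RESTRICTED_IP_PROTOCOL:{proto}")

    # Perpetual echo: UDP with source and destination port both 7. Only an
    # unfragmented datagram or a first fragment carries the UDP header.
    if proto == UDP and offset == 0 and len(dgram) >= ihl + 4:
        sport, dport = struct.unpack("!HH", dgram[ihl:ihl + 4])
        if sport == dport == ECHO_PORT:
            events.append("PERPETUAL_ECHO")
    return events


def build_ipv4(payload: bytes, proto: int, *, flags_frag: int = 0, options: bytes = b"") -> bytes:
    """Construct a test datagram (header checksum left 0; classify() does not verify it)."""
    options += b"\x00" * (-len(options) % 4)           # pad options to a 32-bit boundary
    ihl_words = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0,
                         ihl_words * 4 + len(payload), 0x1234, flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10]))
    return header + options + payload


# Constructed sample datagrams, one per event plus a clean control
SAMPLES = {
    "echo loop":       build_ipv4(struct.pack("!HHHH", 7, 7, 12, 0) + b"ping", UDP),
    "tiny first frag": build_ipv4(b"\x00" * 8, TCP, flags_frag=MF),          # 28 bytes, MF set
    "low offset frag": build_ipv4(b"\x00" * 8, TCP, flags_frag=MF | 1),      # offset 8 bytes
    "lsrr option":     build_ipv4(b"", TCP, options=bytes([131, 3, 4])),      # LSRR, empty route
    "odd protocol":    build_ipv4(b"", 253),                                  # experimental proto
    "clean tcp":       build_ipv4(b"\x00" * 20, TCP),
}

if __name__ == "__main__":
    for name, dgram in SAMPLES.items():
        print(f"{name:16s} -> {classify(dgram) or 'no event'}")
```

The perpetual echo check is deliberately limited to the echo port: flagging every UDP datagram whose ports match would also catch legitimate traffic such as NTP, which normally uses port 123 on both ends. Protocol and option checks are applied before looking at the UDP header because a fragment with a non-zero offset carries no transport header at all.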