TMS zl Management and Configuration Guide ST.1.2.100916

6-9
Intrusion Detection and Prevention
IDS/IPS Concepts
Reconnaissance
Reconnaissance attacks can be internal or external, and they are always intentional. Less
straightforward than brute force or other unauthorized access attacks, reconnaissance
attacks rely on several methods for detecting vulnerabilities in your
network so that any discovered vulnerabilities can then be exploited.
For example, network administrators use network mapping and enumeration
software to verify their network security. However, this software, which is
freely available on the Internet, can also be used as part of an attack. Attackers
can use it to gather information about endpoints and applications on your
network before even attempting to breach the network perimeter security.
Attackers can quickly and quietly discover a large amount of information
about your network, including service pack and hotfix levels, ICMP and
DNS resolution behavior, the operating systems running on your network, and many
other network vulnerabilities.
Protocol Anomalies
It is possible to generate packets that follow a protocol’s specifications but
have no legitimate purpose. These packets are referred to as protocol anomalies
because the protocol is being used in a way that is inconsistent with
common practice, not because the packet causes network traffic to deviate
from normal behavior.
Attackers can exploit protocol anomalies to get around protections, to put
characteristics of a protocol to unforeseen (and illegitimate) uses, or simply
to crash systems that do not know how to treat the anomaly.
Protocols that are often exploited in this way include ICMP, IP, TCP, and UDP. Two examples of
protocol anomaly attacks are:
Teardrop attack
The attacker exploits the fragmentation of IP packets. Packets are intentionally
fragmented with overlapping offset fields (the field that determines
the fragment’s position in the original packet). The conflicting
offset values cause the receiving device to crash when it attempts to
reassemble the fragments.
Land attack
The attacker exploits the TCP protocol by sending a stream of TCP SYN
packets whose source and destination IP addresses and TCP port numbers
are identical. This creates an unending loop of traffic as the network
device tries to establish a session with itself. All available resources
become consumed by the looped traffic, causing a denial of service.
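A defender-side check for the two anomalies just described, added here as an example and not part of the TMS zl guide or product: it inspects parsed header fields of constructed sample packets (the addresses, ports and identification values are assumptions) and raises an alert for a Land SYN or for an IP fragment whose byte range overlaps one already seen for the same datagram.

```python
from dataclasses import dataclass
# Constructed packet-header records (not captured traffic); frag_offset is in bytes, whereas the IP header stores it in 8-byte units
@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    flags: str = ""           # TCP flags; "S" marks a SYN
    ident: int = 0            # IP identification, shared by one datagram's fragments
    frag_offset: int = 0
    length: int = 0           # payload bytes carried by this fragment
    more_frags: bool = False
def is_land(p):
    # Land: a TCP SYN whose source and destination address and port are identical
    return p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport
class FragmentTracker:
    # Remembers byte ranges seen per (src, dst, ident) and reports overlaps (Teardrop)
    def __init__(self):
        self.seen = {}
    def add(self, p):
        if not p.more_frags and p.frag_offset == 0:
            return None                       # unfragmented datagram
        key = (p.src, p.dst, p.ident)
        spans = self.seen.setdefault(key, [])
        start, end = p.frag_offset, p.frag_offset + p.length
        for s, e in spans:
            if start < e and s < end:         # byte ranges intersect
                return f"teardrop: {p.src}->{p.dst} id={p.ident} [{start},{end}) overlaps [{s},{e})"
        spans.append((start, end))
        return None
def scan(packets):
    # Run both checks over a packet sequence; returns the alerts in arrival order
    tracker, alerts = FragmentTracker(), []
    for p in packets:
        if is_land(p):
            alerts.append(f"land: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        alert = tracker.add(p)
        if alert:
            alerts.append(alert)
    return alerts
# Constructed sample: one Land SYN, an overlapping fragment pair (id 4), a benign contiguous pair (id 9)
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.5", "tcp", 80, 80, flags="S"),
    Packet("192.0.2.7", "10.0.0.9", "udp", ident=4, frag_offset=0, length=24, more_frags=True),
    Packet("192.0.2.7", "10.0.0.9", "udp", ident=4, frag_offset=16, length=24),
    Packet("192.0.2.8", "10.0.0.9", "udp", ident=9, frag_offset=0, length=24, more_frags=True),
    Packet("192.0.2.8", "10.0.0.9", "udp", ident=9, frag_offset=24, length=24),
]
```

A real sensor would additionally bound the per-datagram state (expire old identification groups) so that the tracker itself cannot be exhausted by a flood of fragments.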