TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 100001
IP Land Attack Detected
Threat Level: Critical
Signature Description: The Land attack is a denial-of-service attack that exploits a bug in the TCP/IP stack of certain
operating systems. In a normal TCP three-way handshake the client sends a SYN packet, the server replies with SYN+ACK,
and the client completes the connection by sending an ACK. In a Land attack the attacker sends a spoofed TCP SYN packet
(the first packet of a connection) whose source IP address and port are identical to its destination IP address and
port, both being the victim's. A vulnerable stack cannot handle a SYN addressed to itself from itself: it replies (with
SYN+ACK) to itself and loops until the machine slows down or crashes. Apart from many older *nix platforms, Windows 95,
NT and XP SP2 are affected by this attack. SunOS, BSD and Macs have also been found vulnerable; all of these systems
share a BSD-derived TCP/IP stack.
Signature ID: 100002
IP Spoofed Packet Detected
Threat Level: Critical
Signature Description: An experienced attacker will rarely use the IP address of his or her own machine. Instead, the
attacker crafts packets with some other source IP address (fake or genuine) when attacking a victim. Such a forged
source address is called a spoofed IP address, and the presence of spoofed-IP logs indicates a possible attempt at
malicious activity. Depending on how the IPS is deployed, however, there can be false positives. The IPS device
generates this log when a packet whose source IP address belongs to an inside IP range arrives on the outside
interface. If, for example, the two interfaces of the IPS device terminate on the same hub, this log is likely to
appear. The administrator should verify the deployment scenario before taking any action.
Signature ID: 100003
Invalid TCP Connection Request
Threat Level: Critical
Signature Description: According to RFC 793 (which superseded RFC 761), TCP is a stateful protocol. Before transferring
data it establishes a connection between client and server using a procedure called the TCP three-way handshake: the
client sends a packet with only the SYN flag set; the server acknowledges it with a packet carrying the SYN and ACK
flags; and the client completes the handshake with a packet carrying the ACK flag. During the three-way handshake, any
packet other than those described above (with the exception of RST) is considered anomalous, as it violates TCP
statefulness. This rule triggers when any packet other than a bare SYN is received as the first packet of a TCP
connection. It can also be a false positive when a connection has been inactive for a long time and the IPS device has
already removed the association for the corresponding TCP session, so that the next mid-stream packet looks like the
first packet of a new flow. Otherwise the presence of such logs indicates a possible port scan, for example a FIN,
NULL, Xmas or ACK scan, all of which send a non-SYN packet as the first packet to each probed port.
Signature ID: 100004
Invalid ACK number in SYN+ACK Packet for a SYN packet During TCP Three-Way Handshake (Syn-Cookies)
Threat Level: Critical
Signature Description: TCP is a stateful protocol (RFC 793), which means that a connection is established first and
data flows only afterwards. Each TCP connection starts with a three-way handshake: the client sends a packet with the
SYN flag set and its initial sequence number (ISN); the server replies with a packet in which the SYN and ACK flags are
set; and the connection is established when the client sends a packet with the ACK flag set. The acknowledgement
number in the server's SYN+ACK must equal the client's ISN plus one. This rule hits when the system, after entering its
SYN-cookies state (the state it uses when overloaded with half-open TCP connections), detects a SYN+ACK whose
acknowledgement number is not equal to the ISN of the preceding SYN plus one. Such a packet does not present a security
risk as such, but it indicates a network protocol anomaly.
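The following Python is an added example, not part of this guide and not the TMS zl module's own code. It implements simplified versions of the four checks described above (signatures 100001 to 100004) as a small stateful handshake tracker run over constructed IPv4/TCP packets built in the same block. The inside address ranges, the interface names "inside" and "outside", the idle timeout, and the fact that the SYN+ACK acknowledgement check runs unconditionally (the real 100004 signature only fires once the device is in its SYN-cookies state) are assumptions of the example.

```python
import ipaddress
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, proto=6):
    """Constructed sample packet: 20-byte IPv4 header (no options) + 20-byte TCP header.
    Checksums are left at zero; these bytes are only ever fed to the inspector."""
    src = ipaddress.IPv4Address(src_ip).packed
    dst = ipaddress.IPv4Address(dst_ip).packed
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw):
    """Pull the fields the signatures need out of a raw IPv4(+TCP) packet."""
    ihl = (raw[0] & 0x0F) * 4
    pkt = {"proto": raw[9],
           "src": ipaddress.IPv4Address(raw[12:16]),
           "dst": ipaddress.IPv4Address(raw[16:20])}
    if pkt["proto"] == 6:
        sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
        pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags)
    return pkt


class TcpInspector:
    """Stateful handshake tracker raising the signature IDs discussed above.

    inside_nets  - address ranges behind the 'inside' interface (assumed layout)
    idle_timeout - seconds after which a quiet session is forgotten (assumed value)
    """

    def __init__(self, inside_nets, idle_timeout=300.0):
        self.inside = [ipaddress.ip_network(n) for n in inside_nets]
        self.idle_timeout = idle_timeout
        self.sessions = {}  # (client_ip, client_port, server_ip, server_port) -> state

    def _expire(self, now):
        # Forgetting idle sessions is exactly what causes the 100003 false positive:
        # the next mid-stream packet looks like the first packet of an unknown flow.
        stale = [k for k, s in self.sessions.items() if now - s["last"] > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def inspect(self, raw, iface, now=0.0):
        """Return the list of signature IDs triggered by one packet seen on `iface`."""
        self._expire(now)
        p = parse_packet(raw)
        alerts = []

        # 100002: a source address from the inside range arriving on the outside interface.
        if iface == "outside" and any(p["src"] in net for net in self.inside):
            alerts.append(100002)
        if p["proto"] != 6:
            return alerts

        # 100001: LAND - source and destination address and port identical, SYN set.
        if p["src"] == p["dst"] and p["sport"] == p["dport"] and (p["flags"] & SYN):
            alerts.append(100001)
            return alerts

        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] & RST:              # RST is allowed at any point; it tears the flow down
            self.sessions.pop(fwd, None)
            self.sessions.pop(rev, None)
            return alerts

        if fwd not in self.sessions and rev not in self.sessions:
            if (p["flags"] & (SYN | ACK | FIN)) == SYN:
                self.sessions[fwd] = {"state": "SYN_SENT", "isn": p["seq"], "last": now}
            else:
                alerts.append(100003)     # first packet of a flow is not a bare SYN
            return alerts

        if rev in self.sessions and self.sessions[rev]["state"] == "SYN_SENT":
            s = self.sessions[rev]
            if (p["flags"] & (SYN | ACK)) == (SYN | ACK):
                # 100004: the SYN+ACK must acknowledge the client's ISN + 1 (mod 2**32).
                if p["ack"] != ((s["isn"] + 1) & 0xFFFFFFFF):
                    alerts.append(100004)
                s["state"] = "SYN_RECEIVED"
            s["last"] = now
            return alerts

        s = self.sessions.get(fwd) or self.sessions[rev]
        if s["state"] == "SYN_RECEIVED" and (p["flags"] & ACK):
            s["state"] = "ESTABLISHED"    # third leg of the handshake
        s["last"] = now
        return alerts
```

Feeding a normal handshake through `inspect()` produces no alerts, a SYN with identical endpoints yields 100001 (and 100002 as well if the spoofed victim address arrives on the outside interface), a lone FIN on an unknown flow yields 100003, a SYN+ACK whose acknowledgement number is not ISN+1 yields 100004, and a data packet on a session that has aged out of the table reproduces the 100003 false positive the guide warns about.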