TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 100046
ICMP Echo Response for Unknown Sequence Number
Threat Level: Critical
Signature Description: ICMP is a protocol used to test the connectivity between hosts or networks. ICMP works over IP. There are a few fields in an ICMP packet, and "sequence" is one of them. This field is used to help match an echo request to its associated reply; it may be zero. This rule hits when the IPS device detects an ICMP echo response for which no corresponding request has been recorded. Such packets may also arrive as part of an attempt to flood a system; the administrator is advised to monitor the host.
Signature ID: 100047
IP Packet with Zero Total Length Field
Threat Level: Critical
Signature Description: According to RFC 791, each IP packet carries a non-zero "Total Length" (TL) field, which denotes the total length of the datagram. This rule hits when the system detects an IP packet with TL set to zero. This may not present a security risk, but a few operating systems may show abnormal behaviour when handling such a packet. This is a network anomaly.
Signature ID: 100048
Source Routing Option Set in IP Packet
Threat Level: Critical
Signature Description: The loose source and record route (LSRR) option provides a means for the source of an internet datagram to supply routing information to be used by the gateways in forwarding the datagram to the destination, and to record the route information. The loose source route (LSR) option was added to the IP protocol in order to assist in route debugging. Nowadays it is mostly used by large ISPs to make sure that their peers are not inappropriately dumping traffic onto their backbone links. A packet is given a list of desired hops that should be taken on the way to the final destination. A loose source routed packet carries the same source IP address through all of its hops; the destination IP address is set to whatever the IP of its next hop is. The main security problem with LSR is that several IP stacks will reverse a source route when responding to a source routed packet. As a result, it would be trivial for an attacker to spoof a packet as coming from a trusted IP address that happens to be source routed through an IP address on which the attacker can sniff. The unsuspecting victim would then send return traffic to the spoofed source, but route it using LSR through the attacker. The attacker can thus capture entire TCP sessions without exploiting any weakness in the TCP/IP stacks. Another security problem is that if a NAT box or some other internal, non-publicly routed IP space is adjacent to a box that forwards source routed packets, a remote attacker will be able to reach the network devices without public IPs by using the router that forwards LSR packets as a bounce point. In normal network traffic the LSR option is rarely used, and any packet with this option set should be monitored carefully for malicious activity.
Signature ID: 100049
Unaligned Timestamp Option In IP Packet
Threat Level: Critical
Signature Description: The IP header provides a "Timestamp" option for inserting a timestamp into every packet. This option is carried in the "options" field of the IP header, and options are aligned to a 4-byte boundary. A few IP stack implementations are unable to handle an unaligned Timestamp option; for example, it is possible to cause a kernel panic on systems running NetBSD by remotely sending a packet with an unaligned IP Timestamp option. This rule hits when the IPS device detects an IP packet with an unaligned Timestamp option set. This log can be ignored if the remote systems are patched.
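As an added example that is not part of the guide, the three IP-header checks behind Signatures 100047, 100048 and 100049 (zero Total Length, LSRR option present, unaligned Timestamp option) written as a small Python detector and run over constructed IPv4 headers. The "unaligned" test assumes the guide's 4-byte remark means the option must start on a 4-byte boundary and carry whole 4-byte timestamp slots after its 4-byte header; `build_ipv4` is a constructed helper, not a ProCurve API.

```python
import struct
IPOPT_EOOL, IPOPT_NOP, IPOPT_TS, IPOPT_LSRR = 0, 1, 68, 131   # RFC 791 option types

def ipv4_options(hdr):
    """Yield (offset, type, option_bytes) for each option in an IPv4 header."""
    ihl = (hdr[0] & 0x0F) * 4
    off = 20
    while off < ihl:
        t = hdr[off]
        if t == IPOPT_EOOL:
            break
        if t == IPOPT_NOP:                 # single-byte pad, used to align options
            off += 1
            continue
        ln = hdr[off + 1] if off + 1 < ihl else 0
        if ln < 2 or off + ln > ihl:       # malformed length: report it and stop
            yield off, t, hdr[off:ihl]
            break
        yield off, t, hdr[off:off + ln]
        off += ln

def ipv4_anomalies(pkt):
    """Return the names of the guide's IP-header anomalies found in pkt."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return ["bad_ipv4_header"]
    found = []
    if struct.unpack("!H", pkt[2:4])[0] == 0:
        found.append("zero_total_length")           # Signature 100047
    for off, t, raw in ipv4_options(pkt):
        if t == IPOPT_LSRR:
            found.append("lsrr_option")             # Signature 100048
        # Signature 100049 (assumed reading): option on a 4-byte boundary, whole 4-byte slots
        elif t == IPOPT_TS and (off % 4 or len(raw) < 4 or (len(raw) - 4) % 4):
            found.append("unaligned_timestamp")
    return found

def build_ipv4(options=b"", total_len=None):
    """Constructed IPv4 header (no payload) carrying the given options; a test helper."""
    options += b"\x00" * (-len(options) % 4)        # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    tl = ihl * 4 if total_len is None else total_len
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, tl, 0, 0, 64, 1, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + options

CLEAN = build_ipv4()            # constructed samples: one clean header, one per signature
ZERO_TL = build_ipv4(total_len=0)
LSRR = build_ipv4(bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 3]))             # one recorded hop
TS_ALIGNED = build_ipv4(bytes([IPOPT_TS, 8, 5, 0]) + b"\x00" * 4)     # starts at offset 20
TS_UNALIGNED = build_ipv4(bytes([IPOPT_NOP, IPOPT_TS, 8, 5, 0]) + b"\x00" * 4)  # offset 21
```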