TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
Signature ID: 100062
IP packet with Source Address as Broadcast Address
Threat Level: Critical
Signature Description: IP packets using a broadcast address as the source address shall be dropped. Some attackers may
use ping with a broadcast address as the source IP to attack. This rule hits when the system detects a packet whose source
address is a broadcast address. Administrators should try to trace the origin for further investigation.
Signature ID: 100063
IP Packet with Destination address as Broadcast address
Threat Level: Critical
Signature Description: Broadcasts travel to every single client on a network, at least until a router is encountered.
A router is the only device that can separate a broadcast domain. Logically, this is mandatory for the Internet to exist.
Many flood attacks, such as Smurf, employ broadcast addresses in IP packets sent over the Internet. This rule hits when
the system detects a packet with a broadcast destination address arriving from an external network. Administrators
should try to trace the origin for further investigation.
Signature ID: 100064
Reset without ACK Bit Set in Response to SYN
Threat Level: Critical
Signature Description: According to RFC 793, if the incoming segment has an ACK field, the reset takes its sequence
number from the ACK field of the segment; otherwise the reset has sequence number zero and the ACK field is set to
the sum of the sequence number and segment length of the incoming segment. The connection remains in the CLOSED
state. This rule hits when the system detects a RST packet without the ACK bit set during the 3-way handshake, i.e. a RST
sent in response to a SYN packet. It may be normal traffic, as many Windows machines (with IE) have been observed to
terminate the connection by sending a reset packet without the ACK bit set or with some large ACK value.
Signature ID: 100100
IP packet length exceeded 64 k bytes
Threat Level: Critical
Signature Description: This rule hit might indicate a possible denial of service attack, created when an
attacker sends IP packets larger than 65536 bytes (possible SSPING, targa3, teardrop, jolt or ping of death attacks). The
attack uses the large IP packets to make a target computer crash when it tries to reassemble the packets. This
attack is easy for the attacker to implement, since the attacker only needs to know the IP address of the computer they
want to attack.
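The detection logic of signatures 100062, 100063, 100064 and 100100 above, written out as a small packet checker. This is an added example, not code from the ProCurve TMS zl Module; the Packet fields, the syn_seen connection table and the sample traffic are assumptions constructed for illustration.

```python
from dataclasses import dataclass
BROADCAST = "255.255.255.255"   # limited broadcast; directed broadcasts would also need the subnet mask

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    external: bool = False          # True if it arrived from an external network
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN"} or {"RST", "ACK"}
    frag_offset: int = 0            # fragment offset in bytes (header field * 8)
    frag_len: int = 0               # payload bytes carried by this fragment

def check_packet(pkt, syn_seen):
    """Return the signature IDs that fire for one packet; syn_seen is a hypothetical
    connection table of (client, server) pairs whose SYN has not been answered yet."""
    hits = []
    if pkt.src == BROADCAST:                      # 100062: broadcast address as source
        hits.append(100062)
    if pkt.dst == BROADCAST and pkt.external:     # 100063: broadcast destination from outside
        hits.append(100063)
    if pkt.proto == "tcp":
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            syn_seen.add((pkt.src, pkt.dst))      # handshake opened
        elif "RST" in pkt.flags and "ACK" not in pkt.flags and (pkt.dst, pkt.src) in syn_seen:
            hits.append(100064)                   # RST answering a SYN with no ACK bit set
            syn_seen.discard((pkt.dst, pkt.src))
    if pkt.frag_offset + pkt.frag_len > 65535:    # 100100: reassembled datagram exceeds IPv4 maximum
        hits.append(100100)
    return hits
def scan(packets):
    # Run check_packet over a sequence; returns {packet index: [signature IDs]}.
    syn_seen, alerts = set(), {}
    for i, pkt in enumerate(packets):
        hits = check_packet(pkt, syn_seen)
        if hits:
            alerts[i] = hits
    return alerts

# Constructed sample traffic (not captured data), one packet per case the rules describe.
SAMPLE = [
    Packet("255.255.255.255", "10.0.0.5", "icmp"),                               # 100062
    Packet("198.51.100.7", "255.255.255.255", "icmp", external=True),            # 100063
    Packet("10.0.0.5", "255.255.255.255", "udp"),                                # local broadcast: no hit
    Packet("10.0.0.9", "10.0.0.5", "tcp", flags=frozenset({"SYN"})),             # handshake start
    Packet("10.0.0.5", "10.0.0.9", "tcp", flags=frozenset({"RST"})),             # 100064
    Packet("10.0.0.5", "10.0.0.9", "tcp", flags=frozenset({"RST", "ACK"})),      # normal RST/ACK: no hit
    Packet("198.51.100.7", "10.0.0.5", "icmp", frag_offset=65528, frag_len=40),  # 100100
]
```

The 100064 check only fires when a RST follows a SYN the checker has actually seen, which is what keeps unrelated reset packets from raising the alert.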
Signature ID: 100101
Jolt Attack
Threat Level: Critical
Industry ID: CVE-2000-0305 Bugtraq: 1236
Signature Description: Jolt is a denial of service attack. It sends very large, fragmented ICMP packets to a target
machine, mainly running Windows 95 or NT. The ICMP packets are fragmented in such a way that the target machine
is unable to reassemble them for use. When the ICMP packets are received by the target machine, it freezes up and will
not accept input from the keyboard or mouse. This Denial of Service attack has not been shown to cause significant
damage to affected systems, and a simple reboot is sufficient to recover from an attack. It should be noted, though, that
any unsaved data in open applications will likely be lost. This rule hits when system detects such traffic. (MS00-029)