ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature ID: 100102
IP Fragmented Data for Zero Data Length
Threat Level: Critical
Signature Description: IP has a mechanism to send very large data (data greater than the MTU) by means of
fragmentation. Under this mechanism, the entire data packet is broken into smaller pieces (fragments) and these
fragments are sent across the network to the destination. The destination machine reassembles these fragments into the whole
data. This rule hits when the system detects a packet whose IP data length is zero yet the fragment flag is set. This is very
unusual: if there is no data to send, there is no need to fragment the packet. Such traffic is generally sent
to launch some kind of DoS. The administrator should monitor carefully.
Signature ID: 100104
IP Fragment Size Less Than Configured Minimum Fragment Size
Threat Level: Critical
Signature Description: According to RFC 791, "Every internet module must be able to forward a datagram of 68 octets
without further fragmentation. This is because an internet header may be up to 60 octets, and the minimum fragment is
8 octets." Based on the network traffic behavior, an administrator can configure the minimum fragment limit for their
network. The system provides this facility to configure the minimum fragment limit. This rule hits when the system detects a
packet whose fragment size is less than the configured minimum fragment size. Such traffic is generally sent to
launch some kind of DoS. The administrator should monitor carefully.
Signature ID: 100105
IP Reassembly Fragment Count Exceeds Configured Maximum Limit
Threat Level: Critical
Signature Description: According to RFC 791, "Every internet module must be able to forward a datagram of 68 octets
without further fragmentation." The main purpose of fragmenting the data is to allow a very large packet to go across the
internet to reach its destination. However, many DoS attacks reported in the literature exploit this
fragmentation mechanism to crash the end system. Based on the network traffic behavior, an administrator can
configure the maximum fragmentation count limit for their network. Maximum Fragmentation Count is the
maximum number of IP fragments that are allowed to be accepted. The system provides this facility to configure the
maximum fragmentation count limit. This rule hits when the system detects that the number of IP fragments exceeds the
configured value. Such traffic is generally sent to launch some kind of DoS. The administrator should monitor
carefully.
Signature ID: 100106
IP Last Fragment Retransmission with Different Length
Threat Level: Critical
Signature Description: IP has a mechanism to send very large data (data greater than the MTU) by means of
fragmentation. Under this mechanism, the entire data packet is broken into smaller pieces (fragments) and these
fragments are sent across the network to the destination. At the destination, the fragments are reassembled to get the whole data.
This rule hits when the system detects a retransmission of the last fragment whose length differs from the original last
fragment. This event may be a genuine attempt at some malicious activity or a network abnormality/anomaly.
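The four fragment checks above (signatures 100102, 100104, 100105 and 100106), together with the overlapped-fragment condition of signature 100107, can be illustrated with a small stateful inspector. The following is an added example written for this guide, not code from the TMS zl module; it decodes the IPv4 header fields involved (total length, IHL, identification, flags and fragment offset), keeps per-datagram state and returns the matching signature IDs. The `min_fragment` and `max_fragments` values stand in for the administrator-configured limits the text mentions, and the `make_fragment` helper builds constructed test packets (checksum left zero).

```python
import struct
from collections import defaultdict

IP_MF = 0x2000           # "more fragments" bit of the flags/fragment-offset field
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-octet units


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields the fragment checks need."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident, "proto": proto, "src": src, "dst": dst,
        "mf": bool(flags_off & IP_MF),
        "offset": (flags_off & IP_OFFSET_MASK) * 8,   # byte offset within the datagram
        "data_len": total_len - ihl,                  # fragment payload length
    }


def make_fragment(ident: int, offset: int, payload: bytes, more: bool,
                  src: bytes = b"\x0a\x00\x00\x01", dst: bytes = b"\x0a\x00\x00\x02") -> bytes:
    """Build a constructed IPv4 fragment for testing (UDP, TTL 64, checksum zero)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_off = (IP_MF if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_off, 64, 17, 0, src, dst)
    return header + payload


class FragmentMonitor:
    """Stateful checks for the fragment anomalies of signatures 100102-100107."""

    def __init__(self, min_fragment: int = 8, max_fragments: int = 64):
        self.min_fragment = min_fragment      # configured minimum (RFC 791 floor is 8 octets)
        self.max_fragments = max_fragments    # configured per-datagram fragment limit
        self.seen = defaultdict(list)         # datagram key -> [(offset, length), ...]
        self.last = {}                        # datagram key -> (offset, length) of MF=0 fragment

    def inspect(self, pkt: bytes) -> list:
        ip = parse_ipv4(pkt)
        alerts = []
        if not (ip["mf"] or ip["offset"]):    # not a fragment: nothing to check
            return alerts
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        off, length = ip["offset"], ip["data_len"]

        # 100102: fragment flag set but the fragment carries no data
        if ip["mf"] and length == 0:
            alerts.append("100102")
        # 100104: non-last fragment below the configured minimum (the final fragment
        # may legitimately be shorter, so this example exempts it)
        if ip["mf"] and length < self.min_fragment:
            alerts.append("100104")
        # 100106: last fragment retransmitted with a different length
        if not ip["mf"]:
            prev = self.last.get(key)
            if prev is not None and prev[0] == off and prev[1] != length:
                alerts.append("100106")
            self.last[key] = (off, length)
        if (off, length) in self.seen[key]:
            return alerts                     # exact retransmission, not an overlap
        # 100107: new fragment shares byte positions with one already received
        for s_off, s_len in self.seen[key]:
            if off < s_off + s_len and s_off < off + length:
                alerts.append("100107")
                break
        self.seen[key].append((off, length))
        # 100105: more fragments for one datagram than the configured maximum
        if len(self.seen[key]) > self.max_fragments:
            alerts.append("100105")
        return alerts


if __name__ == "__main__":
    mon = FragmentMonitor(min_fragment=8, max_fragments=3)
    for frag in (make_fragment(1, 0, b"A" * 16, True), make_fragment(1, 8, b"B" * 16, True)):
        print(mon.inspect(frag))              # second fragment overlaps the first
```

The datagram key (source, destination, identification, protocol) is the same tuple a reassembler uses, so state is kept per datagram rather than per flow; a production sensor would also age entries out, which this example omits.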
Signature ID: 100107
IP Reassembly : Overlapped IP fragment received
Threat Level: Critical
Signature Description: An IP fragment overlap is identified when two fragments contained within the same IP
datagram have offsets that indicate that they share positioning within the datagram. This could mean that fragment A is
being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some