TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in
other undesirable ways upon receipt of overlapping fragments. This is the basis for the so-called Teardrop denial-of-service
attacks.

A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine.
A bug in the TCP/IP fragmentation reassembly code of various operating systems causes the fragments to be handled
improperly, crashing the system as a result. Windows 3.1x, Windows 95 and Windows NT, as well as Linux versions prior
to 2.0.32 and 2.1.63, are vulnerable to this attack.
Signature ID: 100108
IP Reassembled Datagram Size Exceeds Maximum Set Limit
Threat Level: Critical
Signature Description: IP can send data larger than the MTU by means of fragmentation. Under this mechanism, the
datagram is broken into smaller pieces (fragments), which are sent across the network to the destination, where they are
reassembled into the original datagram. Some operating systems have been observed to behave unstably if the reassembled
datagram is very large. The system provides a command to limit the size of data after reassembly. This rule fires when
the system detects a datagram that, once reassembled by the system, exceeds the configured limit. Such traffic is
generally sent to launch some kind of DoS attack, and the administrator should monitor it carefully.
Signature ID: 100109
IP Reassembly Timeout
Threat Level: Critical
Signature Description: IP fragmentation is a well-known evasion technique used to bypass IPS detection, so as a
precaution the IPS reassembles IP fragments before checking for attacks. As part of this, it also checks for some
well-known reassembly attacks. This event log is generated when a timeout occurs while waiting for further fragments of
a fragmented packet, and the entire packet is discarded. The cause may simply be network congestion somewhere that led
to some of the fragments being dropped in transit, or it may be a DoS attack intended to fill the IP reassembly
database.
Signature ID: 100140
TCP Checksum error
Threat Level: Critical
Signature Description: The Transmission Control Protocol is designed to provide reliable data transfer between a pair
of devices on an IP internetwork. Much of the effort required to ensure reliable delivery of data segments is
necessarily focused on ensuring that data is not lost in transit. But there is another critical impediment to the safe
transmission of data: the risk of errors being introduced into a TCP segment during its travel across the internetwork.
To provide basic protection against transmission errors, TCP includes a 16-bit Checksum field in its header. The idea
behind a checksum is straightforward: take a string of data bytes and add them all together, send this sum with the
data stream, and have the receiver check the sum. During packet processing, before application protocol parsing, the
IPS ensures that the TCP checksum is correct, because a bad checksum is one of the methods used by attackers to evade
the IPS check. An attacker sends a normal packet (one containing no attack) with a wrong checksum in its TCP header, so
the victim system drops the packet. The attacker then sends a malicious packet with the same sequence number as the
previous packet to the target system. The IPS will treat this packet as a retransmission and allow it to pass. So, from
the IPS point of view, it is important to drop packets with a wrong checksum. This log is generated when the TCP
checksum calculation fails in the IPS. One or two such logs may be caused by transmission errors in the network, but an
excessive number of such errors from one particular system should be regarded with suspicion as possible malicious
activity.
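The checksum verification described above, as an added Python example (not code from the guide or the TMS zl module): it validates the TCP checksum of raw IPv4 packets over the RFC 793 pseudo-header and tallies failures per source host, the per-host count the description says to watch. The packets, addresses and payloads are constructed sample values.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum the IPS should expect: pseudo-header (src, dst, zero, protocol 6,
    TCP length) plus the segment with its checksum field (bytes 16-17) zeroed."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def tcp_checksum_ok(packet: bytes) -> bool:
    """Validate the TCP checksum of a raw IPv4 packet (no link-layer header)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or total_len > len(packet) or ihl + 20 > total_len:
        return False  # not TCP, or truncated: treat it as failing the check
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src, dst, segment)

def build_packet(src_ip: str, dst_ip: str, seq: int, payload: bytes,
                 bad_checksum: bool = False) -> bytes:
    """Constructed sample: minimal IPv4 header + 20-byte TCP header (PSH/ACK)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 1, 5 << 4, 0x18, 65535, 0, 0)
    tcp += payload
    csum = tcp_checksum(src, dst, tcp)
    if bad_checksum:
        csum ^= 0x1234  # deliberately corrupt the checksum for the sample
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return ip + tcp

def bad_checksum_sources(packets) -> dict:
    """Count failed TCP checksums per source IP: one or two may be line noise,
    many from a single host is the pattern the guide says to treat as suspicious."""
    counts = {}
    for pkt in packets:
        if not tcp_checksum_ok(pkt):
            src = socket.inet_ntoa(pkt[12:16])
            counts[src] = counts.get(src, 0) + 1
    return counts
```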