TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
all three, based on the commands from the handlers. Communication between handlers and agents uses the UDP
protocol (18753/udp). This signature detects traffic from a Shaft handler to a client.
Signature ID: 4100
Shaft DDoS tool SYN flood attack detection
Threat Level: Warning
Industry ID: CVE-2000-0138
Nessus: 10501
Signature Description: A distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource
unavailable to its intended users using multiple attack machines. Shaft is a DDoS tool which consists of handlers,
clients and agents. Handlers act as masters that order the agents to launch the DoS. The rule triggers when a handler,
and therefore its agents, launches a SYN flood against a target.
Signature ID: 4101
DDOS tfn2k icmp possible communication
Threat Level: Severe
Industry ID: CVE-2000-0138 Nessus: 10501
Signature Description: Tribal Flood Network 2000 (TFN2K) is a distributed denial of service tool that can perform a
number of different types of floods against a host. The TFN2K client can be used to send various commands to the
master for execution, including commands to flood a target machine or set of target machines. The client can send
commands using ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the
processing required to handle the incoming packets, leaving little or no network bandwidth; the denial of service
attack can also cause the target system to crash. This signature detects the ICMP traffic sent between Tribe Flood
Network 2000 (TFN2K) hosts.
Signature ID: 4102
Ascend MAX UDP Port 9 DOS Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0060 Bugtraq: 714
Signature Description: Ascend routers run configuration software that is able to locate other Ascend routers by
broadcasting on UDP port 9. Lucent Ascend TNT Router 2.0, Lucent Ascend TNT Router 1.0, Lucent Ascend
Pipeline Router 1.0 to Lucent Ascend Pipeline Router 6.0, and Lucent Ascend MAX Router 1.0 to Lucent Ascend MAX
Router 5.0 are vulnerable versions. UDP port 9 is listened on by the Java Configurator tool. A remote attacker can send
a packet with a specially crafted payload that causes the router to reboot.
Signature ID: 4103
TCP Spoofed Reset Packet Denial of Service Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0230 Bugtraq: 10183 Nessus: 12213
Signature Description: This rule detects exploitation of a vulnerability in the TCP implementations of several vendors
that allows remote attackers to reset an established TCP session. The affected implementations accept TCP sequence
numbers anywhere within a certain range of the expected sequence number for a packet in the session. This permits a
remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively enabling denial of
service attacks. An attacker would exploit this vulnerability by sending a packet to the target TCP/IP implementation
with an approximated sequence number and a forged source IP address and TCP port. Border Gateway Protocol (port 179)
is the application protocol most affected by this vulnerability, because it maintains long-lived TCP sessions.
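To make the acceptance check behind this vulnerability concrete, the following Python model (an added example, not code from this guide or from the TMS zl module) contrasts the in-window RST check with the exact-match rule plus challenge ACK from RFC 5961, and lists the in-window but inexact RSTs that a session-aware sensor can alert on; the Session fields and the sample packets are constructed for illustration.

```python
from dataclasses import dataclass

SEQ_SPACE = 1 << 32  # TCP sequence numbers wrap modulo 2^32

@dataclass
class Session:
    rcv_nxt: int  # next sequence number the receiver expects (RCV.NXT)
    rcv_wnd: int  # advertised receive window (RCV.WND)

def in_window(seq: int, s: Session) -> bool:
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), wraparound-safe."""
    return (seq - s.rcv_nxt) % SEQ_SPACE < s.rcv_wnd

def rst_legacy(seq: int, s: Session) -> str:
    """Pre-fix behaviour (CVE-2004-0230): any in-window RST aborts the session."""
    return "abort" if in_window(seq, s) else "drop"

def rst_rfc5961(seq: int, s: Session) -> str:
    """RFC 5961 section 3.2: only an exact RCV.NXT match aborts; an in-window but
    inexact RST earns a challenge ACK, so a genuine peer can resend with the exact
    number while a blind guess achieves nothing."""
    if seq == s.rcv_nxt:
        return "abort"
    return "challenge_ack" if in_window(seq, s) else "drop"

def suspicious_rsts(packets, s: Session):
    """Sequence numbers of RSTs that are in-window but inexact: the pattern a blind
    reset attempt produces, and what a sensor tracking session state can alert on."""
    return [p["seq"] for p in packets
            if p["flags"] == "R" and rst_rfc5961(p["seq"], s) == "challenge_ack"]

# Constructed sample: a long-lived BGP session whose 16 KiB window straddles the
# 2^32 wrap, followed by five packets (constructed values, not captured traffic).
BGP_SESSION = Session(rcv_nxt=4_294_960_000, rcv_wnd=16_384)
SAMPLE_PACKETS = [
    {"flags": "R", "seq": 4_294_960_000},  # exact RCV.NXT: a genuine abort
    {"flags": "R", "seq": 4_294_965_000},  # in window, inexact: spoofed-reset pattern
    {"flags": "R", "seq": 100},            # in window across the wrap, inexact
    {"flags": "R", "seq": 20_000},         # outside the window: dropped either way
    {"flags": "A", "seq": 4_294_965_000},  # not a RST: ignored by this check
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, rst_legacy(p["seq"], BGP_SESSION), rst_rfc5961(p["seq"], BGP_SESSION))
    print("suspicious:", suspicious_rsts(SAMPLE_PACKETS, BGP_SESSION))
```

Run stand-alone it prints both verdicts for each packet; the legacy check aborts on the two inexact in-window RSTs that the hardened check merely challenges.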