|
|
|
|
|
Flood |
Ethernet Broadcast Packet |
ether-brdcst-pkt |
Ethernet broadcast packet flood |
Yes |
Flood |
Ethernet Multicast Packet |
ether-multicst-pkt |
Ethernet destination is not broadcast, but is multicast |
Yes |
Flood |
ARP Flood |
arp-flood |
ARP packet flood |
Yes |
Flood |
IP Fragment Flood |
ip-frag-flood |
Fragmented packet flood with IPv4 |
Yes |
Flood |
IGMP Flood |
igmp-flood |
Flood with IGMP packets (IPv4 packets with IP protocol number 2) |
Yes |
Flood |
Routing Header Type 0 |
routing-header-type-0 |
Routing header type zero is present in flood packets |
Yes |
Flood |
IPv6 Fragment Flood |
ipv6-frag-flood |
Fragmented packet flood with IPv6 |
No |
Flood |
IGMP Fragment Flood |
igmp-frag-flood |
Fragmented packet flood with IGMP protocol |
Yes |
Flood |
TCP SYN Flood |
tcp-syn-flood |
TCP SYN flood |
Yes |
Flood |
TCP SYN ACK Flood |
tcp-synack-flood |
TCP SYN/ACK flood |
Yes |
Flood |
TCP RST Flood |
tcp-rst-flood |
TCP RST flood |
Yes |
Flood |
TCP Window Size |
tcp-window-size |
The TCP window size in packets is above the maximum. To tune this value, in
tmsh: modify sys db dos.tcplowwindowsize value, where value is <=128. |
Yes |
Flood |
ICMPv4 Flood |
icmpv4-flood |
Flood with ICMP v4 packets |
Yes |
Flood |
ICMPv6 Flood |
icmpv6-flood |
Flood with ICMP v6 packets |
Yes |
Flood |
UDP Flood |
udp-flood |
UDP flood attack |
Yes |
Flood |
TCP SYN Oversize |
tcp-syn-oversize |
Detects TCP data SYN packets larger than the maximum specified by the
dos.maxsynsize parameter. To tune this value, in tmsh:
modify sys db dos.maxsynsize value. The default size is 64 and the maximum
allowable value is 9216. |
Yes |
Flood |
TCP BADACK Flood |
tcp-ack-flood |
TCP ACK packet flood |
No |
Bad Header - L2 |
Ethernet MAC Source Address == Destination Address |
ether-mac-sa-eq-da |
Ethernet MAC source address equals the destination address |
Yes |
Bad Header - IPv4 |
Bad IP Version |
bad-ver |
The IPv4 address version in the IP header is not 4 |
Yes |
Bad Header - IPv4 |
Header Length Too Short |
hdr-len-too-short |
IPv4 header length is less than 20 bytes |
Yes |
Bad Header - IPv4 |
Header Length > L2 Length |
hdr-len-gt-l2-len |
No room in layer 2 packet for IP header (including options) for IPv4
address |
Yes |
Bad Header - IPv4 |
L2 Length >> IP Length |
l2-len-ggt-ip-len |
Layer 2 packet length is much greater than the payload length in an IPv4
address header and the layer 2 length is greater than the minimum packet
size |
Yes |
Bad Header - IPv4 |
No L4 |
no-l4 |
No layer 4 payload for IPv4 address |
Yes |
Bad Header - IPv4 |
Bad IP TTL Value |
bad-ttl-val |
Time-to-live equals zero for an IPv4 address |
Yes |
Bad Header - IPv4 |
TTL <= <tunable> |
ttl-leq-one |
An IP packet with a destination that is not multicast and that has a TTL
greater than 0 and less than or equal to a tunable value, which is 1 by default. To
tune this value, in tmsh: modify sys db dos.iplowttl value, where value is 1-4. |
Yes |
Bad Header - IPv4 |
IP Error Checksum |
ip-err-chksum |
The header checksum is not correct |
Yes |
Bad Header - IPv4 |
IP Option Frames |
ip-opt-frames |
IPv4 packet with options. The db variable tm.acceptipsourceroute must be
enabled to receive IP options. |
Yes |
Bad Header - IPv4 |
Bad Source |
ip-bad-src |
The IPv4 source IP = 255.255.255.255 or 0xe0000000U |
Yes |
Bad Header - IPv4 |
IP Option Illegal Length |
bad-ip-opt |
Option present with illegal length |
No |
Bad Header - IPv4 |
Unknown Option Type |
unk-ipopt-type |
Unknown IP option type |
No |
Bad Header - IGMP |
Bad IGMP Frame |
bad-igmp-frame |
IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either
0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should be
non-zero only if bits 7:0 are 0x11, or else the header is bad. |
Yes |
Fragmentation |
IP Fragment Too Small |
ip-short-frag |
IPv4 short fragment error |
Yes |
Fragmentation |
IPv6 Fragment Too Small |
ipv6-short-frag |
IPv6 short fragment error |
Yes |
Fragmentation |
IPV6 Atomic Fragment |
ipv6-atomic-frag |
IPv6 Frag header present with M=0 and FragOffset=0 |
Yes |
Fragmentation |
ICMP Fragment |
icmp-frag |
ICMP fragment flood |
Yes |
Fragmentation |
IP Fragment Error |
ip-other-frag |
Other IPv4 fragment error |
Yes |
Fragmentation |
IPV6 Fragment Error |
ipv6-other-frag |
Other IPv6 fragment error |
Yes |
Fragmentation |
IP Fragment Overlap |
ip-overlap-frag |
IPv4 overlapping fragment error |
No |
Fragmentation |
IPv6 Fragment Overlap |
ipv6-overlap-frag |
IPv6 overlapping fragment error |
No |
Bad Header - IPv6 |
Bad IPV6 Version |
bad-ipv6-ver |
The IPv6 address version in the IP header is not 6 |
Yes |
Bad Header - IPv6 |
IPV6 Length > L2 Length |
ipv6-len-gt-l2-len |
IPv6 address length is greater than the layer 2 length |
Yes |
Bad Header - IPv6 |
Payload Length < L2 Length |
payload-len-ls-l2-len |
Specified IPv6 payload length is less than the L2 packet length |
Yes |
Bad Header - IPv6 |
Too Many Extension Headers |
too-many-ext-hdrs |
For an IPv6 address, there are more than <tunable> extended headers (the
default is 4). To tune this value, in
tmsh: modify sys db dos.maxipv6exthdrs value, where value is 0-15. |
Yes |
Bad Header - IPv6 |
IPv6 duplicate extension headers |
dup-ext-hdr |
An extension header should occur only once in an IPv6 packet, except for the
Destination Options extension header |
Yes |
Bad Header - IPv6 |
IPv6 extension header too large |
ext-hdr-too-large |
An extension header is too large. To tune this value, in
tmsh: modify sys db dos.maxipv6extsize value, where value is 0-1024. |
Yes |
Bad Header - IPv6 |
No L4 (Extended Headers Go To Or Past End of Frame) |
l4-ext-hdrs-go-end |
Extended headers go to the end or past the end of the L4 frame |
Yes |
Bad Header - IPv6 |
Bad IPV6 Hop Count |
bad-ipv6-hop-cnt |
Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are
bad |
Yes |
Bad Header - IPv6 |
IPv6 hop count <= <tunable> |
hop-cnt-leq-one |
The IPv6 extended header hop count is less than or equal to <tunable>. To
tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value, where value
is 1-4. |
Yes |
Bad Header - IPv6 |
IPv6 Extended Header Frames |
ipv6-ext-hdr-frames |
IPv6 address contains extended header frames |
Yes |
Bad Header - IPv6 |
IPv6 extended headers wrong order |
bad-ext-hdr-order |
Extension headers in the IPv6 header are in the wrong order |
Yes |
Bad Header - IPv6 |
Bad IPv6 Addr |
ipv6-bad-src |
IPv6 source IP = 0xff00:: |
Yes |
Bad Header - TCP |
TCP Header Length Too Short (Length < 5) |
tcp-hdr-len-too-short |
The Data Offset value in the TCP header is less than five 32-bit words |
Yes |
Bad Header - TCP |
TCP Header Length > L2 Length |
tcp-hdr-len-gt-l2-len |
|
Yes |
Bad Header - TCP |
Unknown TCP Option Type |
unk-tcp-opt-type |
Unknown TCP option type |
Yes |
Bad Header - TCP |
Option Present With Illegal Length |
opt-present-with-illegal-len |
Option present with illegal length |
Yes |
Bad Header - TCP |
TCP Option Overruns TCP Header |
tcp-opt-overruns-tcp-hdr |
The TCP option bits overrun the TCP header |
Yes |
Bad Header - TCP |
Bad TCP Checksum |
bad-tcp-chksum |
The TCP checksum does not match |
Yes |
Bad Header - TCP |
Bad TCP Flags (All Flags Set) |
bad-tcp-flags-all-set |
Bad TCP flags (all flags set) |
Yes |
Bad Header - TCP |
Bad TCP Flags (All Cleared) |
bad-tcp-flags-all-clr |
Bad TCP flags (all cleared and SEQ#=0) |
Yes |
Bad Header - TCP |
SYN && FIN Set |
syn-and-fin-set |
Bad TCP flags (SYN and FIN set) |
Yes |
Bad Header - TCP |
FIN Only Set |
fin-only-set |
Bad TCP flags (only FIN is set) |
Yes |
Bad Header - TCP |
TCP Flags - Bad URG |
tcp-bad-urg |
Packet contains a bad URG flag; this is likely malicious |
Yes |
Bad Header - ICMP |
Bad ICMP Checksum |
bad-icmp-chksum |
An ICMP frame checksum is bad. Reuse the TCP or UDP checksum bits in the
packet |
Yes |
Bad Header - ICMP |
Bad ICMP Frame |
bad-icmp-frame |
The ICMP frame is either the wrong size, or not of one of the valid IPv4 or
IPv6 types. Valid IPv4 types:
- 0 Echo Reply
- 3 Destination Unreachable
- 4 Source Quench
- 5 Redirect
- 8 Echo
- 11 Time Exceeded
- 12 Parameter Problem
- 13 Timestamp
- 14 Timestamp Reply
- 15 Information Request
- 16 Information Reply
- 17 Address Mask Request
- 18 Address Mask Reply
Valid IPv6 types:
- 1 Destination Unreachable
- 2 Packet Too Big
- 3 Time Exceeded
- 4 Parameter Problem
- 128 Echo Request
- 129 Echo Reply
- 130 Membership Query
- 131 Membership Report
- 132 Membership Reduction
|
Yes |
Bad Header - ICMP |
ICMP Frame Too Large |
icmp-frame-too-large |
The ICMP frame exceeds the declared IP data length or the maximum datagram
length. To tune this value, in tmsh: modify sys db
dos.maxicmpframesize value, where value is <=65515. |
Yes |
Bad Header - UDP |
Bad UDP Header (UDP Length > IP Length or L2 Length) |
bad-udp-hdr |
UDP length is greater than IP length or layer 2 length |
Yes |
Bad Header - UDP |
Bad UDP Checksum |
bad-udp-chksum |
The UDP checksum is not correct |
Yes |
Other |
Host Unreachable |
host-unreachable |
Host unreachable error |
Yes |
Other |
TIDCMP |
tidcmp |
ICMP source quench attack |
Yes |
Other |
LAND Attack |
land-attack |
Source IP equals destination IP address |
Yes |
Other |
IP Unknown protocol |
ip-unk-prot |
Unknown IP protocol |
No |
Other |
TCP Half Open |
tcp-half-open |
Specifies the number of new or untrusted TCP connections that can be established.
Overrides the Global SYN Check threshold in Configuration > Local Traffic >
General. |
No |
Bad Header - DNS |
DNS Oversize |
dns-oversize |
Detects oversized DNS headers. To tune this value, in tmsh:
modify sys db dos.maxdnssize value, where value is 256-8192. |
Yes |
Bad Header - IPv6 |
IPv4 Mapped IPv6 |
ipv4-mapped-ipv6 |
IPv4 address is in the lowest 32 bits of an IPv6 address. |
Yes |
Single Endpoint |
Single Endpoint Sweep |
sweep |
Sweep on a single endpoint. You can configure packet types to check for, and
packets per second for both detection and rate limiting. |
No |
Single Endpoint |
Single Endpoint Flood |
flood |
Flood to a single endpoint. You can configure packet types to check for, and
packets per second for both detection and rate limiting. |
No |
Bad Header - SCTP |
Bad SCTP Checksum |
bad-sctp-checksum |
Bad SCTP packet checksum |
No |
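
Several of the Bad Header and Other rows above, as an added Python example that is not F5 code: it applies those rules to a raw IPv4 packet and returns the matching DoS vector names from the table. It assumes the buffer length stands in for the layer 2 length, that "bits 7:0" and "bits 15:8" of an IGMP frame are its first two bytes, and that "all flags" means the six classic TCP flag bits; the function names and build_ipv4 are hypothetical helpers.

```python
import struct

IGMP_TYPES = {0x11, 0x12, 0x16, 0x22, 0x17}  # types the bad-igmp-frame row accepts

def tcp_checks(seg: bytes) -> list:
    """Bad Header - TCP rows (assumption: 'all flags' = URG, ACK, PSH, RST, SYN, FIN)."""
    if len(seg) < 14 or (seg[12] >> 4) * 4 > len(seg):
        return ["tcp-hdr-len-gt-l2-len"]      # declared header runs past the buffer
    if seg[12] >> 4 < 5:
        return ["tcp-hdr-len-too-short"]      # Data Offset below five 32-bit words
    flags, seq = seg[13] & 0x3F, struct.unpack("!I", seg[4:8])[0]
    rules = [("bad-tcp-flags-all-set", flags == 0x3F),
             ("bad-tcp-flags-all-clr", flags == 0 and seq == 0),
             ("syn-and-fin-set", (flags & 0x03) == 0x03),
             ("fin-only-set", flags == 0x01)]
    return [name for name, hit in rules if hit]

def igmp_checks(msg: bytes) -> list:
    """Assumption: 'bits 7:0' is the IGMP type byte, 'bits 15:8' the byte after it."""
    bad = len(msg) < 8 or msg[0] not in IGMP_TYPES or (msg[1] != 0 and msg[0] != 0x11)
    return ["bad-igmp-frame"] if bad else []

def classify_ipv4(pkt: bytes) -> list:
    """Return the vector names from the table whose rule this raw IPv4 packet matches."""
    if not pkt or pkt[0] >> 4 != 4:
        return ["bad-ver"]
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20:
        return ["hdr-len-too-short"]
    if ihl > len(pkt):
        return ["hdr-len-gt-l2-len"]
    hits, l4 = [], pkt[ihl:]
    first_frag = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0  # L4 header only at offset 0
    if pkt[8] == 0:
        hits.append("bad-ttl-val")
    if pkt[12:16] == pkt[16:20]:
        hits.append("land-attack")
    if not l4:
        hits.append("no-l4")
    elif first_frag and pkt[9] == 6:
        hits += tcp_checks(l4)
    elif first_frag and pkt[9] == 2:
        hits += igmp_checks(l4)
    return hits

def build_ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", ttl=64):
    """Constructed sample packet; checksum stays 0 because ip-err-chksum is not modelled."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src, dst)
    return hdr + payload
```

A packet can match more than one row: a segment with all six flags set is reported as both bad-tcp-flags-all-set and syn-and-fin-set.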