
Symantec™ Security Gateways Reference Guide - Sawmill


IDS events

Denial-of-Service
Response: Response to this attack typically includes applying a patch from the vendor to fix the vulnerability on the victim system.
Affected: No specific targets.
False Positives: None known.

Fragmentation Attack
Base Event: IP_FRAG_OVERDROP3
Details: An “overdrop” attack was detected. An “overdrop” attack involves an attacker sending oversized IP packets. This triggers a bug in the victim system which can cause performance problems. The IP_FRAG_OVERDROP3 event corresponds to detecting that the fragments received would reassemble into an IPv4 datagram larger than 65535 bytes: fragments are sent out of order such that the IP header of the reassembled datagram contains options, making the IP header larger than the standard 20 bytes of an ordinary IP header, and this, together with the fragments already received, would reassemble into a datagram larger than 65535 bytes. The IP_FRAG_OVERDROP3 event differs from OVERDROP2 (even though both detect an overdrop caused by an out-of-order offset-zero fragment whose IP header options push an already reassembled datagram past the 65535-byte limit) in that the OVERDROP3 event is only thrown when both the first and last fragments have been seen for the given datagram reassembly, whereas OVERDROP2 does not require that the last fragment has been seen.
Response: Response to this attack typically includes applying a patch from the vendor to fix the vulnerability on the victim system.
Affected: No specific targets.
False Positives: None known.

Fragmentation Attack
Base Event: IP_FRAG_TEARDROP
Details: A “teardrop” attack was detected. A “teardrop” attack involves an attacker sending packet fragments that improperly overlap one another. This triggers a bug in the victim system which can cause crashes or performance problems.
Response: Response to this attack typically includes applying a patch from the vendor to fix the vulnerability on the victim system.
Affected: No specific targets.
False Positives: None known.
References: CVE-1999-0015

ICMP Flood
Base Event: COUNTER_ICMP_HIGH
Details: ICMP traffic is consuming an unusually large percentage of a network link. This is an attempt to flood the target network, usually with ICMP echo requests. An attacker may use the “ping” tool to send a large number of echo requests to the victim system in an attempt to consume most or all of the victim’s network capacity.
Response: Responses to ICMP floods typically include installing some sort of temporary network filter to eliminate the inbound packets and then locating and terminating the source of the flood. Note that in some floods the source addresses of the flooding packets may be forged to make the location effort more difficult.
