
Symantec™ Security Gateways Reference Guide - Sawmill

IDS events: Denial-of-Service (page 299)

Affected: No specific targets.
False Positives: It is possible for some legitimate network management tools to be detected as ICMP floods.
References: CERT

IP Fragment Flood
Base Event: COUNTER_IPFRAG_HIGH
Details: IP fragments are consuming an unusually large percentage of the network traffic. This is an attempt to flood the target network, usually with “garbage” packets. An attacker may use a tool to send a large number of IP fragment packets to the victim system or network in an attempt to consume most or all of the victim’s network capacity. It may also be an attempt to flood a particular application or service if targeted at a particular address and port.
Response: Responses to IP fragment floods typically include installing some sort of temporary network filter to eliminate the inbound packets and then locating and terminating the source of the flood. Note that in some floods the source addresses of the flooding packets may be forged to make the location effort more difficult.
Affected: No specific targets.
False Positives: It is possible for legitimate network applications which send large numbers of IP fragments to be detected as IP fragment floods. Applications which use UDP as a transport layer are more likely to generate this type of false positive since, unlike TCP, UDP has no provisions for breaking up large chunks of data, leaving any such datagram breakup to either the IP layer or the application program.

IP Header Length Overruns Packet Length
Base Event: IP_HEADERLEN_OVERRUNS_PACKETLEN
Details: The IP header length of a defragmented IP datagram exceeds the overall IP packet length specified in the IP header.
Affected: No specific targets.
False Positives: None known.

Land Attack
Base Event: IP_SRC_DST_SAME_LAND
Details: A “land” attack has been detected. A “land” attack involves an attacker sending a packet with the source and destination addresses set to the same value. This is a well known denial-of-service attack against some IP stack implementations that results in excessive CPU being consumed on the victim host while the host attempts to respond to itself. This attack may be used both against hosts and network devices.
Response: Response to this attack typically includes applying a patch from the vendor to fix the vulnerability on the victim system. Since the source address is forged, it is not possible to locate the attacker by examining the attack packets.
Affected: No specific targets.
False Positives: None known.
References: CVE-1999-0016
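The three header conditions described above (fragment share of traffic, header length larger than the packet length, source equal to destination) as a small detector over raw IPv4 headers. This is an added example, not code from the Symantec guide; the 50% fragment threshold and the sample packets are assumptions constructed for the example.

```python
import ipaddress
import struct

# Base event names as they appear in the reference guide
COUNTER_IPFRAG_HIGH = "COUNTER_IPFRAG_HIGH"
IP_HEADERLEN_OVERRUNS_PACKETLEN = "IP_HEADERLEN_OVERRUNS_PACKETLEN"
IP_SRC_DST_SAME_LAND = "IP_SRC_DST_SAME_LAND"

MF_FLAG = 0x2000      # "more fragments" bit in the flags/fragment-offset word
FRAG_OFFSET = 0x1FFF  # 13-bit fragment offset

def build_ipv4_header(src, dst, ihl=5, total_len=40, flags_frag=0):
    """Constructed sample header (no options, checksum left zero) for testing."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234,
                       flags_frag, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def check_ipv4_packet(pkt):
    """Return the base events raised by one defragmented IPv4 packet."""
    events = []
    if len(pkt) < 20:
        return events  # too short to decode a header; out of scope here
    ver_ihl, _tos, total_len = struct.unpack("!BBH", pkt[:4])
    header_len = (ver_ihl & 0x0F) * 4   # IHL is in 32-bit words
    src, dst = pkt[12:16], pkt[16:20]
    if header_len > total_len:          # header claims more bytes than the packet
        events.append(IP_HEADERLEN_OVERRUNS_PACKETLEN)
    if src == dst:                      # land: source == destination
        events.append(IP_SRC_DST_SAME_LAND)
    return events

def check_fragment_flood(pkts, threshold=0.5):
    """Flag COUNTER_IPFRAG_HIGH when fragments exceed `threshold` of the traffic.

    The 50% threshold is an assumption for this example; the guide only says
    "an unusually large percentage".
    """
    if not pkts:
        return []
    frags = 0
    for p in pkts:
        word = struct.unpack("!H", p[6:8])[0]
        if word & MF_FLAG or word & FRAG_OFFSET:   # any fragment, first or later
            frags += 1
    return [COUNTER_IPFRAG_HIGH] if frags / len(pkts) > threshold else []
```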