
Symantec™ Security Gateways Reference Guide - Sawmill

IDS events: Denial-of-Service (page 301)

SYN Flood
Base Event: COUNTER_ICMP_UDPUNREACHABLE_HIGH
Details: This indicates that a large number of ICMP packets indicating that a UDP destination was unreachable have been detected. This can indicate a UDP flood denial-of-service attack or that a port scan is taking place. UDP floods involve an attacker sending a large number of UDP packets to a destination with the intent of overwhelming the system resources on the victim host.
Response: Responses to UDP floods typically include installing some sort of temporary network filter to eliminate the traffic while locating the source and terminating it. However, since the source address may be forged, if the address range is too widely varied or intentionally crafted, such filters may end up denying service to desired connections as well.
Affected: No specific targets.
False Positives: It is possible that some network condition is denying the UDP packets. Some asymmetric network configurations can cause this type of behavior.

Telnet DOS
Base Event: TELNET_LIVINGSTON_DOS
Details: A denial-of-service attempt against a Livingston router administration port was detected. This may indicate an attacker intentionally attempting to prevent access to the victim device.
Response: Response typically includes location of the source and termination of the processes generating the traffic.
Affected: No specific targets.
False Positives: None known.
References: CVE-1999-0218; http://www.whitehats.com (arachNIDS #370); Telnet Specifications

UDP Flood
Base Event: COUNTER_UDP_HIGH
Details: UDP traffic is consuming more than 90 percent of the network traffic. This is considered unusual. This is an attempt to flood the target network, usually with "garbage" UDP packets. An attacker may use a tool to send a large number of UDP packets to the victim system or network in an attempt to consume most or all of the victim's network capacity. It may also be an attempt to flood a particular application or service if targeted at a particular address and port.
Response: Responses to UDP floods typically include installing some sort of temporary network filter to eliminate the inbound packets and then locating and terminating the source of the flood. Note that in some floods the source addresses of the flooding packets are forged to make the location effort more difficult.
Affected: No specific targets.
False Positives: It is possible for legitimate network applications which send large numbers of UDP packets to be detected as UDP floods. Possible examples of this are multimedia applications, some network file sharing applications and various tunneling tools.
References: CERT
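As an added illustration of the two counter-based events above (COUNTER_UDP_HIGH and COUNTER_ICMP_UDPUNREACHABLE_HIGH), the following detection logic was written for this page and is not code from Symantec or the guide. The 90 percent UDP share comes from the guide; the ICMP unreachable threshold, the Packet record, the sample windows and the allowed-port tuning for the multimedia false positive are assumptions.

```python
"""Window-based counters for two IDS events from the guide (constructed example)."""
from collections import Counter
from typing import Iterable, List, NamedTuple, Set

UDP_SHARE_THRESHOLD = 0.90    # from the guide: UDP above 90 percent of traffic is unusual
ICMP_UNREACH_THRESHOLD = 100  # assumed: the guide states no number for this counter


class Packet(NamedTuple):
    proto: str            # "tcp", "udp" or "icmp" (assumed record layout)
    dst_port: int         # 0 for ICMP
    icmp_type: int = -1   # 3 = destination unreachable
    icmp_code: int = -1   # 3 = port unreachable (UDP destination not listening)


def evaluate_window(packets: Iterable[Packet],
                    allowed_udp_ports: Set[int] = frozenset()) -> List[str]:
    """Return the base-event names that fire for one observation window."""
    counts: Counter = Counter()
    udp_unreach = 0
    for p in packets:
        if p.proto == "udp" and p.dst_port in allowed_udp_ports:
            # Tuned out: operator-listed multimedia / file-sharing port (guide's false positive).
            counts["udp_allowed"] += 1
        else:
            counts[p.proto] += 1
        if p.proto == "icmp" and p.icmp_type == 3 and p.icmp_code == 3:
            udp_unreach += 1
    total = sum(counts.values())
    events: List[str] = []
    if total and counts["udp"] / total > UDP_SHARE_THRESHOLD:
        events.append("COUNTER_UDP_HIGH")
    if udp_unreach >= ICMP_UNREACH_THRESHOLD:
        events.append("COUNTER_ICMP_UDPUNREACHABLE_HIGH")
    return events


# Constructed sample windows, not captured traffic.
FLOOD = [Packet("udp", 53)] * 950 + [Packet("tcp", 443)] * 50          # 95% UDP
UNREACH_BURST = [Packet("icmp", 0, 3, 3)] * 120 + [Packet("tcp", 22)] * 30
MEDIA = [Packet("udp", 5004)] * 950 + [Packet("tcp", 443)] * 50        # RTP-like stream

if __name__ == "__main__":
    print("flood:", evaluate_window(FLOOD))
    print("unreachable burst:", evaluate_window(UNREACH_BURST))
    print("media, untuned:", evaluate_window(MEDIA))
    print("media, port 5004 allowed:", evaluate_window(MEDIA, {5004}))
```

Allowlisted UDP still counts toward the window total, so tuning a known stream out lowers the UDP share rather than hiding the packets entirely.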
