Packet Anomaly protection detects and provides protection against packet anomalies. Generally, whenever a packet matching one of the predefined checks arrives, it is automatically blocked, discarded, and reported. However, you may wish to allow certain anomalous traffic to flow through the device without inspection.
The Packet Anomalies Table window enables you to allow certain packets to pass through the device without inspection and to define the risk factor.
This feature is not supported on management interfaces.
When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends anomalous packets to the specified physical port. You enable or disable the Packet Trace feature for all the packet-anomaly protections configured on the device.
To configure the Packet Trace status:
1. Select DefensePro > Packet Anomalies > Table.
2. From the Packet Trace Status drop-down list, select enable or disable.
3. Click Set.
To configure the packet anomalies parameters:
1. Select DefensePro > Packet Anomalies > Table.
2. Select the relevant ID from the table.
3. Configure the parameters, and click Set.
| Parameter | Description |
| --- | --- |
| ID | (Read-only) The ID number for the packet-anomaly protection. |
| Name | (Read-only) The name of the packet-anomaly protection. |
| Risk | The risk associated with the trap for the specific anomaly. Values: Info, Low, Medium, High. Default: Info |
| Action | The action that the device takes when the packet anomaly is detected. The action is only for the specified packet-anomaly protection. Values: |
| Report Action | The action that the DefensePro device takes on the anomalous packets when the specified Action is report or no-report. The Report Action is only for the specified packet-anomaly protection. Values: Note: You cannot select process for the following packet-anomaly protections: |
Default Configuration of Packet-Anomaly Protections
| Anomaly | Description |
| --- | --- |
| Unrecognized L2 Format (This anomaly is available only on x412 platforms. This anomaly cannot be sampled.) | Packets with more than two VLAN tags, L2 broadcast, or L2 multicast traffic. ID: 100. Default Action: No Report. Default Report Action: Process. Default Risk: Low |
| Incorrect IPv4 Checksum (This anomaly is available only on x412 platforms. This anomaly cannot be sampled.) | The IP packet header checksum does not match the packet header. ID: 103. Default Action: Drop. Default Report Action: Process. Default Risk: Low |
| Invalid IPv4 Header or Total Length | The IP packet header length does not match the actual header length, or the IP packet total length does not match the actual packet length. ID: 104. Default Action: Drop. Report Action: Bypass. Default Risk: Low |
| TTL Less Than or Equal to 1 | The TTL field value is less than or equal to 1. ID: 105. Default Action: Report. Default Report Action: Process. Default Risk: Low |
| Inconsistent IPv6 Headers | Inconsistent IPv6 headers. ID: 107. Default Action: Drop. Report Action: Bypass (you cannot select Process for this packet-anomaly protection). Default Risk: Low |
| IPv6 Hop Limit Reached | IPv6 hop limit is not greater than 1. ID: 108. Default Action: Report. Default Report Action: Process. Default Risk: Low |
| Unsupported L4 Protocol | Traffic other than UDP, TCP, ICMP, or IGMP. ID: 110. Default Action: No Report. Default Report Action: Process. Default Risk: Low |
| Invalid TCP Flags | The TCP flags combination is not according to the standard. ID: 113. Default Action: Drop. Default Report Action: Process. Default Risk: Low |
| Source or Dest. Address same as Local Host | The IP packet source address or destination address is equal to the local host. ID: 119. Default Action: Drop. Default Report Action: Process. Default Risk: Low |
| Source Address same as Dest Address (Land Attack) | The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack. ID: 120. Default Action: Drop. Default Report Action: Process. Default Risk: Low |
| L4 Source or Dest. Port Zero | The Layer 4 source port or destination port equals zero. ID: 125. Default Action: Drop. Default Report Action: Process. Default Risk: Low |
| Invalid L4 Header Length | The length of the Layer 4, TCP/UDP/SCTP header is invalid. ID: 131. Default Action: Drop. Report Action: Bypass (you cannot select Process for this packet-anomaly protection). Default Risk: Low |
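The following added example (not part of the original documentation and not DefensePro code) evaluates several of the checks from the table above on a raw IPv4 packet and returns the matching anomaly IDs, which is useful when triaging a Packet Trace capture offline. The function names, the constructed sample packets, and the choice to stop parsing once anomaly 104 matches are assumptions made for illustration.

```python
import struct

# Anomaly IDs come from the table above; each check is an illustrative
# reading of the table's description, not the device's implementation.
L4_SUPPORTED = {1, 2, 6, 17}  # ICMP, IGMP, TCP, UDP

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(packet: bytes) -> list[int]:
    """Return the IDs of every listed anomaly a raw IPv4 packet matches."""
    if not packet or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if len(packet) < 20:
        return [104]
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or ihl > len(packet) or total_len != len(packet):
        return [104]  # lengths cannot be trusted, so stop parsing here
    hits = []
    if ipv4_checksum(packet[:ihl]) != 0:
        hits.append(103)  # Incorrect IPv4 Checksum
    if packet[8] <= 1:
        hits.append(105)  # TTL Less Than or Equal to 1
    proto = packet[9]
    if proto not in L4_SUPPORTED:
        hits.append(110)  # Unsupported L4 Protocol
    if packet[12:16] == packet[16:20]:
        hits.append(120)  # Source Address same as Dest Address
    if proto in (6, 17) and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if sport == 0 or dport == 0:
            hits.append(125)  # L4 Source or Dest. Port Zero
    return hits

def build(src, dst, ttl=64, proto=17, sport=5353, dport=53, fix_sum=True):
    """Constructed sample: 20-byte IPv4 header plus an 8-byte UDP-style header."""
    l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0,
                                ttl, proto, 0, bytes(src), bytes(dst)))
    if fix_sum:
        hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + l4
```

The remaining rows (IDs 100, 107, 108, 113, 119 and 131) are left out because they need Layer 2 framing, IPv6 parsing, knowledge of the local host address, or details the table does not spell out.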