Packet Anomalies Attacks

Packet Anomaly protection detects malformed packets that match a set of predefined header checks. By default, a packet that matches one of these checks is blocked, discarded, and reported. However, you may want to allow certain anomalous traffic to pass through the device without inspection.

The Packet Anomalies Table window enables you to allow certain anomalous packets to pass through the device without inspection, and to define the risk factor for each anomaly.

This feature is not supported on management interfaces.

When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends anomalous packets to the specified physical port. You enable or disable the Packet Trace feature for all the packet-anomaly protections configured on the device.

To configure the Packet Trace status

  1. Select DefensePro > Packet Anomalies > Table.

  2. From the Packet Trace Status drop-down list, select enable or disable.

  3. Click Set.

 

To configure the packet anomalies parameters

  1. Select DefensePro > Packet Anomalies > Table.

  2. Select the relevant ID from the table.

  3. Configure the parameters, and click Set.

Packet Anomalies Table parameters

ID
    (Read-only) The ID number for the packet-anomaly protection.

Name
    (Read-only) The name of the packet-anomaly protection.

Risk
    The risk level associated with the trap for the specific anomaly.
    Values: Info, Low, Medium, High
    Default: Info

Action
    The action that the device takes when the packet anomaly is detected. The action applies only to the specified packet-anomaly protection.
    Values:
      • block—The device discards the anomalous packets and issues a trap.
      • report—The device issues a trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules; if the Report Action is Bypass, the packet bypasses the rest of the device modules.
      • no-report—The device issues no trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules; if the Report Action is Bypass, the packet bypasses the rest of the device modules.

Report Action
    The action that the DefensePro device takes on the anomalous packets when the specified Action is report or no-report. The Report Action applies only to the specified packet-anomaly protection.
    Values:
      • bypass—The anomalous packets bypass the device.
      • process—The DefensePro modules process the anomalous packets. If the anomalous packets are part of an attack, DefensePro can mitigate the attack.
    Note: You cannot select process for the following packet-anomaly protections:
      • 104—Invalid IP Header or Total Length
      • 107—Inconsistent IPv6 Headers
      • 131—Invalid L4 Header Length

Default Configuration of Packet-Anomaly Protections

ID 100  Unrecognized L2 Format
        Packets with more than two VLAN tags, L2 broadcast, or L2 multicast traffic. (Available only on x412 platforms; this anomaly cannot be sampled.)
        Default Action: No Report    Default Report Action: Process    Default Risk: Low

ID 103  Incorrect IPv4 Checksum
        The IP packet header checksum does not match the packet header. (Available only on x412 platforms; this anomaly cannot be sampled.)
        Default Action: Drop    Default Report Action: Process    Default Risk: Low

ID 104  Invalid IPv4 Header or Total Length
        The IP header length field does not match the actual header length, or the IP total length field does not match the actual packet length.
        Default Action: Drop    Report Action: Bypass (Process cannot be selected)    Default Risk: Low

ID 105  TTL Less Than or Equal to 1
        The TTL field value is less than or equal to 1.
        Default Action: Report    Default Report Action: Process    Default Risk: Low

ID 107  Inconsistent IPv6 Headers
        Inconsistent IPv6 headers.
        Default Action: Drop    Report Action: Bypass (Process cannot be selected)    Default Risk: Low

ID 108  IPv6 Hop Limit Reached
        The IPv6 hop limit is not greater than 1.
        Default Action: Report    Default Report Action: Process    Default Risk: Low

ID 110  Unsupported L4 Protocol
        Traffic other than UDP, TCP, ICMP, or IGMP.
        Default Action: No Report    Default Report Action: Process    Default Risk: Low

ID 113  Invalid TCP Flags
        The TCP flags combination does not conform to the standard.
        Default Action: Drop    Default Report Action: Process    Default Risk: Low

ID 119  Source or Dest. Address same as Local Host
        The IP packet source address or destination address is equal to the local host.
        Default Action: Drop    Default Report Action: Process    Default Risk: Low

ID 120  Source Address same as Dest Address (Land Attack)
        The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.
        Default Action: Drop    Default Report Action: Process    Default Risk: Low

ID 125  L4 Source or Dest. Port Zero
        The Layer 4 source port or destination port equals zero.
        Default Action: Drop    Default Report Action: Process    Default Risk: Low

ID 131  Invalid L4 Header Length
        The length of the Layer 4 (TCP/UDP/SCTP) header is invalid.
        Default Action: Drop    Report Action: Bypass (Process cannot be selected)    Default Risk: Low
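Most of the anomalies listed above are plain header-consistency tests, and it helps to see what each one means at the byte level. The following Python script is added here as an illustration; it is not DefensePro's own code and does not reproduce the device's exact rules. It re-implements the IPv4 and L4 checks (IDs 103, 104, 105, 110, 113, 120, 125, 131) over raw IPv4 packets that the script constructs itself. Anomalies 100, 107, 108 and 119 are left out because they need L2 framing, IPv6 parsing, or knowledge of the device's own addresses. The TCP-flag rule in invalid_tcp_flags is a conservative interpretation of "not according to the standard" (an assumption, since the page does not enumerate the flag combinations), and the sample addresses and ports are constructed values.

```python
import struct
from ipaddress import IPv4Address

# Anomaly IDs and names taken from the DefensePro default-configuration table.
ANOMALY_NAMES = {
    103: "Incorrect IPv4 Checksum", 104: "Invalid IPv4 Header or Total Length",
    105: "TTL Less Than or Equal to 1", 110: "Unsupported L4 Protocol",
    113: "Invalid TCP Flags", 120: "Source Address same as Dest Address (Land Attack)",
    125: "L4 Source or Dest. Port Zero", 131: "Invalid L4 Header Length",
}
SUPPORTED_L4 = {1, 2, 6, 17}  # ICMP, IGMP, TCP, UDP: the protocols the table names
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; the caller passes the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def invalid_tcp_flags(flags: int) -> bool:
    """Conservative reading of 'not according to the standard' (assumption, not DefensePro's rule set)."""
    if flags == 0:
        return True  # no flag set at all ("null" segment)
    if flags & SYN and flags & (FIN | RST):
        return True  # SYN never travels together with FIN or RST
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN):
        return True  # FIN/PSH/URG are only meaningful on a segment that also carries ACK
    return False


def check_packet(pkt: bytes) -> list[int]:
    """Return the anomaly IDs that a raw IPv4 packet (no L2 header) triggers."""
    if len(pkt) < 20:
        return [104]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, hdr_csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # 104: header-length or total-length field disagrees with the bytes actually present
    if ihl < 20 or ihl > len(pkt) or total_len != len(pkt):
        return [104]  # nothing after the header can be trusted, so stop here
    found = []
    # 103: recompute the header checksum with the checksum field zeroed
    if ipv4_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl]) != hdr_csum:
        found.append(103)
    if ttl <= 1:
        found.append(105)
    if src == dst:
        found.append(120)
    if proto not in SUPPORTED_L4:
        found.append(110)
    l4 = pkt[ihl:]
    if proto == 6:  # TCP: fixed header is 20 bytes, data offset is in 32-bit words
        if len(l4) < 20:
            return found + [131]
        sport, dport = struct.unpack("!HH", l4[:4])
        data_offset = (l4[12] >> 4) * 4
        if data_offset < 20 or data_offset > len(l4):
            found.append(131)
        if sport == 0 or dport == 0:
            found.append(125)
        if invalid_tcp_flags(l4[13] & 0x3F):
            found.append(113)
    elif proto == 17:  # UDP: fixed header is 8 bytes and carries its own length field
        if len(l4) < 8:
            return found + [131]
        sport, dport, udp_len = struct.unpack("!HHH", l4[:6])
        if udp_len < 8 or udp_len > len(l4):
            found.append(131)
        if sport == 0 or dport == 0:
            found.append(125)
    return found


def build_ipv4(src, dst, proto, payload, ttl=64, checksum=None, total_len=None):
    """Constructed test packet; checksum and total_len can be overridden to fake a defect."""
    if total_len is None:
        total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    if checksum is None:
        checksum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:] + payload


def build_tcp(sport, dport, flags, data_offset=5):
    """Constructed 20-byte TCP header with no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset << 4, flags, 65535, 0, 0)


def sample_verdicts() -> dict[str, list[int]]:
    """Constructed packets, one per anomaly plus a clean one; addresses and ports are sample values."""
    a, b = "10.0.0.1", "10.0.0.2"
    syn = build_tcp(40000, 80, SYN)
    return {
        "clean":        check_packet(build_ipv4(a, b, 6, syn)),
        "bad_checksum": check_packet(build_ipv4(a, b, 6, syn, checksum=0)),
        "bad_length":   check_packet(build_ipv4(a, b, 6, syn, total_len=60)),
        "ttl_1":        check_packet(build_ipv4(a, b, 6, syn, ttl=1)),
        "gre":          check_packet(build_ipv4(a, b, 47, b"\x00" * 4)),
        "syn_fin":      check_packet(build_ipv4(a, b, 6, build_tcp(40000, 80, SYN | FIN))),
        "land":         check_packet(build_ipv4(b, b, 6, syn)),
        "port_zero":    check_packet(build_ipv4(a, b, 6, build_tcp(0, 80, SYN))),
        "short_tcp":    check_packet(build_ipv4(a, b, 6, b"\x00" * 10)),
    }


if __name__ == "__main__":
    for case, ids in sample_verdicts().items():
        print(f"{case:13s} -> {[ANOMALY_NAMES[i] for i in ids] or ['none']}")
```

Two design points carry over to how the device behaves. check_packet stops as soon as it finds anomaly 104, because a wrong header or total length means the later fields cannot be located reliably; that is the same reason the table fixes the Report Action for 104, 107 and 131 at Bypass rather than letting the remaining modules process the packet. The checksum test (103) recomputes the checksum over the header with the checksum field zeroed, which is what "does not match the packet header" means in practice.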