The intrusion detection module lets administrators detect and reject malformed traffic designed to compromise the security and performance of the protected computers. This type of traffic can cause user programs to malfunction and lead to serious security issues, such as remote execution of applications by attackers or data theft.
Adaptive Defense 360 provides protection against 15 generic attack patterns. Each protection can be enabled or disabled by selecting or clearing its checkbox. The supported types of malformed traffic and the protection provided against each are described below:
IP explicit path: Rejects IP packets with an explicit source route field. These packets are not routed according to their destination IP address; instead, the route is specified in the packet itself.
Land Attack: Stops denial-of-service attacks that loop the TCP/IP stack, by detecting packets whose source and destination addresses are identical.
SYN flood: This attack sends a massive number of TCP connection attempts to force the targeted computers to commit resources for each one. The protection enforces a maximum number of open TCP connections so that the computer under attack does not become saturated.
TCP Port Scan: Detects whether a host tries to connect to several ports within a specific time period. It blocks the attack by suppressing replies to the suspicious host. It also filters the replies so that the sender does not even receive closed-port replies.
TCP Flags Check: Detects TCP packets with invalid flag combinations. It complements the port scan protection by blocking scans of that type, such as "SYN&FIN" and "NULL FLAGS". It also complements the protection against OS fingerprinting, since many fingerprinting techniques rely on replies to invalid TCP packets.
Header Lengths
IP: Rejects inbound packets with an IP header length that exceeds a specific limit.
TCP: Rejects inbound packets with a TCP header length that exceeds a specific limit.
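The stateless checks above (IP explicit path, Land Attack, TCP Flags Check and the two header-length limits) can all be made from a single packet with no connection state. The following Python script is an added example, not Adaptive Defense 360's own code: it parses a raw IPv4/TCP packet and reports which of those checks it trips. The header-length limits (MAX_IP_HDR, MAX_TCP_HDR) are assumed values, since the page does not state the product's limits, and build_packet only constructs sample input for the inspector; it does not send anything.

```python
import socket
import struct
from typing import List

# TCP flag bits, as carried in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# IPv4 option types for loose and strict source routing (the "explicit path" options).
IPOPT_LSRR, IPOPT_SSRR = 131, 137
# Assumed header-length limits in bytes. The page says the limits are "specific" but does
# not state them; 40 is chosen here so that a 60-byte (maximum) header exceeds it.
MAX_IP_HDR, MAX_TCP_HDR = 40, 40


def inspect_ipv4(raw: bytes) -> List[str]:
    """Return the names of the malformed-traffic checks an IPv4 packet triggers."""
    hits: List[str] = []
    if len(raw) < 20:
        return ["truncated IP header"]
    ver_ihl, _tos, _total, _id, _frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes (IHL is in 32-bit words)
    src, dst = raw[12:16], raw[16:20]
    if ihl < 20 or ihl > len(raw):
        return ["invalid IHL"]
    if ihl > MAX_IP_HDR:
        hits.append("IP header length")
    if src == dst:                        # Land attack: source and destination identical
        hits.append("Land Attack")
    # Walk the IPv4 options list looking for a source-route option.
    opts, i = raw[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # single-byte no-op
            i += 1
            continue
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            hits.append("IP explicit path")
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # malformed option length
            break
        i += opts[i + 1]
    if proto == 6 and len(raw) >= ihl + 20:        # TCP payload
        tcp = raw[ihl:]
        data_off = (tcp[12] >> 4) * 4     # TCP header length in bytes
        flags = tcp[13]
        if data_off > MAX_TCP_HDR:
            hits.append("TCP header length")
        if flags & SYN and flags & FIN:   # SYN and FIN never legitimately appear together
            hits.append("TCP Flags Check: SYN&FIN")
        if flags == 0:                    # no flags at all ("NULL" scan packet)
            hits.append("TCP Flags Check: NULL FLAGS")
    return hits


def build_packet(src: str, dst: str, flags: int = SYN,
                 ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Construct a sample IPv4/TCP packet as input for the inspector.

    Checksums are left at zero and nothing is sent; this only produces test data.
    """
    pad = lambda b: b.ljust(-(-len(b) // 4) * 4, b"\x00")   # pad to a 32-bit boundary
    ip_options, tcp_options = pad(ip_options), pad(tcp_options)
    ihl_words = 5 + len(ip_options) // 4
    off_words = 5 + len(tcp_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, off_words << 4, flags, 8192, 0, 0) + tcp_options
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + len(tcp),
                     0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst)) + ip_options
    return ip + tcp


if __name__ == "__main__":
    # Constructed samples: one clean packet and one per check.
    samples = {
        "normal SYN": build_packet("10.0.0.5", "10.0.0.9"),
        "land": build_packet("10.0.0.9", "10.0.0.9"),
        "syn+fin": build_packet("10.0.0.5", "10.0.0.9", flags=SYN | FIN),
        "null flags": build_packet("10.0.0.5", "10.0.0.9", flags=0),
        "source-routed": build_packet("10.0.0.5", "10.0.0.9",
                                      ip_options=bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 1])),
        "long TCP header": build_packet("10.0.0.5", "10.0.0.9", tcp_options=b"\x01" * 40),
        "long IP header": build_packet("10.0.0.5", "10.0.0.9", ip_options=b"\x01" * 24),
    }
    for name, pkt in samples.items():
        print(f"{name:16} -> {inspect_ipv4(pkt) or ['accept']}")
```

The option walk matters for the explicit-path check: a source-route option can sit anywhere in the options area, and a truncated option length must stop the loop rather than read past the header.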
Fragmentation control: Checks the status of packet fragments awaiting reassembly at the destination, protecting the system against memory overflow attacks caused by missing fragments, ICMP redirects disguised as UDP, and computer scanning.
UDP Flood: Rejects UDP streams to a specific port if the number of UDP packets exceeds a preconfigured threshold within a given period.
UDP Port Scan: Protects the system against UDP port scanning attacks.
Smart WINS: Rejects WINS replies that do not correspond to requests sent by the computer.
Smart DNS: Rejects DNS replies that do not correspond to requests sent by the computer.
Smart DHCP: Rejects DHCP replies that do not correspond to requests sent by the computer.
ICMP Attack: This filter performs various checks:
SmallPMTU: By inspecting ICMP packets, the protection detects invalid MTU values used to mount a denial-of-service attack or slow down outbound traffic.
SMURF: The attack involves sending large amounts of ICMP echo request traffic to the network broadcast address with the source address spoofed to the victim's address. Most computers on the network reply to the victim, multiplying the traffic. The protection rejects unsolicited ICMP replies if they exceed a certain threshold within a specific time period.
Drop unsolicited ICMP replies: Rejects all unsolicited ICMP replies and ICMP replies that have expired due to timeout.
ICMP Filter echo request: Rejects ICMP echo requests.
Smart ARP: Rejects ARP replies that do not correspond to requests sent by the protected computer to avoid ARP cache poisoning scenarios.
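The remaining protections are stateful: TCP Port Scan and UDP Flood count events per host or port inside a sliding time window, and Smart WINS, Smart DNS, Smart DHCP, Smart ARP and the unsolicited-ICMP-reply check all accept a reply only if the protected computer recently sent a matching request. The following Python class is an added example of that bookkeeping, not the product's implementation: the thresholds (SCAN_PORTS, SCAN_WINDOW, FLOOD_PACKETS, FLOOD_WINDOW, REPLY_TIMEOUT) are assumed values, and the request keys (a DNS transaction id, an ARP target address) are constructed for the demonstration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Hashable, Tuple

# Assumed thresholds for illustration; the product's values are configurable and not stated on the page.
SCAN_PORTS, SCAN_WINDOW = 10, 5.0        # more than 10 distinct TCP ports from one source within 5 s
FLOOD_PACKETS, FLOOD_WINDOW = 100, 1.0   # more than 100 UDP packets to one port within 1 s
REPLY_TIMEOUT = 2.0                      # seconds an outstanding DNS/ARP/ICMP request stays valid


class TrafficMonitor:
    """Sliding-window counters and request/reply matching for the stateful checks."""

    def __init__(self) -> None:
        self.ports_by_src: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.udp_by_port: Dict[int, Deque[float]] = defaultdict(deque)
        self.pending: Dict[Tuple[str, Hashable], Deque[float]] = {}
        self.blocked_hosts = set()

    @staticmethod
    def _expire(dq: deque, now: float, window: float, key=lambda e: e) -> None:
        """Drop entries older than the window from the left of a time-ordered deque."""
        while dq and now - key(dq[0]) > window:
            dq.popleft()

    def tcp_syn(self, src: str, dport: int, now: float) -> str:
        """TCP Port Scan: once a source exceeds SCAN_PORTS distinct ports, drop all its traffic."""
        if src in self.blocked_hosts:
            return "drop"
        dq = self.ports_by_src[src]
        self._expire(dq, now, SCAN_WINDOW, key=lambda e: e[0])
        dq.append((now, dport))
        if len({port for _, port in dq}) > SCAN_PORTS:
            self.blocked_hosts.add(src)          # no replies at all, not even for closed ports
            return "drop"
        return "accept"

    def udp_packet(self, dport: int, now: float) -> str:
        """UDP Flood: drop packets to a port whose rate exceeds FLOOD_PACKETS per FLOOD_WINDOW."""
        dq = self.udp_by_port[dport]
        self._expire(dq, now, FLOOD_WINDOW)
        dq.append(now)
        return "drop" if len(dq) > FLOOD_PACKETS else "accept"

    def request_sent(self, proto: str, key: Hashable, now: float) -> None:
        """Record an outbound request (e.g. DNS id, ARP target, ICMP echo id) the host just sent."""
        self.pending.setdefault((proto, key), deque()).append(now)

    def reply_received(self, proto: str, key: Hashable, now: float) -> str:
        """Smart DNS/ARP/etc.: accept a reply only if a fresh matching request is outstanding."""
        dq = self.pending.get((proto, key))
        if not dq:
            return "drop"                        # unsolicited reply
        self._expire(dq, now, REPLY_TIMEOUT)
        if not dq:
            del self.pending[(proto, key)]
            return "drop"                        # request existed but has timed out
        dq.popleft()                             # one reply consumes one request
        return "accept"


if __name__ == "__main__":
    m = TrafficMonitor()
    # Constructed scan: one source touching ports 1..12 within a few milliseconds.
    print([m.tcp_syn("203.0.113.7", p, 0.01 * p) for p in range(1, 13)])
    # Constructed DNS exchange: reply without request, then a matched request/reply pair.
    print(m.reply_received("dns", 0x1A2B, 1.0))
    m.request_sent("dns", 0x1A2B, 1.0)
    print(m.reply_received("dns", 0x1A2B, 1.5), m.reply_received("dns", 0x1A2B, 1.6))
```

Two details are worth noting. The port scan check counts distinct ports rather than packets, so a legitimate client retrying one port is not penalised, and once a host is flagged it gets no replies of any kind, which matches the page's description of suppressing even closed-port replies. The reply matcher consumes one outstanding request per accepted reply, so a spoofed second answer to the same DNS transaction id is dropped even though the first one was legitimate.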
OS Detection: Falsifies data in replies to the sender to mislead operating system detectors. This prevents attacks that exploit vulnerabilities associated with the detected operating system. This protection complements the TCP Flags Check.