SpeedStream Router User Guide
•TCP Xmas Flags:
The TCP Xmas flag configuration is an invalid combination of the FIN, URG and PUSH flags. This packet can cause some hosts to crash.
•Fragmented TCP Packet:
As discussed in the Invalid IP Packet Fragment description, packets may be fragmented in transit. While it is entirely valid to fragment a TCP packet, this is rarely done because of a process called “MTU discovery” that occurs when two hosts begin communicating. The rarity of TCP packet fragmentation makes its occurrence suspicious and could indicate a flawed network stack exploit attempt.
•Fragmented TCP Header:
This indicates that the TCP header in the packet was split into multiple IP fragments. This never normally occurs and is most likely a flawed network stack exploit attempt.
•Fragmented UDP Header:
This indicates that the IP header in the packet was split into multiple IP fragments. This never normally occurs and is most likely a flawed network stack exploit attempt.
•Fragmented ICMP Header:
This indicates that the ICMP header in the packet was split into multiple IP fragments. This never normally occurs and is most likely a flawed network stack exploit attempt.
•Inconsistent UDP/IP header lengths:
Also known as a “UDP bomb,” this indicates that a UDP length less than the IP length was received. This does not occur normally and is most likely a flawed network stack exploit attempt.
•Inconsistent IP header lengths:
This indicates that a length greater than the one indicated by the IP length in the header was received. This does not occur normally and is most likely a flawed network stack exploit attempt.
When logging is selected for a particular offending packet, the ADS will write an entry to the firewall log once a minute for as long as the attack persists. This allows one to tell that
a
Enable ADS
•On the main menu, click Setup, then click Firewall, and then click ADS.
The Attack Detection System Configuration window displays.
76
