The table below lists some of the important abbreviations with their fully expanded word/phrase used in this document
| Setting | Description |
|---|---|
| IP | Internet Protocol Address |
| Src | Source |
| Dst | Destination |
| P2P | Peer to Peer |
| ToS | Type of Service |
| DoS | Denial of Service |
| TCP: U-A-P-R-S-F | TCP: Urg – Ack – Psh – Rst – Syn – Fin |
The table below lists the set of classes used for classifying problems with a brief description
| Class Name | Description |
|---|---|
| Bad Src – Dst | Either the Src IP or the Dst IP of the flow is suspicious |
| Suspect Flows | Some attribute(s) other than Src IP and Dst IP of the flow is suspicious |
| DoS | Denial of Service Attack |
The table below lists the set of problems detected, their classification followed by a brief description
|
Problem Name |
Description |
|---|---|
|
Invalid Src-Dst Flows |
Invalid Src or Dst IP irrespective of whatever be the enterprise perimeter, for example, Loopback IPs or IANA Local IPs in either Src or Dst IP |
|
Non Unicast Source Flows |
Src IP is either Multicast or Broadcast or Network IP i.e., not Unicast |
|
Excess Multicast Flows |
Multicast traffic exceeds threshold for any given Src IP |
|
Excess Broadcast Flows |
Broadcast traffic exceeds threshold for any given Src IP |
|
Excess Networkcast Flows |
Network IP destined traffic exceeds threshold for any given Src IP |
|
Malformed IP Packets |
Flows with BytePerPacket less than or equal to the minimum 20 octets (bytes) |
|
Invalid ToS Flows |
Flows with invalid ToS values |
|
Malformed TCP Packets |
TCP Flows with BytePerPacket less than the minimum 40 octets (bytes) |
|
Excess Empty TCP Packets |
TCP Flows without any payload ie., BytePerPacket exactly 40 octets (bytes) with TCP FLAGS value IN (25–27, 29–31). All other TCP FLAGS values are included in other TCP based events given below |
|
Excess Short TCP Handshake Packets |
TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (19/ASF, 22/ARS, 23/ARSF), denoting opened & closed TCP Sessions, exceeds threshold |
|
TCP Null Violations |
TCP Flows with TCP Flags value equals 0/Null |
|
TCP Syn Violations |
TCP Flows with TCP Flags value equals 2/Syn |
|
TCP Syn_Fin Violations |
TCP Flows with TCP Flags value IN (3/SF, 7/RSF), denoting TCP Syn_Fin –or– Syn_Rst_Fin Flows, but without Urg/Ack/Psh Flags. |
|
Excess Short TCP Syn_Ack Packets |
TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 18/SA exceeds threshold |
|
Excess Short TCP Syn_Rst Packets |
TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 6/RS, denoting TCP Syn_Rst Flows, but without Urg/Ack/Psh Flags, exceeds threshold |
|
TCP Rst Violations |
TCP Flows with TCP Flags value equals 4/R |
|
Excess Short TCP Rst_Ack Packets |
TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (20/AR, 21/ARF), denoting TCP Rst_Ack Flows, exceeds threshold |
|
TCP Fin Violations |
TCP Flows with TCP Flags value IN (1/F, 5/RF) |
|
Excess Short TCP Fin_Ack Packets |
TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 17/FA exceeds threshold |
|
Excess Short TCP Psh_Ack_No-Syn_Fin Packets |
TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (24/PA, 28/APR), denoting TCP Psh_Ack but without Syn/Fin, exceeds threshold |
|
Excess Short TCP Psh_No-Ack Packets |
TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value IN (8/P, 42/UPS, 43/UPSF, 44/UPR, 45/UPRF, 46/UPRS, 47/UPRSF), denoting TCP Psh but without Ack, exceeds threshold |
|
Excess Short TCP Ack Packets |
TCP Flows with nominal payload ie., BytePerPacket between 40 and 44 octets (bytes) and TCP Flags value equals 16/A, denoting TCP Ack, exceeds threshold |
|
TCP Xmas Violations |
TCP Flows with TCP Flags value equals 41/UPF |
|
TCP Urg Violations |
TCP Flows with TCP Flags value IN (32-40, 42-63), denoting all combinations of Urg Flag except the XMAS combination |
|
Malformed ICMP Packets |
ICMP Flows with BytePerPacket less than the minimum 28 octets (bytes) |
|
Excess ICMP Requests |
ICMP Request Flows with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) exceeds threshold |
|
Excess ICMP Responses |
ICMP Response Flows with Dst Port value IN (0/Echo Reply, 3584/Timestamp Reply, 4096/Information Reply, 4608/Address Mask Reply) exceeds threshold |
|
ICMP Network Unreachables |
ICMP Network Unreachable Flows with Dst Port value IN (768/Network Unreachable, 774/Network Unknown, 777/Network Administratively Prohibited, 779/Network Unreachable for TOS) |
|
ICMP Host Unreachables |
ICMP Host Unreachable Flows with Dst Port value IN (769/Host Unreachable, 773/Source Route Failed, 775/Host Unknown, 776/Source Host Isolated (obsolete), 778/Host Administratively Prohibited, 780/Host Unreachable for TOS, 781/Communication administratively prohibited by filtering) |
|
ICMP Port Unreachables |
ICMP Port Unreachable Flows with Dst Port value equals 771/Port Unreachable |
|
ICMP Unreachables for ToS |
ICMP ToS Unreachable Flows with Dst Port value IN (779/Network Unreachable for TOS, 780/Host Unreachable for TOS) |
|
ICMP Redirects |
ICMP Redirect Flows with Dst Port value IN (1280/Redirect for Network, 1281/Redirect for Host, 1282/Redirect for ToS and Network, 1283/Redirect for ToS and Host) |
|
ICMP Time Exceeded Flows |
ICMP Time Exceeded Flows with Dst Port IN (2816/Time-to-live equals 0 During Transit, 2817/Time-to-live equals 0 During Reassembly). Indicates Traceroute attempt or datagram fragment reassembly failure. |
|
ICMP Parameter Problem Flows |
ICMP Parameter Problem Flows with Dst Port IN (3072/IP Header Bad, 3073/Required Option Missing, 3074/Bad Length). Generally indicates some local or remote implementation error ie., invalid datagrams. |
|
ICMP Trace Route Flows |
ICMP Traceroute Flows with Dst Port equals 7680/Trace Route. Indicates traceroute attempt. |
|
ICMP Datagram Conversion Error Flows |
ICMP Datagram Conversion Error Flows with Dst Port value equals 7936/Datagram Conversion Error ie., for valid datagrams. |
|
Malformed UDP Packets |
UDP Flows with BytePerPacket less than the minimum 28 octets (bytes) |
|
Excess Empty UDP Packets |
UDP Flows without any payload ie., BytePerPacket exactly 28 octets (bytes) |
|
Excess Short UDP Packets |
UDP Flows with nominal payload ie., BytePerPacket between 29 and 32 octets (bytes), exceeds threshold |
|
Excess UDP Echo Requests |
UDP Echo Request to Dst Port 7 (Echo) exceeds threshold |
|
Excess UDP Echo Responses |
UDP Echo Response from Src Port 7 (Echo) exceeds threshold |
|
Land Attack Flows |
Flows with the same Src IP & Dst IP. Causes the target machine to reply to itself continuously |
|
ICMP Request Broadcasts |
ICMP Request Flows with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) sent to a Broadcast/Multicast IP. Indicates possible amplification attack on the Src IP. |
|
ICMP Protocol Unreachables |
ICMP Protocol Unreachable Flows with Dst Port value equals (770/Protocol Unreachable). Can be used to perform a denial of service on active TCP sessions, causing the TCP connection to be dropped. |
|
ICMP Source Quench Flows |
ICMP Source Quench Flows with Dst Port value equals (1024/Source Quench). Out dated. But can be used to attempt a denial of service by limiting the bandwidth of a router or host. |
|
Snork Attack Flows |
UDP Flows with Src Port IN (7, 19, 135) and Dst Port IN (135). Indicates denial of service attack against Windows NT RPC Service |
|
UDP Echo Request Broadcasts |
UDP Echo Request to Dst Port 7 (Echo) sent to a Broadcast/Multicast IP. Indicates possible amplification attack on the Src IP. |
|
UDP Echo-Chargen Broadcasts |
UDP Flows, from Src Port 7/Echo to Dst Port 19/Chargen, sent to a Broadcast/Multicast IP. Indicates possible amplification attack on the Src IP. |
|
UDP Chargen-Echo Broadcasts |
UDP Flows, from Src Port 19/Chargen to Dst Port 7/Echo, sent to a Broadcast/Multicast IP. Indicates possible amplification attack on the Src IP. |
|
Excess UDP Echo-Chargen Flows |
UDP Flows, from Src Port 7/Echo to Dst Port 19/Chargen, sent to any unicast IP exceeds threshold. Indicates possible amplification attack on the Src IP. |
|
Excess UDP Chargen-Echo Flows |
UDP Flows, from Src Port 19/Chargen to Dst Port 7/Echo, sent to any unicast IP exceeds threshold. Indicates possible amplification attack on the Src IP. |