ARP Flood |
ARP packet flood |
Yes |
Bad ICMP Checksum |
An ICMP frame checksum is bad. Reuse the TCP or UDP
checksum bits in the packet. |
Yes |
Bad ICMP Frame |
The ICMP frame is either the wrong size or not one of
the valid IPv4 or IPv6 types. |
Yes |
Bad IGMP Frame |
IPv4 IGMP packets should have a header >= 8 bytes.
Bits 7:0 should be either 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad.
Bits 15:8 should be non-zero only if bits 7:0 are 0x11, or else the header is bad. |
Yes |
Bad IP TTL Value |
Time-to-live equals zero for an IPv4 address. |
Yes |
Bad IP Version |
The IPv4 address version in the IP header is not
4. |
Yes |
Bad IPv6 Addr |
IPv6 source IP = 0xff00::
|
Yes |
Bad IPV6 Hop Count |
Both the terminated (cnt=0) and forwarding packet
(cnt=1) counts are bad. |
Yes |
Bad IPV6 Version |
The IPv6 address version in the IP header is not
6. |
Yes |
Bad SCTP Checksum |
Bad SCTP packet checksum. |
No |
Bad Source |
The IPv4 source IP = 255.255.255.255 or
0xe0000000U. |
Yes |
Bad TCP Checksum |
The TCP checksum does not match. |
Yes |
Bad TCP Flags (All Cleared) |
Bad TCP flags (all cleared and SEQ#=0). |
Yes |
Bad TCP Flags (All Flags Set) |
Bad TCP flags (all flags set). |
Yes |
Bad UDP Checksum |
The UDP checksum is not correct. |
Yes |
Bad UDP Header (UDP Length > IP Length or L2
Length) |
UDP length is greater than IP length or Layer 2
length. |
Yes |
Ethernet Broadcast Packet |
Ethernet broadcast packet flood |
Yes |
Ethernet MAC Source Address == Destination
Address |
Ethernet MAC source address equals the destination
address. |
Yes |
Ethernet Multicast Packet |
Ethernet multicast packet flood |
Yes |
FIN Only Set |
Bad TCP flags (only FIN is set). |
Yes |
Header Length > L2 Length |
No room in Layer 2 packet for IP header (including
options) for IPv4 address |
Yes |
Header Length Too Short |
IPv4 header length is less than 20 bytes. |
Yes |
Host Unreachable |
Host unreachable error |
Yes |
ICMP Fragment |
ICMP fragment flood |
Yes |
ICMP Frame Too Large |
The ICMP frame exceeds the declared IP data length or
the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value
, where value is <=65515. |
Yes |
ICMPv4 Flood |
Flood with ICMPv4 packets |
Yes |
ICMPv6 Flood |
Flood with ICMPv6 packets |
Yes |
IGMP Flood |
Flood with IGMP packets (IPv4 packets with IP protocol
number 2) |
Yes |
IGMP Fragment Flood |
Fragmented packet flood with IGMP protocol |
Yes |
IP Error Checksum |
The header checksum is not correct. |
Yes |
IP Fragment Error |
Other IPv4 fragment error |
Yes |
IP Fragment Flood |
Fragmented packet flood with IPv4 |
Yes |
IP Fragment Overlap |
IPv4 overlapping fragment error |
No |
IP Fragment Too Small |
IPv4 short fragment error |
Yes |
IP Length > L2 Length |
The total length in the IPv4 address header or payload
length in the IPv6 address header is greater than the Layer 3 length in a Layer 2
packet. |
Yes |
IP Option Frames |
IPv4 address packets that are part of an IP option frame
flood. On the command line, option.db variable tm.acceptipsourceroute must be enabled to
receive IP options. |
Yes |
IP Option Illegal Length |
Option present with illegal length. |
No |
IP uncommon proto |
Sets thresholds for and tracks packets containing IP
protocols considered to be uncommon. By default, all IP protocols other than TCP,
UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. |
Yes |
IP Unknown protocol |
Unknown IP protocol |
No |
IPv4 mapped IPv6 |
The IPv6 stack is receiving IPv4 address
packets. |
Yes |
IPV6 Atomic Fragment |
IPv6 Frag header present with M=0 and FragOffset
=0. |
Yes |
IPv6 duplicate extension headers |
An extension header should occur only once in an IPv6
packet, except for the Destination Options extension header. |
Yes |
IPv6 Extended Header Frames |
IPv6 address contains extended header frames. |
Yes |
IPv6 extended headers wrong order |
Extension headers in the IPv6 header are in the wrong
order. |
Yes |
IPv6 extension header too large |
An extension header is too large. To tune this value, in
tmsh: modify sys db dos.maxipv6extsize value
, where value is 0-1024. |
Yes |
IPv6 Fragment Error |
Other IPv6 fragment error |
Yes |
IPv6 Fragment Flood |
Fragmented packet flood with IPv6 |
Yes |
IPv6 Fragment Overlap |
IPv6 overlapping fragment error |
No |
IPv6 Fragment Too Small |
IPv6 short fragment error |
Yes |
IPv6 hop count <= <tunable> |
The IPv6 extended header hop count is less than or equal
to <tunable>. To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value
, where value is 1-4. |
Yes |
IPv6 Length > L2 Length |
IPv6 address length is greater than the Layer 2
length. |
Yes |
L2 Length >> IP Length |
Layer 2 packet length is much greater than the payload
length in an IPv4 address header, and the Layer 2 length is greater than the minimum
packet size. |
Yes |
LAND Attack |
Source IP equals destination IP address |
Yes |
No L4 |
No Layer 4 payload for IPv4 address. |
Yes |
No L4 (Extended Headers Go To Or Past End of
Frame) |
Extended headers go to the end or past the end of the L4
frame. |
Yes |
No Listener Match |
This can occur if the listener is down as it attempts to
make a connection, or if it was not started or was configured improperly. It may
also be caused by a network connectivity problem. |
|
Non TCP Connection |
Sets a connection rate limit for non-TCP flows that
takes into account all other connections per second. |
|
Option Present With Illegal Length |
Packets contain an option with an illegal
length. |
Yes |
Payload Length < L2 Length |
Specified IPv6 payload length is less than the L2 packet
length. |
Yes |
Routing Header Type 0 |
Identifies flood packets containing type 0 routing
headers, which can be used to amplify traffic to initiate a DoS attack. |
Yes |
Single Endpoint Flood |
Flood to a single endpoint and can come from many
sources. You can configure packet types to check for, and packets per second for
both detection and rate limiting. |
No |
Single Endpoint Sweep |
Sweep on a single endpoint. You can configure packet
types to check for, and packets per second for both detection and rate
limiting. |
No |
SYN && FIN Set |
Bad TCP flags (SYN and FIN set). |
Yes |
TCP BADACK Flood |
TCP ACK packet flood |
No |
TCP Flags - Bad URG |
Packet contains a bad URG flag; this is likely
malicious. |
Yes |
TCP Half Open |
TCP connection whose state is out of synchronization
between the two communicating hosts |
Yes |
TCP Header Length > L2 Length |
The TCP header length exceeds the Layer 2
length. |
Yes |
TCP Header Length Too Short (Length < 5) |
The Data Offset value in the TCP header is less than
five 32-bit words. |
Yes |
TCP Option Overruns TCP Header |
The TCP option bits overrun the TCP header. |
Yes |
TCP PUSH Flood |
TCP PUSH flood |
Yes |
TCP RST Flood |
TCP RST flood |
Yes |
TCP SYN ACK Flood |
TCP SYN/ACK flood |
Yes |
TCP SYN Flood |
TCP SYN flood |
Yes |
TCP SYN Oversize |
Detects TCP data SYN packets larger than the maximum
specified by the dos.maxsynsize parameter. To tune this value in tmsh:
modify sys db dos.maxsynsize value. The default size in
bytes is 64 and the
maximum allowable value is 9216. |
Yes |
TCP Window Size |
The TCP window size in packets is above the maximum
size. To tune this value in tmsh: modify sys db dos.tcplowwindowsize
value where value is <=
128. |
Yes |
TIDCMP |
ICMP source quench attack |
Yes |
Too Many Extension Headers |
For an IPv6 address, there are too many extended headers
(the default is 4). To tune this value in tmsh: modify sys db dos.maxipv6exthdrs value
, where value is 0-15. |
Yes |
TTL <= <tunable> |
An IP packet with a destination that is not multicast
and that has a TTL greater than 0 and less than or equal to a tunable value, which
is 1 by default. To tune this value, in tmsh: modify sys db dos.iplowttl value
, where value is 1-4. |
Yes |
UDP Flood |
UDP flood attack |
Yes |
Unknown Option Type |
Unknown IP option type. |
No |
Unknown TCP Option Type |
Unknown TCP option type. |
Yes |