Stateful Firewall Anomaly Checking

The stateful firewall recognizes the following events as anomalies and sends them to the IDS software for processing:

• IP anomalies:

• IP version is not correct.
• IP header length field is too small.
• IP header length is set larger than the entire packet.
• Bad header checksum.
• IP total length field is shorter than header length.
• Packet has incorrect IP options.
• Internet Control Message Protocol (ICMP) packet length error.
• Time-to-live (TTL) equals 0.

• IP address anomalies:

• IP packet source is a broadcast or multicast.
• Land attack (source IP equals destination IP).

• IP fragmentation anomalies:

• IP fragment overlap.
• IP fragment missed.
• IP fragment length error.
• IP packet length is more than 64 kilobytes (KB).
• Tiny fragment attack.

• TCP anomalies:

• TCP port 0.
• TCP sequence number 0 and flags 0.
• TCP sequence number 0 and FIN/PSH/RST flags set.
• TCP flags with wrong combination (TCP FIN/RST or SYN/(URG|FIN|RST).
• Bad TCP checksum.

• UDP anomalies:

• UDP source or destination port 0.
• UDP header length check failed.
• Bad UDP checksum.

• Anomalies found through stateful TCP or UDP checks:

• SYN followed by SYN-ACK packets without ACK from initiator.
• SYN followed by RST packets.
• SYN without SYN-ACK.
• Non-SYN first flow packet.
• ICMP unreachable errors for SYN packets.
• ICMP unreachable errors for UDP packets.

• Packets dropped according to stateful firewall rules.

If you employ stateful anomaly detection in conjunction with stateless detection, IDS can provide early warning for a wide range of attacks, including these:

• TCP or UDP network probes and port scanning
• SYN flood attacks
• IP fragmentation-based attacks such as teardrop, bonk, and boink