The stateful firewall recognizes the following events as anomalies and sends them to the IDS software for processing:
IP anomalies:
  IP version is not correct.
  IP header length field is too small.
  IP header length is set larger than the entire packet.
  Bad header checksum.
  IP total length field is shorter than header length.
  Packet has incorrect IP options.
  Internet Control Message Protocol (ICMP) packet length error.
  Time-to-live (TTL) equals 0.
IP address anomalies:
  IP packet source is a broadcast or multicast address.
  Land attack (source IP equals destination IP).
IP fragmentation anomalies:
  IP fragment overlap.
  Missing IP fragment.
  IP fragment length error.
  IP packet length is more than 64 kilobytes (KB).
  Tiny fragment attack.
TCP anomalies:
  TCP port 0.
  TCP sequence number 0 and flags 0.
  TCP sequence number 0 and FIN/PSH/RST flags set.
  TCP flags with wrong combination (TCP FIN/RST or SYN/(URG|FIN|RST)).
  Bad TCP checksum.
UDP anomalies:
  UDP source or destination port 0.
  UDP header length check failed.
  Bad UDP checksum.
Anomalies found through stateful TCP or UDP checks:
  SYN followed by SYN-ACK packets without ACK from initiator.
  SYN followed by RST packets.
  SYN without SYN-ACK.
  Non-SYN first flow packet.
  ICMP unreachable errors for SYN packets.
  ICMP unreachable errors for UDP packets.
  Packets dropped according to stateful firewall rules.
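The stateless IP and TCP checks in the list above, as an added example that is not part of the original documentation or the firewall's own code: a small checker that parses an IPv4/TCP packet and names the anomalies it finds (bad IP version, header length too small or larger than the packet, bad header checksum, total length shorter than the header, TTL 0, land attack, TCP port 0, sequence number 0 with no flags or with FIN/PSH/RST, and the FIN/RST or SYN with URG/FIN/RST flag combinations). `build_packet` only constructs sample input for the demonstration; the anomaly names are assumptions, not the product's own labels.

```python
import struct
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

def ip_checksum(header):
    """RFC 1071 one's-complement checksum; 0 when a header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(src, dst, ttl=64, sport=1234, dport=80, seq=1, flags=SYN):
    """Constructed IPv4+TCP packet (no payload) with a valid IP checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    return hdr + tcp

def ipv4_tcp_anomalies(pkt):
    """Names of the stateless IP/TCP anomalies found in one packet."""
    found = []
    if len(pkt) < 20 or (pkt[0] & 0x0F) * 4 < 20:
        return ["ip-header-length-too-small"]      # nothing else can be trusted
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4:
        found.append("ip-version")
    if ihl > len(pkt):
        return found + ["ip-header-length-exceeds-packet"]
    if ip_checksum(pkt[:ihl]) != 0:
        found.append("ip-bad-checksum")
    if struct.unpack("!H", pkt[2:4])[0] < ihl:     # total length field
        found.append("ip-total-length-shorter-than-header")
    if pkt[8] == 0:                                 # TTL byte
        found.append("ip-ttl-zero")
    if pkt[12:16] == pkt[16:20]:                    # source == destination
        found.append("land-attack")
    if pkt[9] == 6 and len(pkt) >= ihl + 20:        # protocol 6 = TCP
        sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
        flags = pkt[ihl + 13] & 0x3F
        if sport == 0 or dport == 0:
            found.append("tcp-port-zero")
        if seq == 0 and flags == 0:
            found.append("tcp-seq-zero-no-flags")
        if seq == 0 and flags & (FIN | PSH | RST):
            found.append("tcp-seq-zero-fin-psh-rst")
        if (flags & FIN and flags & RST) or (flags & SYN and flags & (URG | FIN | RST)):
            found.append("tcp-bad-flag-combination")
    return found
```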
If you employ stateful anomaly detection in conjunction with stateless detection, IDS can provide early warning for a wide range of attacks, including these:
  TCP or UDP network probes and port scanning
  SYN flood attacks
  IP fragmentation-based attacks such as teardrop, bonk, and boink