Stateful Firewall Anomaly Checking

The stateful firewall recognizes the following events as anomalies and sends them to the IDS software for processing:

• IP anomalies:
  • IP version is not correct.
  • IP header length field is too small.
  • IP header length is set larger than the entire packet.
  • Bad header checksum.
  • IP total length field is shorter than header length.
  • Packet has incorrect IP options.
  • Internet Control Message Protocol (ICMP) packet length error.
  • Time-to-live (TTL) equals 0.
• IP address anomalies:
  • IP packet source is a broadcast or multicast.
  • Land attack (source IP equals destination IP).
• IP fragmentation anomalies:
  • IP fragment overlap.
  • IP fragment missed.
  • IP fragment length error.
  • IP packet length is more than 64 kilobytes (KB).
  • Tiny fragment attack.
• TCP anomalies:
  • TCP port 0.
  • TCP sequence number 0 and flags 0.
  • TCP sequence number 0 and FIN/PSH/RST flags set.
  • TCP flags with wrong combination (TCP FIN/RST or SYN/(URG|FIN|RST).
  • Bad TCP checksum.
• UDP anomalies:
  • UDP source or destination port 0.
  • UDP header length check failed.
  • Bad UDP checksum.
• Anomalies found through stateful TCP or UDP checks:
  • SYN followed by SYN-ACK packets without ACK from initiator.
  • SYN followed by RST packets.
  • SYN without SYN-ACK.
  • Non-SYN first flow packet.
  • ICMP unreachable errors for SYN packets.
  • ICMP unreachable errors for UDP packets.
• Packets dropped according to stateful firewall rules.

If you employ stateful anomaly detection in conjunction with stateless detection, IDS can provide early warning for a wide range of attacks, including these:

• TCP or UDP network probes and port scanning
• SYN flood attacks
• IP fragmentation-based attacks such as teardrop, bonk, and boink