Appendix
========

DNS Security vectors
--------------------

The system tracks and rate limits all UDP DNS packets (excluding those whitelisted). TCP DNS packets are also tracked, but only for the DNS requests that reach a virtual server that has a DNS profile associated with it.

**NOTE: This information applies to 13.1.0.1.**

For vectors where VLAN is tunable, you can tune this value in tmsh: modify sys db dos.dnsvlan value, where value is 0-4094.

+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| **DoS category**  | **Attack name**                    | **DoS vector name**   | **Information**                                                              | **Hardware accelerated** |
+===================+====================================+=======================+==============================================================================+==========================+
| DNS               | DNS A Query                        | dns-a-query           | DNS Query, DNS Qtype is A\_QRY, VLAN is tunable in tmsh using dos.dnsvlan.   | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS AAAA Query                     | dns-aaaa-query        | DNS Query, DNS Qtype is AAAA, VLAN is tunable in tmsh using dos.dnsvlan.     | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS Any Query                      | dns-any-query         | DNS Query, DNS Qtype is ANY\_QRY, VLAN is tunable in tmsh using dos.dnsvlan. | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS AXFR Query                     | dns-axfr-query        | DNS Query, DNS Qtype is AXFR, VLAN is tunable in tmsh using dos.dnsvlan.     | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS CNAME Query                    | dns-cname-query       | DNS Query, DNS Qtype is CNAME, VLAN is tunable in tmsh using dos.dnsvlan.    | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS IXFR Query                     | dns-ixfr-query        | DNS Query, DNS Qtype is IXFR, VLAN is tunable in tmsh using dos.dnsvlan.     | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS Malformed                      | dns-malformed         | Malformed DNS packet                                                         | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS MX Query                       | dns-mx-query          | DNS Query, DNS Qtype is MX, VLAN is tunable in tmsh using dos.dnsvlan.       | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS NS Query                       | dns-ns-query          | DNS Query, DNS Qtype is NS, VLAN is tunable in tmsh using dos.dnsvlan.       | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS OTHER Query                    | dns-other-query       | DNS Query, DNS Qtype is OTHER, VLAN is tunable in tmsh using dos.dnsvlan.    | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS PTR Query                      | dns-ptr-query         | DNS Query, DNS Qtype is PTR, VLAN is tunable in tmsh using dos.dnsvlan.      | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS Question Items != 1            | dns-qdcount-limit     | DNS Query, DNS Qtype is ANY\_QRY, the DNS query has more than one question.  | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS Response Flood                 | dns-response-flood    | UDP DNS Port=53, packet and DNS header flags bit 15 is 1 (response),         | Yes                      |
|                   |                                    |                       | VLAN is tunable in tmsh using dos.dnsvlan.                                   |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS SOA Query                      | dns-soa-query         | DNS Query, DNS Qtype is SOA\_QRY, VLAN is tunable in tmsh using dos.dnsvlan. | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS SRV Query                      | dns-srv-query         | DNS Query, DNS Qtype is SRV, VLAN is tunable in tmsh using dos.dnsvlan.      | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| DNS               | DNS TXT Query                      | dns-txt-query         | DNS Query, DNS Qtype is TXT, VLAN is tunable in tmsh using dos.dnsvlan.      | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+

Network Security Vectors
------------------------

+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| **DoS category**  | **Attack name**                    | **DoS vector name**   | **Information**                                                              | **Hardware accelerated** |
+===================+====================================+=======================+==============================================================================+==========================+
| Flood             | Ethernet Broadcast Packet          | ether-brdcst-pkt      | Ethernet broadcast packet flood                                              | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | Ethernet Multicast Packet          | ether-multicst-pkt    | Ethernet destination is not broadcast, but is multicast                      | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | ARP Flood                          | arp-flood             | ARP packet flood                                                             | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | IP Fragment Flood                  | ip-frag-flood         | Fragmented packet flood with IPv4                                            | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | IGMP Flood                         | igmp-flood            | Flood with IGMP packets (IPv4 packets with IP protocol number 2)             | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | Routing Header Type 0              | routing-header-type-0 | Routing header type zero is present in flood packets                         | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | IPv6 Fragment Flood                | ipv6-frag-flood       | Fragmented packet flood with IPv6                                            | No                       |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | IGMP Fragment Flood                | igmp-frag-flood       | Fragmented packet flood with IGMP protocol                                   | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | TCP SYN Flood                      | tcp-syn-flood         | TCP SYN flood                                                                | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | TCP SYN ACK Flood                  | tcp-synack-flood      | TCP SYN/ACK flood                                                            | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | TCP RST Flood                      | tcp-rst-flood         | TCP RST flood                                                                | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | TCP Window Size                    | tcp-window-size       | The TCP window size in packets is above the maximum. To tune this value, in  | Yes                      |
|                   |                                    |                       | tmsh: modify sys db dos.tcplowwindowsize value, where value is <=128.        |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | ICMPv4 Flood                       | icmpv4-flood          | Flood with ICMP v4 packets                                                   | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | ICMPv6 Flood                       | icmpv6-flood          | Flood with ICMP v6 packets                                                   | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | UDP Flood                          | udp-flood             | UDP flood attack                                                             | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | TCP SYN Oversize                   | tcp-syn-oversize      | Detects TCP data SYN packets larger than the maximum specified by the        | Yes                      |
|                   |                                    |                       | dos.maxsynsize parameter. To tune this value, in tmsh:                       |                          |
|                   |                                    |                       | modify sys db dos.maxsynsize value. The default size is 64 and the maximum   |                          |
|                   |                                    |                       | allowable value is 9216.                                                     |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | TCP Push Flood                     | tcp-push-flood        | TCP push packet flood                                                        | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Flood             | TCP BADACK Flood                   | tcp-ack-flood         | TCP ACK packet flood                                                         | No                       |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - L2   | Ethernet MAC Source Address ==     | ether-mac-sa-eq-da    | Ethernet MAC source address equals the destination address                   | Yes                      |
|                   | Destination Address                |                       |                                                                              |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | Bad IP Version                     | bad-ver               | The IPv4 address version in the IP header is not 4                           | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | Header Length Too Short            | hdr-len-too-short     | IPv4 header length is less than 20 bytes                                     | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | Header Length > L2 Length          | hdr-len-gt-l2-len     | No room in layer 2 packet for IP header (including options) for IPv4 address | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | L2 Length >> IP Length             | l2-len-ggt-ip-len     | Layer 2 packet length is much greater than the payload length in an IPv4     | Yes                      |
|                   |                                    |                       | address header and the layer 2 length is greater than the minimum packet     |                          |
|                   |                                    |                       | size                                                                         |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | No L4                              | no-l4                 | No layer 4 payload for IPv4 address                                          | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | Bad IP TTL Value                   | bad-ttl-val           | Time-to-live equals zero for an IPv4 address                                 | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | TTL <=                             | ttl-leq-one           | An IP packet with a destination that is not multicast and that has a TTL     | Yes                      |
|                   |                                    |                       | greater than 0 and less than or equal to a tunable value, which is 1 by      |                          |
|                   |                                    |                       | default. To tune this value, in tmsh: modify sys db dos.iplowttli value,     |                          |
|                   |                                    |                       | where value is 1-4.                                                          |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | IP Error Checksum                  | ip-err-chksum         | The header checksum is not correct                                           | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | IP Option Frames                   | ip-opt-frames         | IPv4 address packet with option. The db variable tm.acceptipsourceroute must | Yes                      |
|                   |                                    |                       | be enabled to receive IP options.                                            |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | Bad Source                         | ip-bad-src            | The IPv4 source IP = 255.255.255.255 or 0xe0000000U                          | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | IP Option Illegal Length           | bad-ip-opt            | Option present with illegal length                                           | No                       |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv4 | Unknown Option Type                | unk-ipopt-type        | Unknown IP option type                                                       | No                       |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IGMP | Bad IGMP Frame                     | bad-igmp-frame        | IPv4 IGMP packets should have a header >= 8 bytes. Bits 7:0 should be either | Yes                      |
|                   |                                    |                       | 0x11, 0x12, 0x16, 0x22 or 0x17, or else the header is bad. Bits 15:8 should  |                          |
|                   |                                    |                       | be non-zero only if bits 7:0 are 0x11, or else the header is bad.            |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Fragmentation     | IP Fragment Too Small              | ip-short-frag         | IPv4 short fragment error                                                    | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Fragmentation     | IPv6 Fragment Too Small            | ipv6-short-frag       | IPv6 short fragment error                                                    | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Fragmentation     | IPV6 Atomic Fragment               | ipv6-atomic-frag      | IPv6 Frag header present with M=0 and FragOffset=0                           | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Fragmentation     | ICMP Fragment                      | icmp-frag             | ICMP fragment flood                                                          | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Fragmentation     | IP Fragment Error                  | ip-other-frag         | Other IPv4 fragment error                                                    | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Fragmentation     | IPV6 Fragment Error                | ipv6-other-frag       | Other IPv6 fragment error                                                    | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Fragmentation     | IP Fragment Overlap                | ip-overlap-frag       | IPv4 overlapping fragment error                                              | No                       |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Fragmentation     | IPv6 Fragment Overlap              | ipv6-overlap-frag     | IPv6 overlapping fragment error                                              | No                       |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | Bad IPV6 Version                   | bad-ipv6-ver          | The IPv6 address version in the IP header is not 6                           | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | IPV6 Length > L2 Length            | ipv6-len-gt-l2-len    | IPv6 address length is greater than the layer 2 length                       | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | Payload Length < L2 Length         | payload-len-ls-l2-len | Specified IPv6 payload length is less than the L2 packet length              | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | Too Many Extension Headers         | too-many-ext-hdrs     | For an IPv6 address, there are more than a tunable number of extended        | Yes                      |
|                   |                                    |                       | headers (the default is 4). To tune this value, in tmsh:                     |                          |
|                   |                                    |                       | modify sys db dos.maxipv6exthdrs value, where value is 0-15.                 |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | IPv6 duplicate extension headers   | dup-ext-hdr           | An extension header should occur only once in an IPv6 packet, except for the | Yes                      |
|                   |                                    |                       | Destination Options extension header                                         |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | IPv6 extension header too large    | ext-hdr-too-large     | An extension header is too large. To tune this value, in tmsh:               | Yes                      |
|                   |                                    |                       | modify sys db dos.maxipv6extsize value, where value is 0-1024.               |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | No L4 (Extended Headers Go To Or   | l4-ext-hdrs-go-end    | Extended headers go to the end or past the end of the L4 frame               | Yes                      |
|                   | Past End of Frame)                 |                       |                                                                              |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | Bad IPV6 Hop Count                 | bad-ipv6-hop-cnt      | Both the terminated (cnt=0) and forwarding packet (cnt=1) counts are bad     | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | IPv6 hop count <=                  | hop-cnt-leq-one       | The IPv6 extended header hop count is less than or equal to a tunable value. | Yes                      |
|                   |                                    |                       | To tune this value, in tmsh: modify sys db dos.ipv6lowhopcnt value, where    |                          |
|                   |                                    |                       | value is 1-4.                                                                |                          |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | IPv6 Extended Header Frames        | ipv6-ext-hdr-frames   | IPv6 address contains extended header frames                                 | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | IPv6 extended headers wrong order  | bad-ext-hdr-order     | Extension headers in the IPv6 header are in the wrong order                  | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | Bad IPv6 Addr                      | ipv6-bad-src          | IPv6 source IP = 0xff00\:\:                                                  | Yes                      |
+-------------------+------------------------------------+-----------------------+------------------------------------------------------------------------------+--------------------------+
| Bad Header - IPv6 | IPv4 Mapped IPv6                   | ipv4-mapped-ipv6      | IPv4 address is in the lowest 32
bits of an IPv6 address. | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | TCP Header Length Too Short (Length < 5) | tcp-hdr-len-too-short | The Data Offset value in the TCP header is less than five 32-bit words | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | TCP Header Length > L2 Length | tcp-hdr-len-gt-l2-len | | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | Unknown TCP Option Type | unk-tcp-opt-type | Unknown TCP option type | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | Option Present With Illegal Length | 
opt-present-with-illegal-len | Option present with illegal length | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | TCP Option Overruns TCP Header | tcp-opt-overruns-tcp-hdr | The TCP option bits overrun the TCP header | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | Bad TCP Checksum | bad-tcp-chksum | The TCP checksum does not match | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | Bad TCP Flags (All Flags Set) | bad-tcp-flags-all-set | Bad TCP flags (all flags set) | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | Bad TCP Flags (All 
Cleared) | bad-tcp-flags-all-clr | Bad TCP flags (all cleared and SEQ#=0) | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | SYN && FIN Set | syn-and-fin-set | Bad TCP flags (SYN and FIN set) | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | FIN Only Set | fin-only-set | Bad TCP flags (only FIN is set) | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - TCP | TCP Flags - Bad URG | tcp-bad-urg | Packet contains a bad URG flag, this is likely malicious | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - ICMP | Bad ICMP Checksum | bad-icmp-chksum | An ICMP 
frame checksum is bad. Reuse the TCP or UDP checksum bits in the packet | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - ICMP | Bad ICMP Frame | bad-icmp-frame | The ICMP frame is either the wrong size, or not of one of the valid IPv4 or IPv6 types. Valid IPv4 types: | Yes | | | | | | | | | | | - 0 Echo Reply | | | | | | | | | | | | - 3 Destination Unreachable | | | | | | | | | | | | - 4 Source Quench | | | | | | | | | | | | - 5 Redirect | | | | | | | | | | | | - 8 Echo | | | | | | | | | | | | - 11 Time Exceeded | | | | | | | | | | | | - 12 Parameter Problem | | | | | | | | | | | | - 13 Timestamp | | | | | | | | | | | | - 14 Timestamp Reply | | | | | | | | | | | | - 15 Information Request | | | | | | | | | | | | - 16 Information Reply | | | | | | | | | | | | - 17 Address Mask Request | | | | | | | | | | | | - 18 Address Mask Reply | | | | | | | | | | | | Valid IPv6 types: | | | | | | | | | | | | - 1 Destination Unreachable | | | | | | | | | | | | - 2 Packet Too Big | | | | | | | | | | | | - 3 Time Exceeded | | | | | | | | | | | | - 4 Parameter Problem | | | | | | | | | | | | - 128 Echo Request | | | | | | | | | | | | - 129 Echo Reply | | | | | | | | | | | | - 130 Membership Query | | | | | | | | | | | | - 131 Membership Report | | | | | | | | | | | | - 132 Membership Reduction | | 
+---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - ICMP | ICMP Frame Too Large | icmp-frame-too-large | The ICMP frame exceeds the declared IP data length or the maximum datagram length. To tune this value, in tmsh: modify sys db dos.maxicmpframesize value, where value is <=65515. | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - UDP | Bad UDP Header (UDP Length > IP Length or L2 Length) | bad-udp-hdr | UDP length is greater than IP length or layer 2 length | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - UDP | Bad UDP Checksum | bad-udp-chksum | The UDP checksum is not correct | Yes | 
+---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Other | Host Unreachable | host-unreachable | Host unreachable error | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Other | TIDCMP | tidcmp | ICMP source quench attack | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Other | LAND Attack | land-attack | Source IP equals destination IP address | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Other | IP Unknown protocol | ip-unk-prot | Unknown IP protocol | No | 
+---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Other | TCP Half Open | tcp-half-open | The number of new or untrusted TCP connections that can be established. Overrides the Global SYN Check threshold in Configuration > Local Traffic > General. | No | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Other | IP uncommon proto | ip-uncommon-proto | Sets thresholds for and tracks packets containing IP protocols considered to be uncommon. By default, all IP protocols other than TCP, UDP, ICMP, IPV6-ICMP, and SCTP are on the IP uncommon protocol list. | Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header - DNS | DNS Oversize | dns-oversize | Detects oversized DNS headers. To tune this value, in tmsh: modify sys db dos.maxdnssize value, where value is 256-8192. 
| Yes | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Single Endpoint | Single Endpoint Sweep | sweep | Sweep on a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. | No | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Single Endpoint | Single Endpoint Flood | flood | Flood to a single endpoint. You can configure packet types to check for, and packets per second for both detection and rate limiting. 
| No | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+ | Bad Header-SCTP | Bad SCTP Checksum | bad-sctp-checksum | Bad SCTP packet checksum | No | +---------------------+--------------------------------------------------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------+