Bad Src – Dst

| Event | Description |
| --- | --- |
| Invalid Src-Dst Flows | Invalid Src or Dst IP regardless of the enterprise perimeter, for example Loopback IPs or IANA Local IPs in either the Src or Dst IP |
| Non Unicast Source Flows | Src IP is Multicast, Broadcast or Network IP, i.e., not Unicast |
| Excess Multicast Flows | Multicast traffic exceeds threshold for any given Src IP |
| Excess Broadcast Flows | Broadcast traffic exceeds threshold for any given Src IP |
| Excess Networkcast Flows | Network IP destined traffic exceeds threshold for any given Src IP |
Suspect Flows

| Event | Description |
| --- | --- |
| Malformed IP Packets | Flows with BytePerPacket less than or equal to the minimum 20 octets (bytes) |
| Invalid ToS Flows | Flows with invalid ToS values |
| Malformed TCP Packets | TCP Flows with BytePerPacket less than the minimum 40 octets (bytes) |
| Excess Empty TCP Packets | TCP Flows without any payload, i.e., BytePerPacket exactly 40 octets (bytes), with TCP Flags value IN (25-27, 29-31). All other TCP Flags values are covered by the other TCP-based events below |
| Excess Short TCP Handshake Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (19/ASF, 22/ARS, 23/ARSF), denoting opened and closed TCP sessions, exceeds threshold |
| TCP Null Violations | TCP Flows with TCP Flags value equals 0/Null |
| TCP Syn Violations | TCP Flows with TCP Flags value equals 2/Syn |
| TCP Syn_Fin Violations | TCP Flows with TCP Flags value IN (3/SF, 7/RSF), denoting TCP Syn_Fin or Syn_Rst_Fin Flows without Urg/Ack/Psh Flags |
| Excess Short TCP Syn_Ack Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equals 18/SA exceeds threshold |
| Excess Short TCP Syn_Rst Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equals 6/RS, denoting TCP Syn_Rst Flows without Urg/Ack/Psh Flags, exceeds threshold |
| TCP Rst Violations | TCP Flows with TCP Flags value equals 4/R |
| Excess Short TCP Rst_Ack Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (20/AR, 21/ARF), denoting TCP Rst_Ack Flows, exceeds threshold |
| TCP Fin Violations | TCP Flows with TCP Flags value IN (1/F, 5/RF) |
| Excess Short TCP Fin_Ack Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equals 17/FA exceeds threshold |
| Excess Short TCP Psh_Ack_No-Syn_Fin Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (24/PA, 28/APR), denoting TCP Psh_Ack without Syn/Fin, exceeds threshold |
| Excess Short TCP Psh_No-Ack Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value IN (8/P, 42/UPS, 43/UPSF, 44/UPR, 45/UPRF, 46/UPRS, 47/UPRSF), denoting TCP Psh without Ack, exceeds threshold |
| Excess Short TCP Ack Packets | TCP Flows with nominal payload, i.e., BytePerPacket between 40 and 44 octets (bytes), and TCP Flags value equals 16/A, denoting TCP Ack, exceeds threshold |
| TCP Xmas Violations | TCP Flows with TCP Flags value equals 41/UPF |
| TCP Urg Violations | TCP Flows with TCP Flags value IN (32-40, 42-63), denoting all combinations of the Urg Flag except the Xmas combination |
| Malformed ICMP Packets | ICMP Flows with BytePerPacket less than the minimum 28 octets (bytes) |
| Excess ICMP Requests | ICMP Request Flows with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) exceeds threshold |
| Excess ICMP Responses | ICMP Response Flows with Dst Port value IN (0/Echo Reply, 3584/Timestamp Reply, 4096/Information Reply, 4608/Address Mask Reply) exceeds threshold |
| ICMP Network Unreachables | ICMP Network Unreachable Flows with Dst Port value IN (768/Network Unreachable, 774/Network Unknown, 777/Network Administratively Prohibited, 779/Network Unreachable for ToS) |
| ICMP Host Unreachables | ICMP Host Unreachable Flows with Dst Port value IN (769/Host Unreachable, 773/Source Route Failed, 775/Host Unknown, 776/Source Host Isolated (obsolete), 778/Host Administratively Prohibited, 780/Host Unreachable for ToS, 781/Communication Administratively Prohibited by Filtering) |
| ICMP Port Unreachables | ICMP Port Unreachable Flows with Dst Port value equals 771/Port Unreachable |
| ICMP Unreachables for ToS | ICMP ToS Unreachable Flows with Dst Port value IN (779/Network Unreachable for ToS, 780/Host Unreachable for ToS) |
| ICMP Redirects | ICMP Redirect Flows with Dst Port value IN (1280/Redirect for Network, 1281/Redirect for Host, 1282/Redirect for ToS and Network, 1283/Redirect for ToS and Host) |
| ICMP Time Exceeded Flows | ICMP Time Exceeded Flows with Dst Port value IN (2816/Time-to-Live equals 0 During Transit, 2817/Time-to-Live equals 0 During Reassembly). Indicates a traceroute attempt or a datagram fragment reassembly failure |
| ICMP Parameter Problem Flows | ICMP Parameter Problem Flows with Dst Port value IN (3072/IP Header Bad, 3073/Required Option Missing, 3074/Bad Length). Generally indicates a local or remote implementation error, i.e., invalid datagrams |
| ICMP Trace Route Flows | ICMP Traceroute Flows with Dst Port value equals 7680/Trace Route. Indicates a traceroute attempt |
| ICMP Datagram Conversion Error Flows | ICMP Datagram Conversion Error Flows with Dst Port value equals 7936/Datagram Conversion Error, i.e., for valid datagrams |
| Malformed UDP Packets | UDP Flows with BytePerPacket less than the minimum 28 octets (bytes) |
| Excess Empty UDP Packets | UDP Flows without any payload, i.e., BytePerPacket exactly 28 octets (bytes) |
| Excess Short UDP Packets | UDP Flows with nominal payload, i.e., BytePerPacket between 29 and 32 octets (bytes), exceeds threshold |
| Excess UDP Echo Requests | UDP Echo Requests to Dst Port 7 (Echo) exceed threshold |
| Excess UDP Echo Responses | UDP Echo Responses from Src Port 7 (Echo) exceed threshold |
DoS

| Event | Description |
| --- | --- |
| Land Attack Flows | Flows with the same Src IP and Dst IP. Causes the target machine to reply to itself continuously |
| ICMP Request Broadcasts | ICMP Request Flows with Dst Port value IN (2048/Echo Request, 3328/Timestamp Request, 3840/Information Request, 4352/Address Mask Request) sent to a Broadcast/Multicast IP. Indicates a possible amplification attack on the Src IP |
| ICMP Protocol Unreachables | ICMP Protocol Unreachable Flows with Dst Port value equals 770/Protocol Unreachable. Can be used to perform a denial of service on active TCP sessions, causing the TCP connection to be dropped |
| ICMP Source Quench Flows | ICMP Source Quench Flows with Dst Port value equals 1024/Source Quench. Outdated, but can be used to attempt a denial of service by limiting the bandwidth of a router or host |
| Snork Attack Flows | UDP Flows with Src Port IN (7, 19, 135) and Dst Port 135. Indicates a denial of service attack against the Windows NT RPC Service |
| UDP Echo Request Broadcasts | UDP Echo Requests to Dst Port 7 (Echo) sent to a Broadcast/Multicast IP. Indicates a possible amplification attack on the Src IP |
| UDP Echo-Chargen Broadcasts | UDP Flows from Src Port 7/Echo to Dst Port 19/Chargen, sent to a Broadcast/Multicast IP. Indicates a possible amplification attack on the Src IP |
| UDP Chargen-Echo Broadcasts | UDP Flows from Src Port 19/Chargen to Dst Port 7/Echo, sent to a Broadcast/Multicast IP. Indicates a possible amplification attack on the Src IP |
| Excess UDP Echo-Chargen Flows | UDP Flows from Src Port 7/Echo to Dst Port 19/Chargen, sent to any unicast IP, exceed threshold. Indicates a possible amplification attack on the Src IP |
| Excess UDP Chargen-Echo Flows | UDP Flows from Src Port 19/Chargen to Dst Port 7/Echo, sent to any unicast IP, exceed threshold. Indicates a possible amplification attack on the Src IP |
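An added example, not part of the original table or its product, that applies several of the single-flow rules above to constructed NetFlow records: it decodes the numeric TCP Flags values into the table's letter notation, unpacks the ICMP "Dst Port" values as type*256 + code (the NetFlow export convention behind numbers such as 771 and 2048), checks the BytePerPacket minima, and matches the Land and Snork patterns. The record field names and the RFC 5737 sample addresses are assumptions; threshold-based events need aggregation across flows and are left out.

```python
# Added example, not from the original page: classify NetFlow records against the
# single-flow rules above. Field names and sample records are constructed.
from dataclasses import dataclass
ICMP, TCP, UDP = 1, 6, 17
MIN_BPP = {TCP: ("TCP", 40), ICMP: ("ICMP", 28), UDP: ("UDP", 28)}  # IP + L4 headers
ICMP_EVENTS = {(3, 3): "ICMP Port Unreachables", (3, 2): "ICMP Protocol Unreachables",
               (4, 0): "ICMP Source Quench Flows", (11, 0): "ICMP Time Exceeded Flows"}

@dataclass
class Flow:
    proto: int; src: str; dst: str; bytes: int; packets: int
    flags: int = 0; sport: int = 0; dport: int = 0

def flag_letters(value):
    # Table notation lists the highest bit first: 41 -> "UPF", 23 -> "ARSF".
    bits = (("U", 32), ("A", 16), ("P", 8), ("R", 4), ("S", 2), ("F", 1))
    return "".join(letter for letter, bit in bits if value & bit)
def icmp_type_code(dport):
    # NetFlow exports ICMP type/code in the Dst Port field as type*256 + code: 771 -> (3, 3).
    return dport >> 8, dport & 0xFF
def classify(flow):
    """Event names a single flow matches (threshold-based rules need aggregation)."""
    events, bpp = [], flow.bytes / flow.packets
    if flow.src == flow.dst:
        events.append("Land Attack Flows")
    if bpp <= 20:
        events.append("Malformed IP Packets")
    elif flow.proto in MIN_BPP and bpp < MIN_BPP[flow.proto][1]:
        events.append(f"Malformed {MIN_BPP[flow.proto][0]} Packets")
    if flow.proto == TCP:
        f = flow.flags
        if f == 0:         events.append("TCP Null Violations")
        elif f == 2:       events.append("TCP Syn Violations")
        elif f in (3, 7):  events.append("TCP Syn_Fin Violations")
        elif f == 4:       events.append("TCP Rst Violations")
        elif f in (1, 5):  events.append("TCP Fin Violations")
        elif f == 41:      events.append("TCP Xmas Violations")
        elif f & 32:       events.append("TCP Urg Violations")  # 32-40, 42-63
    elif flow.proto == ICMP and icmp_type_code(flow.dport) in ICMP_EVENTS:
        events.append(ICMP_EVENTS[icmp_type_code(flow.dport)])
    elif flow.proto == UDP and flow.sport in (7, 19, 135) and flow.dport == 135:
        events.append("Snork Attack Flows")
    return events

if __name__ == "__main__":  # constructed records; RFC 5737 documentation addresses
    for fl in (Flow(TCP, "192.0.2.10", "198.51.100.5", 2460, 60, flags=41),
               Flow(TCP, "192.0.2.10", "198.51.100.5", 1900, 50, flags=2),
               Flow(ICMP, "198.51.100.5", "192.0.2.10", 56, 1, dport=771),
               Flow(UDP, "203.0.113.7", "203.0.113.7", 1400, 25, sport=19, dport=135)):
        print(fl.proto, flag_letters(fl.flags) or "-", classify(fl))
```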