Attack events

Attack policies monitor for various types of attacks against the system. Your system can be attacked or used as the source of an attack. When IDS detects an attack, it writes an intrusion event to the audit record.

For example, an intruder might attempt to cause a system to crash or hang, tie up system resources and deny services, slip through a firewall, or gain back-door entry to a system. The intrusion detection system detects the following types of attack events:

Address poisoning

A hacking technique that redirects data to a different system (for snooping packets) or to nonexistent addresses. Address poisoning also is called Address Resolution Protocol (ARP) spoofing in IPv4 and Neighbor Discovery spoofing in IPv6. IDS is notified whenever the ARP cache or Neighbor Discovery cache changes.

Fraggle attack

A type of denial-of-service attack in which User Datagram Protocol (UDP) echo requests are sent to a broadcast or multicast address, with the source address spoofed as the victim's address. The target port of a fraggle attack is echo port 7. The attacker's purpose is to overload a system with a high volume of traffic, as each host on the network replies to each broadcast or multicast packet that the attacker sends. Spoofing the source address makes the receiver of the multiple responses the victim of the denial-of-service (DoS) attack. (A denial-of-service attack is an assault on a network that brings down one or more hosts on a network such that the host is unable to perform its functions properly.)

IDS is notified when a UDP echo request is received to determine if the destination address is an IP broadcast or multicast address. If the destination address is a broadcast or multicast address, IDS signals the attack.

ICMP redirect message

An out-of-band message that is designed to inform a host of a more optimal route through a network, but possibly used maliciously for attacks that redirect traffic to a specific system. In this type of an attack, the hacker, posing as a router, sends an Internet Control Message Protocol (ICMP) redirect message to a host, which indicates that all future traffic must be directed to a specific system as the more optimal route for the destination. You can set up IDS to notify you when these ICMP redirect messages occur or to ignore them.

IP fragment

An Internet Protocol (IP) datagram that contains only a portion of the user data from a larger IP datagram. In an attack, the IP fragment might be less than 576 bytes in length, or have an offset of less than 256 bytes. When the IP fragments are too small, the intent might be a malicious attempt to slip through a firewall, but it could just be a normal case of packet retransmission. IDS detects IP fragments that are suspicious.

Malformed packet

A packet that does not conform to TCP/IP standards for size, destination, or flags in the TCP header. The intent might be to crash or to hang a system. IDS also checks for restricted IP protocols and options in a malformed packet attack. The TCP/IP stack notifies IDS of these malformed packets and usually discards them.

Outbound raw attack

An outbound packet that uses a nonstandard protocol. Outbound packets are a type of extrusion. Outbound restricted IP protocols are covered under outbound raw attacks. Standard protocols include TCP, UDP, ICMP, ICMPv6, Internet Group Management Protocol (IGMP), or Open Shortest Path First (OSPF).

Perpetual echo

A denial-of-service attack on the UDP echo port 7. If the source port and target port are set to port 7, the request is echoed back and forth. An attacker sends a UDP echo request to an IP broadcast or multicast address and provides a spoofed source address for all the targets to echo back responses. The spoofed source address, which is not the hacker's address, becomes the victim of a potentially large amount of network traffic. A perpetual echo can be an intrusion or extrusion.


An attack that involves sending a ping packet that is larger than the maximum IP packet size of 65 536 bytes, which can overload a system.

Restricted IP option

An IP option, such as Loose Source and Record Route (LSRR), that is used to map a network's topology and discover private IP addresses. A hacker might try to use restricted IP options to get through firewalls. You can use the IDS policy to restrict which IP options an inbound or outbound packet can contain. A restricted IP option can be an intrusion or extrusion.

Restricted IP protocol

An unrecognized protocol that can be used to establish an attack on a network. An IP protocol other than ICMPv6, ICMP, IGMP, TCP, or UDP is an unrecognized protocol. A hacker might program directly to a raw socket without going through the TCP/IP programming interface. IDS is notified of the potential intrusion by classifying it as a restricted protocol attack. If there is no corresponding IDS policy for restricted protocols, the notification goes unrecorded. Non-mainstream outbound protocols are covered under outbound raw attacks.

Open Shortest Path First (OSPF) is an interior gateway protocol that is used to send information to routers regarding the shortest path to each node in a network. Unlike the other well-known protocols that IDS is not notified about, IDS is notified about inbound packets that contain the OSPF protocol with a restricted protocol attack. If networks in the system are using OSPF, consider excluding OSPF from the range of protocols to restrict. OSPF might display in the audit journal rather frequently if it is included in the restricted protocol range in the policy. If you receive an intrusion notification about the OSPF protocol, review the information to determine whether the system is using OSPF for legitimate purposes.


A denial-of-service attack in which a spoofed source address is flooded with echo replies. The replies are caused when many ping (ICMP echo) requests using the spoofed source address are sent to one or more broadcast or multicast addresses.

SYN floods

A type of denial-of-service attack in which an attacker sends a large number of TCP connection requests to a target computer, without answering the target computer's acknowledgment requests. The target computer becomes overloaded and denies service to legitimate users.

TCP ACK storm

A denial-of-service attack on a server where a hacker or cracker secretly inserts data into a client/server session in an attempt to disrupt the session. If the hacker uses the correct sequence number on the inserted data, the server sends the client an ACK packet containing a sequence number that it is not expecting. The real client then tries to resynchronize with the server by sending an ACK packet with the sequence number that it is expecting. This ACK packet contains a sequence number that the server is not expecting. The server then sends the last ACK packet that it sent, and so on. The resulting acknowledgements (ACKs) bounce back and forth and a TCP ACK storm ensues after the hacker has hijacked multiple client/server sessions.