EZZ8655I TRMD ATTACK Interface flood end:date time,ifcname=ifcname,dipaddr=dipaddr,correlator=correlator,duration=duration,discardcnt=discardcnt,discardp=discardp,mfproto=mfproto,mfprotop=mfprotop,mfcat=mfcat,mfcatp=mfcatp,mfsrcmac=mfsrcmac,mfsrcmacp=mfsrcmacp,smmfproto=smmfproto,smmfprotop=smmfprotop,smmfcat=smmfcat,smmfcatp=smmfcatp,lastsip=lastsip,sipcnt=sipcnt,probeid=probeid,sensorhostname=sensorhostname

Explanation
The interface flood for the specified interface has ended. The data covers the period from the start of the flood and only includes packets received on the specified interface.

In the message text:
- date
- The date when the interface flood ended.
- time
- The time when the interface flood ended.
- ifcname
- The name of the interface experiencing the interface flood condition.
- dipaddr
- An IP address assigned to the interface at the start of the interface
flood.
- correlator
- The Intrusion Detection Services (IDS) trace correlator.
- duration
- The number of seconds since the start of the interface flood was
detected.
- discardcnt
- The number of packets received on the interface that were discarded
or not processed since the interface flood was detected.
- discardp
- The percentage of the total packets received on the interface
that were discarded since the interface flood was detected.
- mfproto
- The protocol seen most frequently in the IP header of the discarded
packets since the start of the interface flood. The protocol value
is the protocol number, or zero if the protocol value is unknown.
- mfprotop
- The percentage of times this protocol was seen in the packets
discarded for the interface during the interface flood condition.
- mfcat
- The category of discards seen most frequently since the start of the interface flood. Possible values are:
  - Storage
  - Storage could not be obtained to process the packet. Storage shortages can indicate a problem in the system other than an inbound packet flood.
  - CheckSum
  - Packet had checksum error.
  - Malform
  - Malformed packet.
  - Dest
  - Destination not found. For example, the port is not active or is reserved, the matching socket is not available, or there are no listeners for the RAW protocol.
  - Firewall
  - Packet rejected by IP security.
  - MedHdr
  - Bad media header.
  - Forward
  - Packet is not for this TCP/IP stack but could not be forwarded. For example, forwarding is prevented because the header is bad or the IPCONFIG NODATAGRAMFWD option is specified.
  - QOSPol
  - Packet dropped due to QoS policy.
  - IDSPol
  - Packet dropped due to IDS policy.
  - Access
  - Packet dropped due to NetAccess, multilevel security, or OSM access checks.
  - ATTLS
  - Packet dropped due to AT-TLS policy.
  - OtherPol
  - Packet dropped due to other configuration policy.
  - Queue
  - Queue limit (other than those specified by IDS) prevented queueing the packet for processing. Possible queues include the syn queue, the reassembly queue, and the UDP or RAW receive queues.
  - OtherSyn
  - Syn problems other than syn queue full.
  - State
  - State mismatch.
  - UnpackErr
  - Packet dropped due to unpacking problems.
  - Misc
  - Miscellaneous reasons not listed above. For example, the TCP packet was outside of the TCP window, or duplicate fragments were found during packet reassembly.
- mfcatp
- The percentage of times this category was seen in the packets
discarded for the interface during the interface flood condition.
- mfsrcmac
- Reported for LCS and some QDIO devices. It is not applicable for
other device types. For packets discarded since the interface flood
was detected, this is the source MAC seen most frequently in the discarded
packets. For device types that do not provide the source MAC address, N/A will
be in this field and the following fields that relate to the source
MAC will show zeros.
- mfsrcmacp
- The percentage of times this source MAC address was seen in the
packets discarded for the interface during the interface flood condition.
- smmfproto
- Provided if the most frequent source MAC address (mfsrcmac)
is available. This is the protocol seen most frequently in the IP
header of the discarded packets for that source MAC address during
the interface flood condition. The protocol value is the protocol
number, or zero if the protocol value is unknown.
- smmfprotop
- Provided if the most frequent source MAC address (mfsrcmac)
is available. This is the percentage of times the protocol reported
in smmfproto was seen in the packets discarded
for that source MAC address during the interface flood condition.
- smmfcat
- Provided if the most frequent source MAC address (mfsrcmac)
is available. This is the category of discards seen most frequently
for that source MAC address during the interface flood condition.
See the mfcat field for the list of possible
categories.
- smmfcatp
- Provided if the most frequent source MAC address (mfsrcmac)
is available. This is the percentage of times the category reported
in smmfcat was seen in the packets discarded for
that source MAC address during the interface flood condition.
- lastsip
- The source IP address of the last packet discarded on this interface
during the interface flood condition.
- sipcnt
- The consecutive number of discarded packets for the interface
that have the same source IP address as the last discarded packet.
If the previously discarded packet's source IP address is not the
same as the last discarded packet's source IP address, the count
will be 1.
- probeid
- The unique identifier of the probe that indicated the interface
flood end. See z/OS Communications Server: IP and SNA Codes for a description of the Intrusion Detection
Services probe IDs.
- sensorhostname
- The fully qualified host name of the IDS sensor.
System action

Operator response

System programmer response
The system programmer might want to analyze the data provided in this message to determine the cause of the interface flood condition. If the condition was not a true interface flood, the system programmer should consider changing the IDS ATTACK FLOOD policy actions to higher values to prevent future false detections.
Module

Example
EZZ8655I TRMD ATTACK Interface flood end:07/16/2010 20:19:43.52,ifcname=OSA123,dipaddr=9.67.120.3,correlator=57,duration=25,discardcnt=102,discardp=29,mfproto=6,mfprotop=82,mfcat=Malform,mfcatp=82,mfsrcmac=40000C750800,mfsrcmacp=82,smmfproto=6,smmfprotop=100,smmfcat=Malform,smmfcatp=100,lastsip=9.67.120.73,sipcnt=57,probeid=04070014,sensorhostname=MVS123.tcp.company.com
Procedure name
WriteLogEntries
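The following Python is an added example, not part of the z/OS Communications Server documentation or the TRMD code it describes. It parses an EZZ8655I message into typed fields using the format documented above (the timestamp followed by name=value pairs, "N/A" in mfsrcmac for devices that do not supply a source MAC, the documented mfcat category names) and derives the figures an analyst or SIEM rule would reach for first. The first sample line is the page's own example; the second line, the 50% dominant-MAC threshold, the protocol-name table and the function names are this example's assumptions.

```python
"""Parse the z/OS CS IDS message EZZ8655I (interface flood end) and derive
triage metrics. Example code; not IBM's implementation."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

MSG_PREFIX = "EZZ8655I TRMD ATTACK Interface flood end:"

# Discard categories documented for mfcat / smmfcat on the message page.
DISCARD_CATEGORIES = {
    "Storage", "CheckSum", "Malform", "Dest", "Firewall", "MedHdr", "Forward",
    "QOSPol", "IDSPol", "Access", "ATTLS", "OtherPol", "Queue", "OtherSyn",
    "State", "UnpackErr", "Misc",
}

# Fields the message reports as integers (counts, seconds, percentages, protocol numbers).
INT_FIELDS = {"correlator", "duration", "discardcnt", "discardp", "mfproto", "mfprotop",
              "mfcatp", "mfsrcmacp", "smmfproto", "smmfprotop", "smmfcatp", "sipcnt"}

# IANA protocol numbers for the common cases; 0 means "unknown" per the message text.
PROTO_NAMES = {0: "unknown", 1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed samples: the first is the documentation page's example, the second is a
# hypothetical message from a device type that does not report a source MAC (N/A).
SAMPLE_LINES = [
    "EZZ8655I TRMD ATTACK Interface flood end:07/16/2010 20:19:43.52,ifcname=OSA123,dipaddr=9.67.120.3,"
    "correlator=57,duration=25,discardcnt=102,discardp=29,mfproto=6,mfprotop=82,mfcat=Malform,mfcatp=82,"
    "mfsrcmac=40000C750800,mfsrcmacp=82,smmfproto=6,smmfprotop=100,smmfcat=Malform,smmfcatp=100,"
    "lastsip=9.67.120.73,sipcnt=57,probeid=04070014,sensorhostname=MVS123.tcp.company.com",
    "EZZ8655I TRMD ATTACK Interface flood end:07/16/2010 20:25:01.00,ifcname=IFC2,dipaddr=9.67.120.4,"
    "correlator=58,duration=10,discardcnt=40,discardp=12,mfproto=17,mfprotop=60,mfcat=Storage,mfcatp=55,"
    "mfsrcmac=N/A,mfsrcmacp=0,smmfproto=0,smmfprotop=0,smmfcat=0,smmfcatp=0,"
    "lastsip=9.67.120.88,sipcnt=1,probeid=04070014,sensorhostname=MVS123.tcp.company.com",
]


@dataclass
class FloodEnd:
    ended_at: datetime
    fields: Dict[str, object]

    def __getitem__(self, key: str) -> object:
        return self.fields[key]


def parse_ezz8655i(line: str) -> FloodEnd:
    """Split the message into its timestamp and name=value fields.

    Raises ValueError for a non-EZZ8655I line or an undocumented discard
    category, so malformed input is not silently stored as a clean event.
    """
    line = line.strip()
    if not line.startswith(MSG_PREFIX):
        raise ValueError("not an EZZ8655I message")
    parts = line[len(MSG_PREFIX):].split(",")
    # The first element is "date time"; the rest are name=value pairs.
    ended_at = datetime.strptime(parts[0].strip(), "%m/%d/%Y %H:%M:%S.%f")
    fields: Dict[str, object] = {}
    for kv in parts[1:]:
        name, _, value = kv.partition("=")
        name, value = name.strip(), value.strip()
        if name in INT_FIELDS:
            fields[name] = int(value)
        elif name == "mfsrcmac":
            # Devices that cannot supply a source MAC report N/A; keep that as None.
            fields[name] = None if value.upper() == "N/A" else value
        else:
            fields[name] = value
    if fields.get("mfcat") not in DISCARD_CATEGORIES:
        raise ValueError(f"undocumented discard category {fields.get('mfcat')!r} in mfcat")
    # smmfcat is only meaningful when a source MAC was available; otherwise it shows zeros.
    if fields.get("mfsrcmac") is not None and fields.get("smmfcat") not in DISCARD_CATEGORIES:
        raise ValueError(f"undocumented discard category {fields.get('smmfcat')!r} in smmfcat")
    return FloodEnd(ended_at, fields)


def triage(msg: FloodEnd) -> Dict[str, object]:
    """Derive the numbers an analyst checks first when this message is logged."""
    f = msg.fields
    duration = f["duration"]
    per_second = f["discardcnt"] / duration if duration else float(f["discardcnt"])
    mac: Optional[str] = f["mfsrcmac"]
    # One MAC behind at least half the discards (assumed threshold) points at a
    # single upstream host or switch port; N/A devices cannot support that call.
    single_mac = mac is not None and f["mfsrcmacp"] >= 50
    return {
        "interface": f["ifcname"],
        "discards_per_second": round(per_second, 2),
        "dominant_protocol": PROTO_NAMES.get(f["mfproto"], str(f["mfproto"])),
        "dominant_category": f["mfcat"],
        "single_source_mac": mac if single_mac else None,
        # The page notes that Storage shortages can indicate a system problem
        # rather than an inbound flood, so flag that before tuning IDS policy.
        "possible_non_flood_cause": f["mfcat"] == "Storage",
        "last_source_ip": f["lastsip"],
        "consecutive_from_last_source": f["sipcnt"],
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(triage(parse_ezz8655i(sample)))
```

Running the block prints one triage dictionary per sample; for the page's example it reports 4.08 discards per second, TCP as the dominant protocol, Malform as the dominant category and 40000C750800 as the single dominant source MAC. The parser rejects unknown category names rather than accepting them, which keeps a SIEM field mapping honest when a newer release adds a value.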