Overview of IDS
The Intrusion Detection Services (IDS) on Communications Server for z/OS® is designed to protect systems from attacks as well as detect patterns of usage that might indicate impending attacks. Many attacks follow a sequence of information gathering, unauthorized access to resources (information, applications, storage), and denial of service. It can be difficult or, at times, impossible to determine the originator of denial of service attacks. However, correlating information-gathering activities with access violation may help identify an intruder before they succeed. The IDS support can be categorized into three areas:
- Scan detection
  - Scans are recognized as the result of multiple information gathering events from a single source IP within a defined period of time. Scanning, itself, is not necessarily harmful and may be part of normal operation. However, many serious attacks, especially access violation attacks, are preceded by information gathering scans. IDS allows you to specify the traffic types which will be monitored for pre-attack scans. You may narrow the scope and reporting of scan events by specifying time conditions. In addition, you may include or exclude certain addresses and ports on a per-stack basis.
- Attack detection
  - An attack is defined as an assault on system security that derives from an intelligent threat. It is an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system. An attack may be in the form of a single packet or multiple packets. IDS attack policy allows the network administrator to provide network detection for one or more categories of attacks independently of each other. In general, the types of actions that can be specified for an attack policy are notifications (that is, event logging, statistics gathering, packet tracing) and discarding of the attack packets or resetting of a TCP connection.
    - Data Hiding Attack - Using fields such as IP options to hide data.
    - Flood Attack - A Denial of Service attack from a flood of invalid packets.
    - ICMP Redirect Attack - Using packets to modify a host's routing tables.
    - IP Fragment Attack - Taking advantage of fragment overlays to attack the host.
    - IPv4 Options Attack - Using obscure or unknown IPv4 Options to attack a host.
    - IPv4 Outbound Raw Attack - Using the host to craft outbound IPv4 packets that can be used to attack another system.
    - IPv4 Protocols Attack - Using obscure or unknown IPv4 Protocols to attack a host.
    - IPv6 Destination Options Attack - Using IPv6 destination options in a suspicious way.
    - IPv6 Hop-by-Hop Options Attack - Using IPv6 hop-by-hop options in a suspicious way.
    - IPv6 Next Header Attack - Using obscure or unknown extension headers or protocols to attack a host.
    - IPv6 Outbound Raw Attack - Using the host to craft outbound IPv6 packets that can be used to attack another system.
    - Malformed Packet Attack - Using incorrect or partial header information to try to crash a host.
    - Perpetual Echo Attack - Spoofing an application that always responds in such a way that two IP hosts will perpetually echo each other.
    - TCP Queue Size Attack - Consuming system resources with TCP data queued to the send, receive, or out-of-order queues.
    - Global TCP Stall Attack - Consuming system resources with TCP connections that are stalled or unable to send data.
    - EE LDLC Check Attack - Consuming system resources such that SNA LUs are not able to start sessions.
    - EE Malformed Packet Attack - Using packets that have incorrect information in the IP and UDP headers.
    - EE Port Check Attack - Using ports that are not defined by EE to attack a host.
    - EE XID Flood Attack - Consuming all the available lines by flooding XIDs to drop EE connections.
- Traffic Regulation
  - The IDS traffic regulation policies are used to limit memory resource consumption and queue delay time during peak loads. Two types of policies are supported, regulating TCP and UDP traffic.
    - TCP Traffic - You may limit the total number of connections an application has active at one time. You may also limit the number of connections with any one source IP address, based on a fair share algorithm that applies the configured percentage to the number of remaining available connections.
    - UDP Traffic - You may specify one of four abstract queue sizes for specified bound IP addresses and ports, based on packet sizes and total number of bytes on the queue of inbound packets.
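The scan detection rule described above (multiple information-gathering events from one source IP inside a defined time window, with address and port include/exclude lists narrowing what is counted) can be illustrated with a small sliding-window detector. The following is an added example written for this page; it is not Communications Server code and does not read real IDS output. The log format, the source addresses, the threshold of 5 events and the 2-minute window are all constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of information-gathering events (not real z/OS IDS output).
# One event per line: "<ISO timestamp> <source IP> <target port> <event kind>".
# 192.0.2.10 probes six ports in 25 seconds, 198.51.100.7 does mostly DNS,
# 203.0.113.5 sits in a network we will exclude, and 192.0.2.77 is a slow
# prober whose events are spread wider than the window.
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.0.2.10 21 tcp-syn
2024-05-01T10:00:05 192.0.2.10 22 tcp-syn
2024-05-01T10:00:10 192.0.2.10 23 tcp-syn
2024-05-01T10:00:12 198.51.100.7 80 tcp-syn
2024-05-01T10:00:15 192.0.2.10 25 tcp-syn
2024-05-01T10:00:20 192.0.2.10 80 tcp-syn
2024-05-01T10:00:25 192.0.2.10 443 tcp-syn
2024-05-01T10:00:30 198.51.100.7 53 udp
2024-05-01T10:00:31 198.51.100.7 53 udp
2024-05-01T10:00:32 198.51.100.7 53 udp
2024-05-01T10:00:33 198.51.100.7 53 udp
2024-05-01T10:00:34 198.51.100.7 53 udp
2024-05-01T10:01:00 198.51.100.7 443 tcp-syn
2024-05-01T10:02:00 203.0.113.5 21 tcp-syn
2024-05-01T10:02:01 203.0.113.5 22 tcp-syn
2024-05-01T10:02:02 203.0.113.5 23 tcp-syn
2024-05-01T10:02:03 203.0.113.5 25 tcp-syn
2024-05-01T10:02:04 203.0.113.5 80 tcp-syn
2024-05-01T10:02:05 203.0.113.5 443 tcp-syn
2024-05-01T10:00:00 192.0.2.77 21 tcp-syn
2024-05-01T10:03:00 192.0.2.77 22 tcp-syn
2024-05-01T10:06:00 192.0.2.77 23 tcp-syn
2024-05-01T10:09:00 192.0.2.77 25 tcp-syn
2024-05-01T10:12:00 192.0.2.77 80 tcp-syn
"""


def parse_event(line):
    """Parse one constructed log line into (timestamp, source, port, kind)."""
    ts, src, port, kind = line.split()
    return datetime.fromisoformat(ts), src, int(port), kind


def detect_scans(log_text, threshold=5, window=timedelta(minutes=2),
                 excluded_nets=(), excluded_ports=()):
    """Flag each source IP whose counted events reach `threshold` within any
    sliding `window`. Events from excluded networks or to excluded ports are
    not counted, mirroring the include/exclude lists in an IDS scan policy.
    Returns {source IP: timestamp of the event that crossed the threshold}."""
    nets = [ip_network(n) for n in excluded_nets]
    ports = set(excluded_ports)
    recent = defaultdict(deque)   # source -> event timestamps inside the window
    flagged = {}
    # Sort by timestamp so the window logic works even if the log is out of order.
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    for ts, src, port, _kind in events:
        if port in ports or any(ip_address(src) in n for n in nets):
            continue                      # excluded by policy, not counted
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:         # age out events older than the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts             # report once per source
    return flagged


if __name__ == "__main__":
    hits = detect_scans(SAMPLE_LOG,
                        excluded_nets=("203.0.113.0/24",),
                        excluded_ports=(53,))
    for src, ts in hits.items():
        print(f"scan suspected from {src} at {ts.isoformat()}")
```

With the exclusions applied only 192.0.2.10 is reported; without them the DNS-heavy host and the excluded network are reported too, which is exactly the noise the include/exclude lists and time conditions exist to suppress. The slow prober is never reported at this window size, which is the trade-off to keep in mind when choosing the "defined period of time".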
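The TCP traffic regulation description above (an application-wide connection limit plus a per-source limit computed as a configured percentage of the remaining available connections) is worth seeing as a worked admission-control loop. The following is an added example, not Communications Server code: the exact admission rule it uses (admit when the source holds fewer connections than the percentage of the remaining capacity) is this example's interpretation of the page's one-sentence description, and the limit of 100 connections, the 20% share and the source addresses are constructed values.

```python
class TcpFairShareLimiter:
    """Per-source admission control modelled on the IDS TR TCP policy described above.

    Assumed rule (this example's interpretation, not a published formula): a new
    connection from `src` is admitted when the source currently holds fewer
    connections than `percentage` of the connections still available to the
    application, i.e. fewer than percentage * (total_limit - all active).
    """

    def __init__(self, total_limit, percentage):
        if not 0 < percentage <= 1:
            raise ValueError("percentage must be in (0, 1]")
        self.total_limit = total_limit
        self.percentage = percentage
        self.active = {}          # source IP -> active connection count

    def total_active(self):
        return sum(self.active.values())

    def remaining(self):
        """Connections the application can still accept under the total limit."""
        return self.total_limit - self.total_active()

    def admit(self, src):
        """Admit or refuse a new connection from `src`; returns True if admitted."""
        remaining = self.remaining()
        if remaining <= 0:
            return False                              # application-wide limit reached
        if self.active.get(src, 0) >= self.percentage * remaining:
            return False                              # source already holds its fair share
        self.active[src] = self.active.get(src, 0) + 1
        return True

    def release(self, src):
        """A connection from `src` closed; free its slot for everyone."""
        if self.active.get(src, 0) > 0:
            self.active[src] -= 1


def fill_from(limiter, src):
    """Open connections from `src` until one is refused; return how many were admitted."""
    admitted = 0
    while limiter.admit(src):
        admitted += 1
    return admitted


if __name__ == "__main__":
    lim = TcpFairShareLimiter(total_limit=100, percentage=0.20)
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(f"{src} admitted {fill_from(lim, src)} connections, "
              f"{lim.remaining()} remaining")
```

Run the scenario and the fair-share property shows itself: the first source is capped at 17 connections, the second at 14 and the third at 12, because each is measured against a shrinking pool of remaining connections; a source that already holds its share is refused while a previously unseen source is still admitted, so no single address can exhaust the application's listen capacity during a flood.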