Attack summary (-A) report

This report is displayed when the -A option is specified with the trmdstat command. It displays the summary of all attack events. The information presented in this report is derived from EZZ8648I and EZZ8649I types of syslog messages. Information is grouped by destination IP address - source IP address pair. It is sorted by destination IP address and then by destination port.

>trmdstat -A /tmp/tstlog.log
trmdstat for z/OS CS V2R1  Fri Nov 25 09:12:26 2011

Command Entered     : trmdstat -A /tmp/tstlog.log
Log Time Interval   : Nov 12 04:36:51  - Nov 29 19:55:50
Stack Time Interval : Nov 12 04:36:47  - Nov 29 19:55:46
TRM Records Scanned : 227

                            ATTACK Summary

                            Packets Discarded

Destination IP Address: 192.168.105.53
Source IP Address:      192.168.105.50

Dest  Malform/   OutRaw4/   Redirect/  DestOpts/  IPProto/   PerpEcho/  EELDLC/
Port  Fragment   OutRaw6    IPOption   HopOpts    NextHdrs   DataHide   EEPort     EEMalfmd   NoId
----- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
11000          0          0          0          0          0          0          0          1          0
               0          0          0          0          0          0          0
12000          0          0          0          0          0          0          0          2          0
               0          0          0          0          0          0          1

                            Packets Discarded

Destination IP Address: 2001:db8:0:3:9:42:103:132
Source IP Address:      2001:db8::20d:60ff:fe24:32ae

Dest  Malform/   OutRaw4/   Redirect/  DestOpts/  IPProto/   PerpEcho/  EELDLC/
Port  Fragment   OutRaw6    IPOption   HopOpts    NextHdrs   DataHide   EEPort     EEMalfmd   NoId
----- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
    0          0          0          1          0          0          0          0          0          0
               0          1          0          0          0          0          0

                            Packets Discarded

Destination IP Address: 2001:db8:0:3:9:42:103:132
Source IP Address:      2001:db8:0:3:20a:5eff:fe04:8f16

Dest  Malform/   OutRaw4/   Redirect/  DestOpts/  IPProto/   PerpEcho/  EELDLC/
Port  Fragment   OutRaw6    IPOption   HopOpts    NextHdrs   DataHide   EEPort     EEMalfmd   NoId
----- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
    0          2          0          0          0          0          0          0          0          0
               0          0          0          0          2          0          0

                            Packets Would Have Been Discarded

Destination IP Address: 192.168.0.5
Source IP Address:      192.168.101.3

Dest  Malform/   OutRaw4/   Redirect/  DestOpts/  IPProto/   PerpEcho/  EELDLC/
Port  Fragment   OutRaw6    IPOption   HopOpts    NextHdrs   DataHide   EEPort     EEMalfmd   NoId
----- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
    0          0          1          0          0          0          0          0          0          0
               0          0          0          0          0          0          0

                            Packets Would Have Been Discarded

Destination IP Address: 2001:db8:0:3:9:42:103:132
Source IP Address:      2001:db8::20d:60ff:fe24:32ae

Dest  Malform/   OutRaw4/   Redirect/  DestOpts/  IPProto/   PerpEcho/  EELDLC/
Port  Fragment   OutRaw6    IPOption   HopOpts    NextHdrs   DataHide   EEPort     EEMalfmd   NoId
----- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
    0          0          0          1          0          0          0          0          0          0
               0          0          0          0          0          0          0
    7          0          0          0          0          0          1          0          0          0
               0          0          0          0          0          0          0

                            Packets Would Have Been Discarded

Destination IP Address: 2001:db8:0:3:9:42:103:132
Source IP Address:      2001:db8:0:3:20a:5eff:fe04:8f16

Dest  Malform/   OutRaw4/   Redirect/  DestOpts/  IPProto/   PerpEcho/  EELDLC/
Port  Fragment   OutRaw6    IPOption   HopOpts    NextHdrs   DataHide   EEPort     EEMalfmd   NoId
----- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
    0          0          0          0          2          0          0          0          0          0
               0          0          0          1          1          0          0

The following information describes the areas of the ATTACK summary report.
Destination IP Address
Specifies the destination IP address.
Source IP Address
Specifies the source IP address.
DestPort
Specifies the destination port number.
Malform
Specifies the number of malformed packet attacks detected.
Fragment
Specifies the number of IP fragment packet attacks detected.
OutRaw4
Specifies the number of outbound IPv4 raw packet attacks detected.
OutRaw6
Specifies the number of outbound IPv6 raw packet attacks detected.
Redirect
Specifies the number of ICMP Redirect packet attacks detected.
IPOption
Specifies the number of restricted IPv4 option packet attacks detected.
DestOpts
Specifies the number of restricted IPv6 destination option packet attacks detected.
HopOpts
Specifies the number of restricted IPv6 hop-by-hop option packet attacks detected.
IPProto
Specifies the number of restricted IPv4 protocol packet attacks detected.
NextHdrs
Specifies the number of restricted IPv6 next header packet attacks detected.
PerpEcho
Specifies the number of perpetual echo packet attacks detected.
DataHide
Specifies the number of packets detected with possible hidden data.
EELDLC
Specifies the number of EE LDLC packets detected that were received on the wrong port.
EEPort
Specifies the number of EE packets detected with the incorrect source port value.
EEMalfmd
Specifies the number of EE malformed packets detected.
NoId
Specifies the number of EZZ8648I or EZZ8649I messages received with an unknown attack type. This can occur when the version of the z/OS® Communications Server on which the trmdstat command is being run is older than the version of the z/OS Communications Server that detected the attacks.
Packets Discarded
A report section header indicating packets that were discarded.
Packets Would Have Been Discarded
A report section header indicating packets that would have been discarded.
messages suppressed
The number of attack messages suppressed with attack type, date and time. This data comes from an EZZ9327I message. See The trmdstat report general concept for a detailed description.
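
As an added example (not part of the IBM documentation), the following Python parser turns the ATTACK summary text into one record per section, address pair and port, which makes the two-row counter layout easier to feed into a SIEM or to compare between runs. It assumes, from the column alignment of the sample above, that the first data row of each port carries the upper header names plus EEMalfmd and NoId and that the second row carries the lower header names; `parse_attack_summary`, `TOP`, `BOTTOM` and `SAMPLE` are names chosen for this example.

```python
import re

# Column order inferred from the two-line header of the sample report:
# the first data row of each port carries TOP, the second carries BOTTOM.
TOP = ["Malform", "OutRaw4", "Redirect", "DestOpts", "IPProto",
       "PerpEcho", "EELDLC", "EEMalfmd", "NoId"]
BOTTOM = ["Fragment", "OutRaw6", "IPOption", "HopOpts", "NextHdrs",
          "DataHide", "EEPort"]

# Two sections excerpted from the sample report above (blank lines dropped).
SAMPLE = """\
                            Packets Discarded
Destination IP Address: 192.168.105.53
Source IP Address:      192.168.105.50
Dest  Malform/   OutRaw4/   Redirect/  DestOpts/  IPProto/   PerpEcho/  EELDLC/
Port  Fragment   OutRaw6    IPOption   HopOpts    NextHdrs   DataHide   EEPort     EEMalfmd   NoId
----- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
11000          0          0          0          0          0          0          0          1          0
               0          0          0          0          0          0          0
12000          0          0          0          0          0          0          0          2          0
               0          0          0          0          0          0          1
                            Packets Would Have Been Discarded
Destination IP Address: 192.168.0.5
Source IP Address:      192.168.101.3
Dest  Malform/   OutRaw4/   Redirect/  DestOpts/  IPProto/   PerpEcho/  EELDLC/
Port  Fragment   OutRaw6    IPOption   HopOpts    NextHdrs   DataHide   EEPort     EEMalfmd   NoId
----- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------
    0          0          1          0          0          0          0          0          0          0
               0          0          0          0          0          0          0
"""

def parse_attack_summary(text):
    """Return one dict per section/dst/src/port, keeping only nonzero counters."""
    rows, ctx, top = [], {}, None
    for s in map(str.strip, text.splitlines()):
        if s in ("Packets Discarded", "Packets Would Have Been Discarded"):
            ctx["discarded"] = "Would" not in s
        elif s.startswith(("Destination IP Address:", "Source IP Address:")):
            key, value = s.split(":", 1)      # IPv6 values keep their colons
            ctx["dst" if key.startswith("Dest") else "src"] = value.strip()
        elif re.fullmatch(r"\d+(\s+\d+)*", s):
            nums = [int(n) for n in s.split()]
            if len(nums) == 1 + len(TOP):     # port number + first counter row
                top = nums
            elif len(nums) == len(BOTTOM) and top:
                counts = dict(zip(TOP + BOTTOM, top[1:] + nums))
                rows.append({**ctx, "port": top[0],
                             "counts": {k: v for k, v in counts.items() if v}})
                top = None
    return rows
```

Calling `parse_attack_summary(SAMPLE)` yields three records; a nonzero `NoId` count in any of them is the cue that trmdstat is older than the stack that logged the event.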