Intrusion detection services (IDS)
Intrusion detection services (IDS) provides the following support:
- Scan detection and reporting
- Traffic regulation for TCP connections and UDP receive queues
- Attack detection, reporting, and prevention
The first two services involve checks that occur during TCP connection setup and do not interact directly with SMC communications.
The last service covers a range of checks. Most of them are performed on inbound TCP packets, so they do not apply to SMC communications, whose data moves through the SMC link rather than in TCP packets. The following two checks in this service do apply to TCP connections that traverse SMC links:
- TCP queue size events
You can use IDS policy to detect when the send or receive queue for a TCP connection that traverses an SMC link becomes constrained because of the amount or age of the data on the queue. When a queue becomes constrained, you can reset the TCP connection or continue to monitor the condition until the queue is no longer constrained.
Send or receive queues can be constrained for TCP connections that traverse SMC links:
- The send queue is considered to be constrained when data is available to be sent but cannot be sent, or when data that was stored into the peer remote memory buffer (RMB, for SMC-R) or direct memory buffer (DMB, for SMC-D) is not acknowledged, for more than 30 seconds.
- The receive queue is considered to be constrained when data is available to be delivered but the application does not receive the data for more than 30 seconds.
- When either queue becomes constrained, the TCP connection is reset or monitored, according to the IDS policy in effect.
- Global TCP stall events
You can use IDS to detect attacks that are designed to consume system resources by creating many TCP connections and causing them to stall, making them unable to send data. A global stall condition is in effect when at least 50% of the active TCP connections are stalled and at least 1000 TCP connections are active. You can reset stalled connections, or continue to monitor the condition.
TCP connections that traverse SMC links are counted for global TCP stall events. A TCP connection that traverses an SMC link is treated as a stalled connection when its transmission control block (TCB) is write-blocked, that is, the connection has data to send but cannot send it.
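The two checks above (TCP queue size events and global TCP stall events) are simple threshold rules, and it helps to see them applied to data. The following is an added illustration, not z/OS Communications Server code and not IDS policy syntax: it models the documented thresholds (30-second queue age, at least 1000 active connections, at least 50% of them stalled) over constructed connection snapshots. The `SmcConnection` fields, the `policy` dictionary and the `sample_population` helper are assumptions made for the example; it also applies the 30-second limit to both send-queue conditions, which is one reading of the text above.

```python
# Added illustration of the two IDS checks described above (TCP queue size
# events and global TCP stall events). This is not z/OS Communications Server
# code: it models the documented thresholds over constructed connection
# snapshots so the rules can be exercised offline.
from dataclasses import dataclass
from typing import Dict, List, Tuple

QUEUE_AGE_LIMIT_SECONDS = 30.0     # a queue is constrained after data waits > 30 s
GLOBAL_STALL_MIN_ACTIVE = 1000     # global stall needs at least 1000 active connections
GLOBAL_STALL_MIN_FRACTION = 0.5    # ... and at least 50% of them stalled


@dataclass
class SmcConnection:
    """Snapshot of one TCP connection that traverses an SMC link.

    Field names are hypothetical; each age records how long (seconds) the
    oldest data in that state has been waiting, or 0 if there is none.
    """
    conn_id: str
    unsendable_age: float = 0.0    # data queued to send but not sendable
    unacked_age: float = 0.0       # data stored in the peer RMB/DMB, not yet acknowledged
    undelivered_age: float = 0.0   # data on the receive queue the application has not read
    write_blocked: bool = False    # TCB write-blocked: the text's stall criterion for SMC


def send_queue_constrained(c: SmcConnection) -> bool:
    """Send queue: unsendable or unacknowledged data older than the limit.
    The 30 s limit is applied to both conditions (an assumption of this example)."""
    return max(c.unsendable_age, c.unacked_age) > QUEUE_AGE_LIMIT_SECONDS


def receive_queue_constrained(c: SmcConnection) -> bool:
    """Receive queue: deliverable data the application has not taken for > 30 s."""
    return c.undelivered_age > QUEUE_AGE_LIMIT_SECONDS


def queue_size_events(conns: List[SmcConnection],
                      policy: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (conn_id, queue, action) for every constrained queue.

    policy maps 'send' / 'receive' to 'reset' or 'monitor', standing in for
    the per-event action an IDS policy would carry (hypothetical shape).
    """
    events = []
    for c in conns:
        if send_queue_constrained(c):
            events.append((c.conn_id, "send", policy.get("send", "monitor")))
        if receive_queue_constrained(c):
            events.append((c.conn_id, "receive", policy.get("receive", "monitor")))
    return events


def global_stall_state(conns: List[SmcConnection]) -> Tuple[bool, int, int]:
    """Return (in_effect, stalled, active) using the 1000 / 50% thresholds."""
    active = len(conns)
    stalled = sum(1 for c in conns if c.write_blocked)
    in_effect = (active >= GLOBAL_STALL_MIN_ACTIVE
                 and stalled >= GLOBAL_STALL_MIN_FRACTION * active)
    return in_effect, stalled, active


def global_stall_actions(conns: List[SmcConnection], action: str) -> List[str]:
    """Ids of stalled connections to reset; empty when the condition is not
    in effect or the policy action is 'monitor'."""
    in_effect, _, _ = global_stall_state(conns)
    if not in_effect or action != "reset":
        return []
    return [c.conn_id for c in conns if c.write_blocked]


def sample_population(active: int, stalled: int) -> List[SmcConnection]:
    """Constructed population: the first `stalled` connections are write-blocked."""
    return [SmcConnection(f"conn-{i}", write_blocked=(i < stalled)) for i in range(active)]


def demo() -> dict:
    """Run both checks on constructed data and return the results."""
    conns = [
        SmcConnection("a", unacked_age=45.0),        # peer has not acknowledged for 45 s
        SmcConnection("b", undelivered_age=31.0),    # application has not read for 31 s
        SmcConnection("c", unsendable_age=10.0, undelivered_age=10.0),  # under the limit
    ]
    policy = {"send": "reset", "receive": "monitor"}
    return {
        "queue_events": queue_size_events(conns, policy),
        "stall_1200_700": global_stall_state(sample_population(1200, 700)),
        "stall_900_600": global_stall_state(sample_population(900, 600)),
        "resets": len(global_stall_actions(sample_population(1200, 700), "reset")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two points the data makes visible: a population of 900 connections with 600 stalled (67%) is not a global stall because fewer than 1000 connections are active, and a 30-second-old queue is not yet constrained because the text's limit is "more than 30 seconds".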