H3C Technologies H3C Intelligent Management Center User Manual
UBA provides the following predefined anomaly detection templates. You cannot add or delete
anomaly detection templates, but you can modify them.
• TCP Null Scan—Used to determine whether a port is closed on the target host. The attacker sends the target host port a TCP packet with no flags set in the packet header. If the port is closed, the host returns a TCP RST packet. Otherwise, the packet is discarded.
• TCP Fin Scan—Used to determine port status and the operating system version (Unix or Windows) of the target host. The attacker sends the target host port a TCP packet with only the FIN bit set in the packet header. If the port is closed, the host returns a TCP RST packet. Otherwise, the packet is discarded.
• TCP Syn Fin Scan—Indicates that a network attack has occurred. TCP SYN is used to initiate a TCP connection and cannot legitimately be set together with the FIN or RST bits. Other similar combinations include SYN/FIN, SYN/FIN/PSH, SYN/FIN/RST, and SYN/FIN/RST/PSH.
• TCP Xmas Scan—Used to determine whether ports are closed on the target host. The attacker sends the target host port a TCP packet with the FIN, URG, and PSH bits set in the packet header. If the port is closed, the host returns a TCP RST packet. Otherwise, the packet is discarded.
• UDP Bomb Attack—Used to attack older operating systems. The attacker fills the UDP header with invalid values, such as an incorrect Length field. Some older operating systems crash when flooded with such packets.
• Snork Attack—Denial of service (DoS) attack against the Windows NT RPC service. The attack is carried out by sending UDP packets with source port 7, 19, or 135 and destination port 135.
• UDP Flood Attack—UDP-based DoS attack that consumes significant network bandwidth and degrades network performance.
• DNS Rogue Hack—An attack that abuses the DNS protocol to transmit illegal data. The attacker disguises the data as DNS traffic sent through UDP port 53. Administrators must specify a list of valid DNS servers so that UBA can distinguish legitimate from disguised DNS traffic.
• Invalid ToS—Packets that contain invalid ToS values, such as 0, 2, 4, 8, and 16.
• Land Attack—Used to attack a host operating system. The attack is carried out by sending spoofed packets whose source address is the same as the destination address; an operating system flooded with such packets can crash or hang.
• Invalid IP Protocol—Spoofed IP packets with protocol numbers equal to or greater than 134. These protocol numbers are unassigned or reserved and cannot appear in normal network traffic.
• Corrupt IP Option—Used to attack Windows hosts. The attacker crashes the target Windows system or bypasses security checks by sending it packets with carefully crafted IP options.
• Time Stamp IP Option—Used to attack NetBSD hosts. The attacker launches a remote DoS attack against the target NetBSD system by flooding it with TCP packets that carry unmatched IP timestamp options, causing the system to crash.
• Source Route IP Option—The attacker uses IP source route options to hide their true address and reach restricted areas of a network by specifying a different path.
• Record Route IP Option—The attacker uses IP record route options to gather information about the architecture and topology of the network through which the IP packets passed.
• Security IP Option—Forged IP packets with the security option in the packet header. The IP security option is obsolete, so its presence in the IP header is suspect.
• Stream ID IP Option—Forged IP packets with the stream ID option in the packet header. The stream ID option is obsolete, so its presence in the IP header is suspect.
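The header checks behind the TCP, UDP and IP option templates above, as an added example that is not H3C or IMC code: a small Python matcher that labels a constructed packet with the template names it triggers. Packets are plain dicts built inline; the field names (src, dst, proto, flags, sport, dport, options) and the use of IANA IP option type numbers are assumptions, not the IMC format.

```python
# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# IANA option type values (RFC 791) for the option-based templates
IP_OPTION_TEMPLATES = {
    7: "Record Route IP Option",
    68: "Time Stamp IP Option",
    130: "Security IP Option",
    136: "Stream ID IP Option",
    131: "Source Route IP Option",  # loose source route
    137: "Source Route IP Option",  # strict source route
}


def tcp_templates(flags):
    """Return the scan templates matched by a TCP flags byte."""
    hits = []
    if flags == 0:
        hits.append("TCP Null Scan")
    elif flags == FIN:
        hits.append("TCP Fin Scan")
    elif flags == FIN | URG | PSH:
        hits.append("TCP Xmas Scan")
    # SYN must never be combined with FIN or RST, whatever else is set
    if flags & SYN and flags & (FIN | RST):
        hits.append("TCP Syn Fin Scan")
    return hits


def classify(pkt):
    """Return the template names a packet matches.

    pkt is a constructed dict; its field names are assumptions for this
    example, not a real capture or IMC record format.
    """
    hits = []
    if pkt["src"] == pkt["dst"]:
        hits.append("Land Attack")
    if pkt["proto"] >= 134:  # unassigned or reserved protocol numbers
        hits.append("Invalid IP Protocol")
    for opt in pkt.get("options", []):
        if opt in IP_OPTION_TEMPLATES:
            hits.append(IP_OPTION_TEMPLATES[opt])
    if pkt["proto"] == 6:
        hits += tcp_templates(pkt["flags"])
    elif pkt["proto"] == 17 and pkt["sport"] in (7, 19, 135) and pkt["dport"] == 135:
        hits.append("Snork Attack")
    return hits


if __name__ == "__main__":
    # Constructed sample: SYN/FIN probe carrying a loose source route option
    print(classify({"src": "10.0.0.1", "dst": "10.0.0.2", "proto": 6, "flags": SYN | FIN, "options": [131]}))
```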