Viewing the anomaly detection template list – H3C Technologies H3C Intelligent Management Center User Manual

• Ping of Death Attack—Used to attack hosts or network devices. The attacker sends large ICMP
  packets of more than 65507 bytes in size, which causes the hosts or network devices that receive
  these packets to crash, freeze, or reboot.
• Large ICMP Packet—Large ICMP packet attack detection. Typically, ICMP packets contain very
  short messages. The presence of large ICMP packets might indicate that something is wrong in the
  network.
• Fragmented ICMP Packet—ICMP fragment detection. Because ICMP packets contain very short
  messages, there is no legitimate reason for ICMP packets to be fragmented.
• ICMP Redirects—The attacker sends spoofed ICMP redirect packets to the target host to alter its
  routing table.
• ICMP Destination Unreachable—Some operating systems will drop the connection to a specific
  network upon receiving an ICMP unreachable packet indicating that the network is unreachable.
  The attacker uses spoofed ICMP unreachable packets to mislead the target host to cut the
  connection to a specific network.
• ICMP Request Excess—Used to attack a host operating system. The attacker floods the target host
  with ICMP echo requests, or ping messages, which significantly consumes the resources and
  bandwidth of the host.
• ICMP Reply Excess—The attacker uses the ICMP reply messages to probe a host for its operating
  system information.
• ICMP Source Quench—The attacker uses spoofed ICMP source quench packets to limit the
  bandwidth available to other users. ICMP source quench packets can reduce the data transmission
  rate, which will be recovered once the sending of such packets is stopped.
• ICMP Parameter Problem—ICMP packets that contain invalid parameters.
• ICMP Time Exceeded—The attacker sends spoofed ICMP time exceeded messages to either or both
  of the communication parties to cut their connection.
• DHCP Offer Packet—The attacker sends a spoofed DHCP Offer packet with a random IP address to
  the host requesting the DHCP service, causing network anomalies.
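The header-based ICMP templates in the list above can be recognized from a single raw IPv4 packet. The following Python sketch is an added example, not H3C code; the function names, the 1024-byte "large" threshold and the sample packets built by `build()` are assumptions made for illustration. The rate-based templates (ICMP Request Excess, ICMP Reply Excess) need counters over time and are not covered.

```python
import struct

# ICMP type numbers (RFC 792) mapped to the template names used above.
TYPE_TEMPLATES = {3: "ICMP Destination Unreachable", 4: "ICMP Source Quench",
                  5: "ICMP Redirects", 11: "ICMP Time Exceeded",
                  12: "ICMP Parameter Problem"}
MAX_ICMP_DATA = 65507      # size limit quoted in the Ping of Death entry
LARGE_ICMP_BYTES = 1024    # assumed threshold, not taken from the manual

def classify(packet: bytes, large: int = LARGE_ICMP_BYTES) -> list:
    """Return the template names that one raw IPv4 packet matches."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return []
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", packet[2:8])
    if ihl < 20 or packet[9] != 1 or total_len < ihl:  # protocol 1 = ICMP
        return []
    more_fragments = bool(frag & 0x2000)
    offset = (frag & 0x1FFF) * 8          # fragment offset in bytes
    payload_len = total_len - ihl
    hits = []
    # ICMP data size of the reassembled datagram implied by this fragment.
    if offset + payload_len - 8 > MAX_ICMP_DATA:
        hits.append("Ping of Death Attack")
    if more_fragments or offset:
        hits.append("Fragmented ICMP Packet")
    if payload_len > large:
        hits.append("Large ICMP Packet")
    # Only the first fragment carries the ICMP header with the type field.
    if offset == 0 and len(packet) > ihl and packet[ihl] in TYPE_TEMPLATES:
        hits.append(TYPE_TEMPLATES[packet[ihl]])
    return hits

def build(icmp_type: int, data_len: int, offset_units: int = 0,
          mf: bool = False) -> bytes:
    """Construct a sample IPv4+ICMP packet (checksums left at zero)."""
    payload = bytes([icmp_type, 0, 0, 0, 0, 0, 0, 0]) + b"\x00" * data_len
    frag = (0x2000 if mf else 0) | offset_units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         frag, 64, 1, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload

if __name__ == "__main__":
    for pkt in (build(8, 32), build(5, 28), build(8, 1472, mf=True),
                build(0, 100, offset_units=8189)):
        print(classify(pkt))
```
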
The anomaly detection templates include the following types:
• Anomaly detection templates that use common parameters (see ).
• Anomaly detection templates that use type-specific parameters in addition to common parameters
  (see ).
Viewing the anomaly detection template list
1. Access the Settings page.
2. Click the Anomaly Detection link or icon.
   The Anomaly Detection page appears.
Basic Configuration area
  ◦ Time Window—Select the time window mode for generating anomaly alarms. Options are
    Fixed and Sliding. If Fixed is selected, the anomaly detection generates only one alarm within
    every time window duration. If Sliding is selected, the anomaly detection does not generate
    another alarm for attacks of the same type within the specified time window duration once an
    alarm is generated. After completing the configuration, click OK next to the Time Window
    field.