Network behavior anomaly detection – H3C Technologies H3C Intelligent Management Center User Manual
Page 18
• Peak traffic analysis
• Realtime traffic
• Conversation aggregation TopN
For detailed information on managing parameter settings in NTA, see "Configuring NTA traffic analysis."
Network behavior anomaly detection
NTA collects statistics on traffic flow records and compares the statistics with a set of thresholds to
discover anomalies. The thresholds that NTA uses are saved in predefined anomaly detection templates.
When NTA discovers an anomaly, it sends the anomaly information (including the source and
destination IP addresses of the packet, the IP address of the device, and the type and number of the
interface) to IMC so IMC notifies administrators of the anomaly through its alarm module.
NTA provides the following predefined anomaly detection templates:
• TCP Null Scan—Determines whether a port is closed on the target host. The attacker sends the target host port a TCP packet with no flags set in the packet header. If the port is closed, the host returns a TCP RST packet. Otherwise, the packet is discarded.
• TCP Fin Scan—Determines port status and the operating system version (Unix or Windows) on the target host. The attacker sends the target host port a TCP packet with the FIN bit set in the packet header. If the port is closed, the host returns a TCP RST packet. Otherwise, the packet is discarded.
• TCP Syn Fin Scan—Indicates that a network attack has occurred. TCP SYN is used to initiate a TCP connection and cannot legitimately be set together with the FIN and RST bits. Other similar combinations include SYN/FIN, SYN/FIN/PSH, SYN/FIN/RST, and SYN/FIN/RST/PSH.
• TCP Xmas Scan—Determines whether ports are closed on the target host. The attacker sends the target host port a TCP packet with the FIN, URG, and PSH bits set in the packet header. If the port is closed, the host returns a TCP RST packet. Otherwise, the packet is discarded.
• UDP Bomb Attack—Detects an attack on old operating system versions. The attacker fills the UDP header with invalid values, such as length values. Some old operating system versions crash when flooded with such packets.
• Snork Attack—Detects a DoS attack against the Windows NT RPC service. This attack is accomplished by sending UDP packets with source port 7, 19, or 135 and destination port 135.
• UDP Flood Attack—Detects a UDP-based DoS attack. This attack significantly consumes network bandwidth and degrades network performance.
• DNS Rogue Hack—Detects an attack that exploits the DNS protocol to transmit illegal data. The attacker disguises the data as DNS traffic and sends it through UDP port 53. Administrators must specify a list of valid DNS servers so that NTA can distinguish between legitimate and disguised DNS traffic.
• Invalid ToS—Detects packets that contain invalid ToS values, such as 0, 2, 4, 8, and 16.
• Land Attack—Detects an attack on a host operating system. This attack is accomplished by sending spoofed packets whose source address is the same as the destination address, causing an operating system flooded with these packets to crash or hang.
• Invalid IP Protocol—Detects spoofed IP packets with protocol numbers equal to or greater than 134. These protocol numbers are unassigned or reserved and should not appear in normal networks.
• Corrupt IP Option—Detects an attack on Windows operating system hosts. The attacker crashes the target Windows system or bypasses security checks by sending packets with carefully crafted IP options to the system.
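As an added illustration (not code from the H3C manual or IMC itself), the following Python function applies the header conditions these templates describe to individual flow records; the Flow field layout, the flag constants, and the VALID_DNS_SERVERS list are assumptions made for the example.

```python
# Added example: per-record matcher modelled on the NTA anomaly templates above.
# The Flow layout and field names are assumptions, not IMC's record format.
from dataclasses import dataclass

FIN, SYN, RST, PSH, URG = 0x01, 0x02, 0x04, 0x08, 0x20  # TCP flag bits


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int          # IP protocol number (6 = TCP, 17 = UDP)
    sport: int
    dport: int
    tcp_flags: int = 0  # bitmask of the constants above; TCP only


# Assumed operator-supplied list of valid DNS servers, as the DNS Rogue
# Hack template requires ("Administrators must specify a list...").
VALID_DNS_SERVERS = {"10.0.0.53"}


def classify(f: Flow) -> list:
    """Return the names of every template the record matches (may be empty)."""
    hits = []
    if f.src == f.dst:                       # Land Attack: src == dst
        hits.append("Land Attack")
    if f.proto >= 134:                       # unassigned/reserved protocol numbers
        hits.append("Invalid IP Protocol")
    if f.proto == 6:
        flags = f.tcp_flags
        if flags == 0:                       # no flags at all
            hits.append("TCP Null Scan")
        elif flags == FIN:                   # FIN alone
            hits.append("TCP Fin Scan")
        elif flags == FIN | URG | PSH:       # "Xmas" combination
            hits.append("TCP Xmas Scan")
        if flags & SYN and flags & FIN:      # SYN with FIN (any extra bits)
            hits.append("TCP Syn Fin Scan")
    elif f.proto == 17:
        if f.dport == 135 and f.sport in (7, 19, 135):
            hits.append("Snork Attack")
        if f.dport == 53 and f.dst not in VALID_DNS_SERVERS:
            hits.append("DNS Rogue Hack")
    return hits


def count_hits(flows) -> dict:
    """Tally matches per template over a batch of records."""
    counts = {}
    for f in flows:
        for name in classify(f):
            counts[name] = counts.get(name, 0) + 1
    return counts
```

A real deployment would raise the alarm only once a template's threshold is exceeded over a time window, which is what the per-template counts are for.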