Zyxel ZyWALL-USG50 Router Manual PDF (Setup & Configuration Guide)

Page 526 / 944 Scroll up to view Page 521 - 525

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

526

Decoy Port Scans

Decoy port scans are scans where the attacker has spoofed the source address.

These are some decoy scan types:

•

TCP Decoy Portscan

•

UDP Decoy Portscan

•

IP Decoy Portscan

Distributed Port Scans

Distributed port scans are many-to-one port scans. Distributed port scans occur

when multiple hosts query one host for open services. This may be used to evade

intrusion detection. These are distributed port scan types:

•

TCP Distributed Portscan

•

UDP Distributed Portscan

•

IP Distributed Portscan

Port Sweeps

Many different connection attempts to the same port (service) may indicate a port

sweep, that is, they are one-to-many port scans. One host scans a single port on

multiple hosts. This may occur when a new exploit comes out and the attacker is

looking for a specific service. These are some port sweep types:

•

TCP Portsweep

•

UDP Portsweep

•

IP Portsweep

•

ICMP Portsweep

Filtered Port Scans

A filtered port scan may indicate that there were no network errors (ICMP

unreachables or TCP RSTs) or responses on closed ports have been suppressed.

Active network devices, such as NAT routers, may trigger these alerts if they send

out many connection attempts within a very small amount of time. These are

some filtered port scan examples.

•

TCP Filtered

Portscan

•

UDP Filtered Portscan

•

IP Filtered Portscan

•

TCP Filtered Decoy

Portscan

•

UDP Filtered Decoy

Portscan

•

IP Filtered Decoy

Portscan

•

TCP Filtered

Portsweep

•

UDP Filtered Portsweep

•

IP Filtered Portsweep

Page 527 / 944

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

527

Flood Detection

Flood attacks saturate a network with useless data, use up all available

bandwidth, and therefore make communications in the network impossible.

ICMP Flood Attack

An ICMP flood is broadcasting many pings or UDP packets so that so much data is

sent to the system, that it slows it down or locks it up.

Smurf

A smurf attacker (A) floods a router (B) with Internet Control Message Protocol

(ICMP) echo request packets (pings) with the destination IP address of each

packet as the broadcast address of the network. The router will broadcast the

ICMP echo request packet to all hosts on the network. If there are numerous

hosts, this will create a large amount of ICMP echo request and response traffic.

If an attacker (A) spoofs the source IP address of the ICMP echo request packet,

the resulting ICMP traffic will not only saturate the receiving network (B), but the

network of the spoofed source IP address (C).

Figure 308

Smurf Attack

TCP SYN Flood Attack

Usually a client starts a session by sending a SYN (synchronize) packet to a server.

The receiver returns an ACK (acknowledgment) packet and its own SYN, and then

•

ICMP Filtered

Portsweep

•

TCP Filtered Distributed

Portscan

•

UDP Filtered

Distributed Portscan

•

IP Filtered

Distributed Portscan

Page 528 / 944

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

528

the initiator responds with an ACK (acknowledgment). After this handshake, a

connection is established.

Figure 309

TCP Three-Way Handshake

A SYN flood attack is when an attacker sends a series of SYN packets. Each packet

causes the receiver to reply with a SYN-ACK response. The receiver then waits for

the ACK that follows the SYN-ACK, and stores all outstanding SYN-ACK responses

on a backlog queue. SYN-ACKs are only moved off the queue when an ACK comes

back or when an internal timer ends the three-way handshake. Once the queue is

full, the system will ignore all incoming SYN requests, making the system

unavailable for other users.

Figure 310

SYN Flood

LAND Attack

In a LAND attack, hackers flood SYN packets into a network with a spoofed source

IP address of the network itself. This makes it appear as if the computers in the

network sent the packets to themselves, so the network is unavailable while they

try to respond to themselves.

Page 529 / 944

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

529

UDP Flood Attack

UDP is a connection-less protocol and it does not require any connection setup

procedure to transfer data. A UDP flood attack is possible when an attacker sends

a UDP packet to a random port on the victim system. When the victim system

receives a UDP packet, it will determine what application is waiting on the

destination port. When it realizes that there is no application that is waiting on the

port, it will generate an ICMP packet of destination unreachable to the forged

source address. If enough UDP packets are delivered to ports on victim, the

system will go down.

Protocol Anomaly Background Information

The following sections may help you configure the protocol anomaly profile screen

(see

Section 31.3.5 on page 521

)

HTTP Inspection and TCP/UDP/ICMP Decoders

The following table gives some information on the HTTP inspection, TCP decoder,

UDP decoder and ICMP decoder ZyWALL protocol anomaly rules.

Table 158

HTTP Inspection and TCP/UDP/ICMP Decoders

LABEL

DESCRIPTION

HTTP Inspection

APACHE-WHITESPACE

ATTACK

This rule deals with non-RFC standard of tab for a space

delimiter. Apache uses this, so if you have an Apache

server, you need to enable this option.

ASCII-ENCODING

ATTACK

This rule can detect attacks where malicious attackers use

ASCII-encoding to encode attack strings. Attackers may

use this method to bypass system parameter checks in

order to get information or privileges from a web server.

BARE-BYTE-

UNICODING-ENCODING

ATTACK

Bare byte encoding uses non-ASCII characters as valid

values in decoding UTF-8 values. This is NOT in the HTTP

standard, as all non-ASCII values have to be encoded with

a %. Bare byte encoding allows the user to emulate an IIS

server and interpret non-standard encodings correctly.

BASE36-ENCODING

ATTACK

This is a rule to decode base36-encoded characters. This

rule can detect attacks where malicious attackers use

base36-encoding to encode attack strings. Attackers may

use this method to bypass system parameter checks in

order to get information or privileges from a web server.

DIRECTORY-TRAVERSAL

ATTACK

This rule normalizes directory traversals and self-referential

directories. So, “/abc/this_is_not_a_real_dir/../xyz” get

normalized to “/abc/xyz”. Also, “/abc/./xyz” gets

normalized to “/abc/xyz”. If a user wants to configure an

alert, then specify “yes”, otherwise “no”. This alert may give

false positives since some web sites refer to files using

directory traversals.

Page 530 / 944

Chapter 31 ADP

ZyWALL USG 50 User’s Guide

530

DOUBLE-ENCODING

ATTACK

This rule is IIS specific. IIS does two passes through the

request URI, doing decodes in each one. In the first pass,

IIS encoding (UTF-8 unicode, ASCII, bare byte, and %u) is

done. In the second pass ASCII, bare byte, and %u

encodings are done.

IIS-BACKSLASH-

EVASION ATTACK

This is an IIS emulation rule that normalizes backslashes to

slashes. Therefore, a request-URI of “/abc\xyz” gets

normalized to “/abc/xyz”.

IIS-UNICODE-

CODEPOINT-ENCODING

ATTACK

This rule can detect attacks which send attack strings

containing non-ASCII characters encoded by IIS Unicode.

IIS Unicode encoding references the unicode.map file.

Attackers may use this method to bypass system

parameter checks in order to get information or privileges

from a web server.

MULTI-SLASH-

ENCODING ATTACK

This rule normalizes multiple slashes in a row, so something

like: “abc/////////xyz” get normalized to “abc/xyz”.

NON-RFC-DEFINED-

CHAR ATTACK

This rule lets you receive a log or alert if certain non-RFC

characters are used in a request URI. For instance, you may

want to know if there are NULL bytes in the request-URI.

NON-RFC-HTTP-

DELIMITER ATTACK

This is when a newline “\n” character is detected as a

delimiter. This is non-standard but is accepted by both

Apache and IIS web servers.

OVERSIZE-CHUNK-

ENCODING ATTACK

This rule is an anomaly detector for abnormally large chunk

sizes. This picks up the apache chunk encoding exploits and

may also be triggered on HTTP tunneling that uses chunk

encoding.

OVERSIZE-REQUEST-

URI-DIRECTORY ATTACK

This rule takes a non-zero positive integer as an argument.

The argument specifies the max character directory length

for URL directory. If a URL directory is larger than this

argument size, an alert is generated. A good argument

value is 300 characters. This should limit the alerts to IDS

evasion type attacks, like whisker.

SELF-DIRECTORY-

TRAVERSAL ATTACK

This rule normalizes self-referential directories. So, “/abc/./

xyz” gets normalized to “/abc/xyz”.

U-ENCODING ATTACK

This rule emulates the IIS %u encoding scheme. The %u

encoding scheme starts with a %u followed by 4

characters, like %uXXXX. The XXXX is a hex encoded value

that correlates to an IIS unicode codepoint. This is an ASCII

value. An ASCII character is encoded like, %u002f = /,

%u002e = ., etc.

UTF-8-ENCODING

ATTACK

The UTF-8 decode rule decodes standard UTF-8 unicode

sequences that are in the URI. This abides by the unicode

standard and only uses % encoding. Apache uses this

standard, so for any Apache servers, make sure you have

this option turned on. When this rule is enabled, ASCII

decoding is also enabled to enforce correct functioning.

Table 158

HTTP Inspection and TCP/UDP/ICMP Decoders (continued)

LABEL

DESCRIPTION

Rate

Popular Zyxel Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share