Using the Anomaly Drops graphs

Use the Anomaly Drops graphs to monitor drops due to Layer 3, Layer 4, and Layer 7 anomalies.

Customize the graph with the following viewing parameters: SPP, Reporting Period (1-hr to 1-yr), Linear/Logarithmic Y-Axis.

Placing the cursor on the Monitor graph will display a tool-tip with additional information.

Before you begin:

  • You must have Read permission for the Monitor menu.
  • Refer to Reading Monitor graphs to understand the graphs in detail.
To display the graph:
  1. Go to Monitor > Drops Monitor > Anomaly Drops > [SPP] [Aggregate/Layer 3/4/7] [Y-Axis View] [Reporting Period].

Statistic / Description

Aggregate

Aggregation of all anomaly drops for:

  • Layer 3
  • Layer 4
  • Layer 7

Layer 3

Drops due to (IP Profile Strict Anomalies option):

  • IP Header Checksum Error
  • Other Layer 3 anomalies, including:
    • IP version other than 4 or 6
    • Header length less than 5 words
    • End of packet (EOP) before 20 bytes of IPV4 Data
    • Total length less than 20 bytes
    • EOP comes before the length specified by Total length
    • End of Header before the data offset (while parsing options)
    • Length field in LSRR/SSRR option is other than (3+(n*4)) where n takes value greater than or equal to 1
    • Pointer in LSRR/SSRR is other than (n*4) where n takes value greater than or equal to 1
    • IP option length less than 3
    • Reserved flag set
    • More fragments and Don't Fragment Flags both set
  • Source and Destination Address Match - Source and Destination addresses are the same (LAND attack).
  • Source/Destination as LocalHost - Source or Destination address is the same as the localhost (loopback address spoofing).
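To make the Layer 3 strict-anomaly list concrete, the following is an added example (not Fortinet code and not the FortiDDoS implementation) that parses an IPv4 header and reports which of the checks listed above it fails. The anomaly names, the packet builder and the sample packets are constructed for this illustration; the checks follow the list on this page (version, IHL, total length, truncation, reserved and DF+MF flags, LSRR/SSRR option shape, header checksum, LAND and loopback addresses).

```python
import struct
import ipaddress
from typing import List, Optional


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def option_anomalies(opts: bytes) -> List[str]:
    """Walk the IPv4 options area and flag malformed LSRR/SSRR or short options."""
    found = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            found.append("End of header while parsing options")
            break
        length = opts[i + 1]
        if length < 3:
            found.append("IP option length less than 3")
            break
        if i + length > len(opts):
            found.append("End of header while parsing options")
            break
        if kind in (131, 137):   # 131 = LSRR, 137 = SSRR
            if length < 7 or (length - 3) % 4 != 0:
                found.append("LSRR/SSRR length is not 3+(n*4) with n>=1")
            pointer = opts[i + 2]
            if pointer < 4 or pointer % 4 != 0:
                found.append("LSRR/SSRR pointer is not n*4 with n>=1")
        i += length
    return found


def ipv4_anomalies(pkt: bytes) -> List[str]:
    """Return the names of the Layer 3 strict-anomaly checks this packet fails."""
    found = []
    if not pkt:
        return ["EOP before 20 bytes of IPv4 data"]
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    if version not in (4, 6):
        found.append("IP version other than 4 or 6")
    if version != 4:
        return found             # remaining checks are IPv4-specific
    if ihl < 5:
        found.append("Header length less than 5 words")
    if len(pkt) < 20:
        found.append("EOP before 20 bytes of IPv4 data")
        return found
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if total_len < 20:
        found.append("Total length less than 20 bytes")
    if len(pkt) < total_len:
        found.append("EOP before the length specified by Total length")
    if flags_frag & 0x8000:
        found.append("Reserved flag set")
    if flags_frag & 0x4000 and flags_frag & 0x2000:
        found.append("More Fragments and Don't Fragment both set")
    hdr_len = ihl * 4
    if ihl >= 5:
        if len(pkt) < hdr_len:
            found.append("End of header before the data offset")
        else:
            if ipv4_checksum(pkt[:hdr_len]) != 0:   # checksum covers options too
                found.append("IP header checksum error")
            found += option_anomalies(pkt[20:hdr_len])
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    if src == dst:
        found.append("Source and destination address match (LAND)")
    if src.is_loopback or dst.is_loopback:
        found.append("Source/destination is localhost")
    return found


def build_ipv4(src: str, dst: str, options: bytes = b"", payload: bytes = b"",
               flags: int = 0, version: int = 4, ihl: Optional[int] = None,
               total_len: Optional[int] = None) -> bytes:
    """Construct a test IPv4 packet (sample data, not captured traffic). flags: 4=reserved, 2=DF, 1=MF."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = (20 + len(options)) // 4 if ihl is None else ihl
    total_len = 20 + len(options) + len(payload) if total_len is None else total_len
    header = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_len, 0x1234,
                         flags << 13, 64, 6, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed) + options
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


if __name__ == "__main__":
    for name, pkt in [("clean", build_ipv4("10.0.0.1", "192.0.2.10")),
                      ("land", build_ipv4("192.0.2.10", "192.0.2.10")),
                      ("df+mf", build_ipv4("10.0.0.1", "192.0.2.10", flags=0b011))]:
        print(name, ipv4_anomalies(pkt))
```

Each check maps to one bullet above, so the returned list doubles as a label for the drop counter a packet would increment; a packet can fail several checks at once, which is why the function collects rather than returns on the first hit.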

Layer 4

Aggregate

Aggregate graphs showing all anomaly drops due to Layer 4:

  • Header
  • State

Header

Anomaly drops due to (IP and TCP Profile Strict Anomalies options):

  • TCP checksum errors
  • UDP checksum errors
  • ICMP Checksum errors
  • TCP Invalid Flag Combination – Invalid TCP flag combinations such as SYN-PSH-RST
  • (other) Anomaly Detected, including:
    • Other header anomalies, such as incomplete packet
    • Urgent flag set while the urgent pointer is zero (when URG is set the pointer must be non-zero)
    • SYN or FIN or RST is set for fragmented packets
    • Data offset is less than 5 for a TCP packet
    • End of packet is detected before the 20 bytes of TCP header
    • EOP before the offset indicated by the Data Offset field
    • Length field in Window scale option other than 3 in a TCP packet
    • Missing UDP payload
    • Missing ICMP payload
    • SYN with payload (TCP Profile option)
  • Invalid ICMPv4 Type/Code via Protocol 1 (ICMP Profile option) – Treats as anomalies the >64,000 possible ICMP Type/Code values that are not IETF/IANA ratified and in use.
  • Invalid ICMPv6 Type/Code via Protocol 58 (ICMP Profile option) – Treats as anomalies the >64,000 possible ICMPv6 Type/Code values that are not IETF/IANA ratified and in use.
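The Layer 4 header bullets for TCP (checksum, invalid flag combination, URG with a zero pointer, SYN/FIN/RST on a fragment, data offset below 5, truncated header, window-scale option length, SYN with payload) can likewise be expressed as a small validator. The code below is an added example, not Fortinet's implementation; the segment builder, the sample segments and the particular set of flag combinations treated as invalid (SYN with FIN or RST, RST with FIN, no flags at all) are assumptions chosen for the illustration, since the page only names SYN-PSH-RST as one instance.

```python
import struct
from typing import List, Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SRC = bytes([10, 0, 0, 1])        # constructed sample addresses
DST = bytes([192, 0, 2, 10])


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; 0 means the embedded checksum field verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, seg: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(seg))
    return ones_complement_sum(pseudo + seg)


def flag_combo_invalid(flags: int) -> bool:
    """Assumed rule set for the 'Invalid Flag Combination' check."""
    if flags & SYN and flags & (FIN | RST):
        return True
    if flags & RST and flags & FIN:
        return True
    return flags == 0             # "null" segment


def tcp_anomalies(src: bytes, dst: bytes, seg: bytes, fragmented: bool = False) -> List[str]:
    """Return the Layer 4 header anomalies this TCP segment triggers."""
    found = []
    if len(seg) < 20:
        return ["End of packet before 20 bytes of TCP header"]
    data_offset, flags = seg[12] >> 4, seg[13] & 0x3F
    urg_ptr = struct.unpack("!H", seg[18:20])[0]
    if data_offset < 5:
        return ["Data offset less than 5"]
    hdr_len = data_offset * 4
    if len(seg) < hdr_len:
        return ["EOP before the offset given by Data Offset"]
    if flag_combo_invalid(flags):
        found.append("Invalid TCP flag combination")
    if flags & URG and urg_ptr == 0:
        found.append("URG flag set with zero urgent pointer")
    if fragmented and flags & (SYN | FIN | RST):
        found.append("SYN/FIN/RST set on a fragmented packet")
    opts, i = seg[20:hdr_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:             # End of Option List
            break
        if kind == 1:             # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            found.append("Truncated TCP option")
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            found.append("Truncated TCP option")
            break
        if kind == 3 and length != 3:   # Window Scale must be exactly 3 bytes
            found.append("Window scale option length other than 3")
        i += length
    if flags & SYN and not flags & ACK and len(seg) > hdr_len:
        found.append("SYN with payload")
    if tcp_checksum(src, dst, seg) != 0:
        found.append("TCP checksum error")
    return found


def build_tcp(src: bytes, dst: bytes, flags: int, options: bytes = b"", payload: bytes = b"",
              urg_ptr: int = 0, data_offset: Optional[int] = None) -> bytes:
    """Construct a test TCP segment with a valid checksum (sample data, not captured traffic)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    if data_offset is None:
        data_offset = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, data_offset << 4, flags,
                      65535, 0, urg_ptr) + options
    csum = tcp_checksum(src, dst, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


if __name__ == "__main__":
    syn = build_tcp(SRC, DST, SYN, options=b"\x02\x04\x05\xb4\x01\x03\x03\x07")
    print("clean SYN:", tcp_anomalies(SRC, DST, syn))
    print("SYN-PSH-RST:", tcp_anomalies(SRC, DST, build_tcp(SRC, DST, SYN | PSH | RST)))
    print("SYN in fragment:", tcp_anomalies(SRC, DST, syn, fragmented=True))
```

The fragmentation flag is passed in by the caller because it lives in the IP header, not the TCP header; in a real pipeline the Layer 3 parser would supply it, which is also why the page groups these checks under the IP and TCP Profile options together.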

State

Anomaly drops due to (TCP Profile options):

  • Foreign Packets – Out-of-State TCP packets
  • Forward Transmission Not Within Window - Packets outside the receiver's window (TCP Profile Sequence Validation option)
  • Reverse Transmission Not Within Window - Packets outside the receiver's window (TCP Profile Sequence Validation option)
  • TCP State Transition - Packets that violate the TCP Protocol state transition rules or sequence numbers (TCP Profile State Transition Validation option)
  • Foreign Packets (Aggressive aging and Slow Connections) – Packets no longer in active sessions due to aggressive aging or slow connection blocking (TCP Profile option)

Layer 7

Aggregate

Aggregate of drops due to anomalies for:

  • HTTP
  • SSL/TLS
  • DNS
  • NTP

HTTP Header

HTTP Anomaly Drops (HTTP Profile options) for:

  • Known Method - Drops packets if the METHOD matches with any of the eight known OpCodes selected as not allowed in the HTTP Profile (GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT)
  • Unknown Method – Drops packets whose METHOD is outside the 8 known Methods (any Method that is not: GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT)
  • Invalid HTTP Version - packets with an invalid HTTP version
  • Range Present - packets with a header range request
  • Incomplete HTTP Request - HTTP requests that do not end in the correct end-of-packet information.

SSL

SSL/TLS Anomaly Drops (SSL/TLS Profile options) for:

  • SSL Renegotiation – packets dropped due to excessive numbers of renegotiation requests over time as configured in the SSL/TLS Profile
  • SSL Protocol errors
  • SSL Version errors
  • SSL Cipher suite errors
  • SSL Incomplete Request errors

DNS

DNS Anomaly Drops (DNS Profile Options) for:

  • Header
  • Query
  • Response
  • Buffer Overflow
  • Exploit
  • Info
  • Data

NTP

NTP Anomaly Drops (NTP Profile Options) for:

  • Header
  • Data Length
  • Stratum
  • Version
  • Control Header
  • State
  • Duplicate Queries before Response
  • Sequence Mismatch
  • Unsolicited Response
  • Mode Mismatch
