Use
the IDSAttackCondition statement for attack detection, reporting,
and prevention. There are several attack types. For each attack type,
the single highest priority rule is used.
The IDSAttackCondition
statement can specify values for LocalPortRange, RemotePortRange,
or both, or these values can be specified with references to global
definitions on the PortRange or PortGroup statements.
The IDSAttackCondition
statement can specify values for ProtocolRange, or this value can
be specified with a reference to global definitions on the IPProtocolRange
or IPProtocolGroup statements.
The IDSAttackCondition statement
can specify values for the RestrictedIpOptionRange parameter, or this
value can be specified with a reference to global definitions on the
IpOptionRange or IpOptionGroup statements.
The IDSAttackCondition
statement can specify values for the IPv6NextHdrRange parameter, or
this value can be specified with a reference to global definitions
on the IPv6NextHdrRange or IPv6NextHdrGroup statements.
The
IDSAttackCondition statement can specify values for the RestrictedIpv6OptionRange
parameter, or this value can be specified with a reference to global
definitions on the IpOptionRange or IpOptionGroup statements.
The
IDSAttackCondition statement can contain an inline definition of an
IDSExclusion, or this value can be specified with a reference to a
global definition of an IDSExclusion statement.
Syntax
>>-IDSAttackCondition--+------+--| Put Braces and Parameters on Separate Lines |-><
'-name-'
Put Braces and Parameters on Separate Lines
|--+-{---------------------------------+------------------------|
+-| IDSAttackCondition Parameters |-+
'-}---------------------------------'
IDSAttackCondition Parameters
|--AttackType--------------------------------------------------->
>--+-DATA_HIDING--| DataHidingCond |----------------------------+--|
+-EE_LDLC_CHECK--| IDSExclusionCond |------------------------+
+-EE_MALFORMED_PACKET--| IDSExclusionCond |------------------+
+-EE_PORT_CHECK--| IDSExclusionCond |------------------------+
+-EE_XID_FLOOD--| EEXIDFloodCond |---------------------------+
+-FLOOD--| FloodCond |---------------------------------------+
+-GLOBAL_TCP_STALL-------------------------------------------+
+-ICMP_REDIRECT----------------------------------------------+
+-IP_FRAGMENT------------------------------------------------+
+-MALFORMED_PACKET-------------------------------------------+
+-OUTBOUND_RAW--| IpProtocolCond |---------------------------+
+-OUTBOUND_RAW_IPV6--| IpProtocolCond |----------------------+
+-PERPETUAL_ECHO--| PerpetualEchoCond |----------------------+
+-RESTRICTED_IP_OPTIONS--| RestrictedIpOptionsCond |---------+
+-RESTRICTED_IP_PROTOCOL--| IpProtocolCond |-----------------+
+-RESTRICTED_IPV6_DST_OPTIONS--| RestrictedIPv6OptionsCond |-+
+-RESTRICTED_IPV6_HOP_OPTIONS--| RestrictedIPv6OptionsCond |-+
+-RESTRICTED_IPV6_NEXT_HDR--| RestrictedIPv6NextHdrCond |----+
'-TCP_QUEUE_SIZE--| TcpQueueSizeCond |-----------------------'
DataHidingCond
.-OptionPadChk Enable-------.
|--+---------------------------+-------------------------------->
'-OptionPadChk -+-Disable-+-'
'-Enable--'
.-IcmpEmbedPktChk Enable-------.
>--+------------------------------+-----------------------------|
'-IcmpEmbedPktChk -+-Disable-+-'
'-Enable--'
EEXIDFloodCond
.-EEXIDTimeout 100-.
|--+------------------+--+----------------------+---------------|
'-EEXIDTimeout n---' +-IDSExclusion --------+
'-IDSExclusionRef name-'
FloodCond
.-IfcFloodMinDiscard 1000-. .-IfcFloodPercentage 10-.
|--+-------------------------+--+-----------------------+-------|
'-IfcFloodMinDiscard n----' '-IfcFloodPercentage n--'
IDSExclusionCond
|--+----------------------+-------------------------------------|
+-IDSExclusion --------+
'-IDSExclusionRef name-'
IpProtocolCond
|--+-ProtocolRange--+-n---+-+-----------------------------------|
| '-n m-' |
+-ProtocolRangeRef name--+
'-ProtocolGroupRef name--'
PerpetualEchoCond
|--+-LocalPortRange--+-n---+-+--+-RemotePortRange--+-n---+-+----|
| '-n m-' | | '-n m-' |
+-LocalPortRangeRef name--+ +-RemotePortRangeRef name--+
'-LocalPortGroupRef name--' '-RemotePortGroupRef name--'
RestrictedIpOptionsCond
.-RestrictedIpOptionRange All------.
|--+----------------------------------+-------------------------|
+-RestrictedIpOptionRange--+-n---+-+
| +-n m-+ |
| '-All-' |
+-RestrictedIpOptionRangeRef name--+
'-RestrictedIpOptionGroupRef name--'
RestrictedIPv6OptionsCond
|--+-RestrictedIpv6OptionRange--+-n---+-+-----------------------|
| '-n m-' |
+-RestrictedIpv6OptionRangeRef name--+
'-RestrictedIpv6OptionGroupRef name--'
RestrictedIPv6NextHdrCond
|--+-IPv6NextHdrRange--+-n---+-+--------------------------------|
| '-n m-' |
+-IPv6NextHdrRangeRef name--+
'-IPv6NextHdrGroupRef name--'
TcpQueueSizeCond
.-TcpQueueSize SHORT-----------.
|--+------------------------------+--+----------------------+---|
'-TcpQueueSize -+-LONG-------+-' +-IDSExclusion --------+
+-VERY_LONG--+ '-IDSExclusionRef name-'
+-VERY_SHORT-+
'-SHORT------'
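The following Python script is an added example and is not part of this reference or of IBM's Policy Agent. It parses one statement in the brace syntax shown above and applies the range rules documented under Parameters below: the n and m bounds for each range keyword, the blank, colon or dash delimiter, the values the stack always allows, the default of All for RESTRICTED_IP_OPTIONS, and the 20-port limit for PERPETUAL_ECHO. The four statements it checks are constructed for the example; treating '#' as a comment marker and leaving the *Ref keywords unresolved are the example's own assumptions.

```python
"""Added example (not IBM code): parse one IDSAttackCondition statement in the
brace syntax shown above and apply the range rules given under Parameters below.
Treating '#' as a comment and leaving *Ref keywords unresolved are assumptions."""
import re

BOUNDS = {"ProtocolRange": (0, 255), "RestrictedIpOptionRange": (1, 255),
          "RestrictedIpv6OptionRange": (2, 255), "IPv6NextHdrRange": (0, 255),
          "LocalPortRange": (1, 65535), "RemotePortRange": (1, 65535)}  # no port 0
RANGE_FOR = {  # range keyword(s) each attack type's condition may carry
    "OUTBOUND_RAW": {"ProtocolRange"}, "OUTBOUND_RAW_IPV6": {"ProtocolRange"},
    "RESTRICTED_IP_PROTOCOL": {"ProtocolRange"},
    "RESTRICTED_IP_OPTIONS": {"RestrictedIpOptionRange"},
    "RESTRICTED_IPV6_DST_OPTIONS": {"RestrictedIpv6OptionRange"},
    "RESTRICTED_IPV6_HOP_OPTIONS": {"RestrictedIpv6OptionRange"},
    "RESTRICTED_IPV6_NEXT_HDR": {"IPv6NextHdrRange"},
    "PERPETUAL_ECHO": {"LocalPortRange", "RemotePortRange"}}
# Values the stack always allows: the IPv4 ones are ignored if listed (warn);
# the IPv6 next-header ones are documented as not restrictable (error).
ALWAYS_ALLOWED = {"RESTRICTED_IP_OPTIONS": ({0, 1}, "warn"),
                  "RESTRICTED_IP_PROTOCOL": ({1, 6, 17}, "warn"),
                  "RESTRICTED_IPV6_NEXT_HDR": ({6, 17, 58}, "error")}
STMT_RE = re.compile(r"\s*IDSAttackCondition\s*([^\s{}]+)?\s*\{(.*)\}\s*$", re.S)
RANGE_RE = re.compile(r"^(\d+)(?:\s*[\s:-]\s*(\d+))?$")   # n | n m | n:m | n-m


def parse_statement(text):
    """Return (name or None, [(keyword, value), ...]) for one statement."""
    m = STMT_RE.match(text)
    if not m:
        raise ValueError("not a well-formed IDSAttackCondition statement")
    params = []
    for line in m.group(2).splitlines():
        line = line.split("#", 1)[0].strip()       # assumption: '#' starts a comment
        if line:
            kw, _, val = line.partition(" ")
            params.append((kw, val.strip()))
    return m.group(1), params


def expand_range(param, value):
    """Turn 'n', 'n m', 'n:m' or 'n-m' into an inclusive (n, m) inside BOUNDS."""
    m = RANGE_RE.match(value)
    if not m:
        raise ValueError(f"{param}: bad range syntax {value!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    bot, top = BOUNDS[param]
    if not bot <= lo <= hi <= top:
        raise ValueError(f"{param}: need {bot} <= n <= m <= {top}, got {lo} {hi}")
    return lo, hi


def validate(text):
    """Return a dict describing the condition, or raise ValueError on a policy error."""
    name, params = parse_statement(text)
    if name is not None and not 1 <= len(name) <= 32:
        raise ValueError("name must be 1 - 32 characters")
    attack = next((v for k, v in params if k == "AttackType"), None)
    if attack is None:
        raise ValueError("AttackType is required")
    restricted, warnings = [], []
    ports = {"LocalPortRange": [], "RemotePortRange": []}
    for kw, val in params:
        if kw not in BOUNDS:                       # AttackType, *Ref, IDSExclusion, ...
            continue
        if kw not in RANGE_FOR.get(attack, set()):
            raise ValueError(f"{kw} is not valid with AttackType {attack}")
        if kw == "RestrictedIpOptionRange" and val.lower() == "all":
            lo, hi = 2, 255                        # All: options 2 - 255
        else:
            lo, hi = expand_range(kw, val)
        ports.get(kw, restricted).extend(range(lo, hi + 1))
    allowed, severity = ALWAYS_ALLOWED.get(attack, (set(), "warn"))
    clash = sorted(set(restricted) & allowed)
    if clash and severity == "error":
        raise ValueError(f"{attack}: {clash} cannot be restricted")
    if clash:
        warnings.append(f"{attack}: {clash} always allowed, ignored")
    restricted = sorted(set(restricted) - allowed)
    if attack == "RESTRICTED_IP_OPTIONS" and not restricted:
        restricted = list(range(2, 256))           # no ranges given means All
    for side, lst in ports.items():
        if len(lst) > 20:                          # PERPETUAL_ECHO uses the first 20 only
            warnings.append(f"{side}: only the first 20 of {len(lst)} ports are used")
            del lst[20:]
    return {"name": name, "attack": attack, "restricted": restricted,
            "local_ports": ports["LocalPortRange"],
            "remote_ports": ports["RemotePortRange"], "warnings": warnings}


SAMPLES = {  # constructed for this example
    "ip_options": "IDSAttackCondition ResIpOptCond\n{\n  AttackType RESTRICTED_IP_OPTIONS\n"
                  "  RestrictedIpOptionRange 1 7   # option 1 (NOP) is always allowed\n}\n",
    "next_hdr": "IDSAttackCondition ResNextHdrCond\n{\n  AttackType RESTRICTED_IPV6_NEXT_HDR\n"
                "  IPv6NextHdrRange 43:44   # routing and fragment headers\n}\n",
    "echo": "IDSAttackCondition PerpEchoCond\n{\n  AttackType PERPETUAL_ECHO\n"
            "  LocalPortRange 7-19   # echo through chargen\n  RemotePortRange 7\n}\n",
    "bad_next_hdr": "IDSAttackCondition\n{\n  AttackType RESTRICTED_IPV6_NEXT_HDR\n"
                    "  IPv6NextHdrRange 50 60   # spans 58 (ICMPv6), not restrictable\n}\n",
}
```

The statement whose IPv6NextHdrRange spans 58 is rejected, while the IPv4 option range that includes option 1 is accepted with a warning, matching the two different rules on this page (cannot be restricted versus ignored if present). Checking statements this way before the policy is installed catches range mistakes early; it does not replace Policy Agent's own parsing, and the *Ref forms still have to be checked against their global definitions.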
Parameters
- name
- A string 1 - 32 characters in length that specifies the name of
this IDSAttackCondition statement.
Rule: If this IDSAttackCondition
statement is not specified inline within another statement, name must
be provided.
If a name is not specified for an inline IDSAttackCondition
statement, a nonpersistent system name is created.
- AttackType
- Specifies the type of attack that this condition detects. The value must be one of the following:
- DATA_HIDING
- Indicates that the rule is for detecting hidden data. The DATA_HIDING
attack type applies to both IPv4 and IPv6 inbound packets.
Restriction: This
value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- EE_MALFORMED_PACKET
- Indicates that the rule is for EE malformed packets. The packets
can be discarded by TCP/IP or forwarded to VTAM®. The EE_MALFORMED_PACKET attack type applies
to both IPv4 and IPv6 malformed packets.
Restriction: This
value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- EE_PORT_CHECK
- Indicates that the rule checks the source port number for inbound
Enterprise Extender (EE) packets. The source port number must be the
same as the destination port number. The EE_PORT_CHECK attack type
applies to both IPv4 and IPv6 packets.
Restriction: This
value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- EE_LDLC_CHECK
- Indicates that the rule is for LDLC control commands received
on a port other than the signalling port. The EE_LDLC_CHECK attack
type applies to both IPv4 and IPv6 packets.
Restriction: This
value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- EE_XID_FLOOD
- Indicates that the rule is for an EE XID flood attack. The EE_XID_FLOOD
attack type applies to both IPv4 and IPv6.
Restriction: This
value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- FLOOD
- Indicates that the rule is for flooding attacks. For FLOOD attacks,
the packets are always discarded regardless of what ActionType is
configured on the IDSAction. The FLOOD attack type applies to both
IPv4 and IPv6.
- GLOBAL_TCP_STALL
- Indicates that the rule is to detect an attack that causes a large
number of TCP connections to be stalled and unable to send data. The
GLOBAL_TCP_STALL attack type applies to both IPv4 and IPv6 connections.
Results:
- A global TCP stall condition is detected for a TCP/IP stack when
at least 50% of the active TCP connections are stalled and at least
1000 TCP connections are active.
- When the condition is detected, the stalled TCP connections are
reset if the policy action specifies ResetConn.
- When the condition is detected, a syslogd message is generated
for each stalled connection if TypeActions Log LogDetail is specified.
Message EZZ8673I is generated if the stalled connection is reset.
Otherwise, message EZZ8674I is generated.
Restriction: This value is valid only for V1R13 and
later releases. See General syntax rules for Policy Agent for details.
- ICMP_REDIRECT
- Indicates that the rule is for ICMP redirect detection. This includes
both ICMP redirects and ICMPv6 redirects.
- IP_FRAGMENT
- Indicates that the rule is for detecting suspicious fragmented
packets (fragments that overlay and change data in the packet, including
changes to the length of the packet).
- MALFORMED_PACKET
- Indicates that the rule is for a number of specific malformed
packets that are detected on inbound traffic. For MALFORMED_PACKET
attacks, the packets are always discarded regardless of what ActionType
is configured on the IDSAction. The MALFORMED_PACKET attack type applies
to both IPv4 and IPv6 inbound packets.
- OUTBOUND_RAW
- Indicates that the rule is to enforce restrictions on the use
of IPv4 RAW sockets for outbound processing, which prevents this stack
from being used to attack other systems. A list of restricted IP
protocols is also specified in the rule's conditions.
Restriction: The
OUTBOUND_RAW attack type applies only to IPv4 packets. The OUTBOUND_RAW_IPV6
attack type provides analogous function for IPv6 packets.
- OUTBOUND_RAW_IPV6
- Indicates that the rule is to enforce restrictions on the use
of IPv6 RAW sockets for outbound processing, which prevents this stack
from being used to attack other systems. A list of restricted protocols
is also specified in the rule's conditions.
Rule: IPv6
policy is installed but is not enforceable in a stack that is not
IPv6 enabled.
Restrictions:
- The OUTBOUND_RAW_IPV6 attack type applies only to IPv6 packets.
The OUTBOUND_RAW attack type provides analogous function for IPv4
packets.
- This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- PERPETUAL_ECHO
- Indicates that the rule is to prevent perpetual echos over UDP
ports. A list of local UDP ports that always respond to an input
packet is also specified in the rule's conditions, and a separate
list of remote (network) UDP ports that always respond is specified.
The PERPETUAL_ECHO attack type applies to both IPv4 and IPv6 packets.
Rule: For PERPETUAL_ECHO attacks, only the first 20 ports
specified in the local list and in the remote list are used.
- RESTRICTED_IP_OPTIONS
- Indicates that the rule is to detect inbound IPv4 packets that
have IP options that are not allowed. A list of restricted IP options
is also specified in the rule's conditions.
For RESTRICTED_IP_OPTIONS
attacks, if no option ranges are specified, all options are restricted.
Option 0 (end of option list) and 1 (no-operation) are always allowed;
they are ignored if present in the list of restricted IP options.
Restriction: The
RESTRICTED_IP_OPTIONS attack type applies only to IPv4 packets. The
RESTRICTED_IPV6_NEXT_HDR, RESTRICTED_IPV6_DST_OPTIONS, and RESTRICTED_IPV6_HOP_OPTIONS
attack types provide analogous function for IPv6 packets.
- RESTRICTED_IP_PROTOCOL
- Indicates that the rule is to detect inbound IPv4 packets that
have IP protocols that are not allowed. A list of restricted IP protocols
is also specified in the rule's conditions.
For RESTRICTED_IP_PROTOCOL
attacks, protocols 1 (ICMP), 6 (TCP), and 17 (UDP) are always allowed;
they are ignored if present in the list of restricted IP protocols.
Restriction: The
RESTRICTED_IP_PROTOCOL attack type applies only to IPv4 packets.
The RESTRICTED_IPV6_NEXT_HDR attack type provides analogous function
for IPv6 packets.
- RESTRICTED_IPV6_DST_OPTIONS
- Indicates that the rule is to detect inbound IPv6 packets that
have an IPv6 destination options extension header with options that
are not allowed. A list of restricted IPv6 destination option values
is specified in the rule's conditions.
Rule: IPv6 policy
is installed but is not enforceable in a stack that is not IPv6 enabled.
Restrictions:
- The RESTRICTED_IPV6_DST_OPTIONS attack type applies only to IPv6
packets. The RESTRICTED_IP_OPTIONS attack type provides analogous
function for IPv4 packets.
- You cannot restrict options 0 (Pad1) or 1 (PadN).
- This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- RESTRICTED_IPV6_HOP_OPTIONS
- Indicates that the rule is to detect inbound IPv6 packets that
have an IPv6 hop-by-hop options extension header with options that
are not allowed. A list of restricted IPv6 hop-by-hop option values
is specified in the rule's conditions.
Rule: IPv6 policy
is installed but is not enforceable in a stack that is not IPv6 enabled.
Restrictions:
- The RESTRICTED_IPV6_HOP_OPTIONS attack type applies only to IPv6
packets. The RESTRICTED_IP_OPTIONS attack type provides analogous
function for IPv4 packets.
- You cannot restrict options 0 (Pad1) or 1 (PadN).
- This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- RESTRICTED_IPV6_NEXT_HDR
- Indicates that the rule is to detect inbound IPv6 packets that
have a next header value that is not allowed. A list of restricted
IPv6 next header values is specified in the rule's conditions. The
IPv6 packet header and any subsequent extension headers include a
next header field that will be checked. The value in the next header
field identifies the next header in the packet, either an upper layer
protocol header (such as a TCP or UDP header) or an extension header
(such as a fragmentation or routing header).
Rule: IPv6
policy is installed but is not enforceable in a stack that is not
IPv6 enabled.
Restrictions:
- The RESTRICTED_IPV6_NEXT_HDR attack type applies only to IPv6
packets. The RESTRICTED_IP_OPTIONS and RESTRICTED_IP_PROTOCOL attack
types provide analogous function for IPv4 packets.
- You cannot restrict next header values 6 (TCP), 17 (UDP), or 58
(ICMPv6).
- This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- TCP_QUEUE_SIZE
- Indicates that the rule is to detect TCP send, receive, and out-of-order
queues that are constrained. A queue can be constrained due to the
amount of data on the queue or the age of the data on the queue. A
queue size is specified in the rule's conditions. An exclusion list
can optionally be specified in the rule's conditions. The TCP_QUEUE_SIZE
attack type applies to both IPv4 and IPv6 connections.
Restriction: This
value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- OptionPadChk
- Indicates whether checking for non-zero IP option pad fields in
inbound packets should be enabled or disabled. The default is Enable.
For IPv4 packets, the options field is in the IP header and can contain
zero filled padding for alignment purposes. For IPv6 packets, a hop-by-hop
options extension header or a destination options extension header
can include one or more zero filled padding options for alignment
purposes.
Restriction: This parameter is valid only for
V1R13 and later releases. See General syntax rules for Policy Agent for details.
- IcmpEmbedPktChk
- Indicates whether checking of embedded packets within an inbound
ICMP or ICMPv6 error message should be enabled or disabled. The default
is Enable.
Restriction: This parameter is valid only for
V1R13 and later releases. See General syntax rules for Policy Agent for details.
- EEXIDTimeout
- Indicates the number of XID exchange timeouts that must occur
within a 1-minute period in order to be detected as an EE XID flood
attack. Valid values are in the range 1 - 2000000000. The default
value is 100.
Restriction: This
parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- IfcFloodMinDiscard
- Indicates the minimum number of discarded packets that must occur
on an interface within a 1-minute period in order to be recognized
as an interface flood attack. Valid values are in the range 100 -
4294967295. The default value is 1000.
- IfcFloodPercentage
- Indicates the percentage of discarded packets for an interface
above which an interface flood attack is recognized. Valid values
are in the range 5 - 100. The default value is 10.
- ProtocolRange
- Indicates the restricted protocols for this IDS attack rule.
- n m
- Integers that specify a protocol range. Valid values for n are
in the range 0 - 255. If an m value is
specified, then it must be greater than or equal to n and
less than 256.
Rule: You must include a blank, a colon
(:), or a dash (-) as a delimiter.
- ProtocolRangeRef
- The name of a globally defined IpProtocolRange statement.
- ProtocolGroupRef
- The name of a globally defined IpProtocolGroup statement.
- RestrictedIpOptionRange
- Indicates the restricted IPv4 options for this IDS attack rule.
- All
- IP options 2 through 255 are restricted. Option 0 (end of option
list) and 1 (no-operation) are always allowed and cannot be restricted
by policy. This is the default value.
- n m
- Integers that specify a restricted IP option range. Valid values
for n are in the range 1 - 255. If an m value
is specified, then it must be greater than or equal to n
and less than 256. Option 1 (no-operation) is accepted in a range
but is never restricted; it is ignored if the range includes it.
Rule: You must include a blank, a colon
(:), or a dash (-) as a delimiter.
- RestrictedIpOptionRangeRef
- The name of a globally defined IpOptionRange statement.
- RestrictedIpOptionGroupRef
- The name of a globally defined IpOptionGroup statement.
- RestrictedIpv6OptionRange
- Indicates the restricted IPv6 options for this IDS attack rule.
- n m
- Integers that specify a restricted option range. Valid values
for n are in the range 2 - 255. If an m value
is specified, then it must be greater than or equal to n
and less than 256.
Rule: You must include a blank, a colon
(:), or a dash (-) as a delimiter.
Restriction: This parameter is valid only
for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- RestrictedIpv6OptionRangeRef
- The name of a globally defined IpOptionRange statement.
Restriction: This
parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- RestrictedIpv6OptionGroupRef
- The name of a globally defined IpOptionGroup statement.
Restriction: This
parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- IPv6NextHdrRange
- Indicates the restricted IPv6 next header values for this IDS
attack rule. The value in the next header field of an IPv6 header
or extension header identifies the next header in the packet, either
an upper layer protocol (such as TCP or UDP) or an extension header
(such as fragmentation or routing).
- n m
- Integers that specify a restricted IPv6 next header value range.
Valid values for n are in the range 0 -
255. If an m value is specified, then it
must be greater than or equal to n and
less than 256.
Rule: You must include a blank, a colon (:),
or a dash (-) as a delimiter.
Restrictions:
- You cannot restrict next header values 6 (TCP), 17 (UDP), or 58
(ICMPv6). They are always allowed.
- This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- IPv6NextHdrRangeRef
- The name of a globally defined IPv6NextHdrRange statement.
Restriction: This
parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- IPv6NextHdrGroupRef
- The name of a globally defined IPv6NextHdrGroup statement.
Restriction: This
parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- LocalPortRange
- A local port (n) or an inclusive range of local ports (n m) for
this IDS attack rule. Valid values for n are in the range 1 - 65535.
If an m value is specified, then it must be greater than or equal to
n and less than 65536.
Rule: You must include a blank, a colon
(:), or a dash (-) as a delimiter.
Restriction: A LocalPortRange
or RemotePortRange of 0 is not allowed.
- LocalPortRangeRef
- The name of a globally defined PortRange statement to be used
for the local port specification.
- LocalPortGroupRef
- The name of a globally defined PortGroup statement to be used
for the local port specification.
- RemotePortRange
- A remote port (n) or an inclusive range of remote ports (n m) for
this IDS attack rule. Valid values for n are in the range 1 - 65535.
If an m value is specified, then it must be greater than or equal to
n and less than 65536.
Rule: You must include a blank, a colon
(:), or a dash (-) as a delimiter.
Restriction: A LocalPortRange
or RemotePortRange of 0 is not allowed.
- RemotePortRangeRef
- The name of a globally defined PortRange statement to be used
for the remote port specification.
- RemotePortGroupRef
- The name of a globally defined PortGroup statement to be used
for the remote port specification.
- TcpQueueSize
- Indicates the amount of data that must remain on a TCP send, receive,
or out-of-order queue for at least thirty seconds before the queue
will become constrained. Note that a queue will also become constrained
if any amount of data remains on the queue for at least sixty seconds.
This parameter is used to select one of a number of abstract queue
sizes that map to internally defined limits. For details about queue
sizes, see the Attack policies information in z/OS Communications Server: IP Configuration
Guide.
- VERY_SHORT
- SHORT (this is the default)
- LONG
- VERY_LONG
Restriction: This parameter is valid only for V1R13
and later releases. See General syntax rules for Policy Agent for details.
- IDSExclusion
- An inline specification of an IDSExclusion statement.
Restriction: This
parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
- IDSExclusionRef
- The name of a globally defined IDSExclusion statement.
Restriction: This
parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
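As an added example, and not z/OS Communications Server code, the following Python walks an IPv6 header chain the way the RESTRICTED_IPV6_NEXT_HDR, RESTRICTED_IPV6_HOP_OPTIONS, RESTRICTED_IPV6_DST_OPTIONS and DATA_HIDING (OptionPadChk) descriptions above say the stack inspects it: the next header field of the IPv6 header and of every extension header is checked, values 6, 17 and 58 are never flagged, Pad1 (0) and PadN (1) cannot be restricted as options, and non-zero bytes inside a PadN option are reported as hidden data. The packet is constructed inside the block (hop-by-hop, fragment and destination options headers in front of a UDP echo datagram), and the check functions model the rules as documented on this page, not the stack's implementation.

```python
"""Added example (not z/OS code): inspect an IPv6 header chain the way the
RESTRICTED_IPV6_NEXT_HDR, RESTRICTED_IPV6_*_OPTIONS and DATA_HIDING rules
above describe. The packet is constructed; only the documented checks are modeled."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
NEVER_RESTRICTED = {6, 17, 58}            # TCP, UDP, ICMPv6 are always allowed
OPTION_HDRS = {HOP_BY_HOP: "HOP", DEST_OPTS: "DST"}


def parse_options(kind, data):
    """Split the option area of a hop-by-hop/destination header into
    (kind, type, value) tuples. Pad1 (type 0) has no length byte."""
    out, i = [], 0
    while i < len(data):
        if data[i] == 0:
            out.append((kind, 0, b""))
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option")
        out.append((kind, data[i], bytes(data[i + 2:i + 2 + data[i + 1]])))
        i += 2 + data[i + 1]
    return out


def walk_ipv6(pkt):
    """Return (every next-header value in the chain, all hop/dst options seen)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, options = pkt[6], 40, [pkt[6]], []
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment is a fixed 8 bytes; the others carry (hdr ext len + 1) * 8 bytes.
        hdr_len = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        if nh in OPTION_HDRS:
            options += parse_options(OPTION_HDRS[nh], pkt[off + 2:off + hdr_len])
        nh, off = pkt[off], off + hdr_len   # next header is the first byte of each ext header
        chain.append(nh)
    return chain, options


def check_policy(pkt, restricted_nh=(), restricted_hop=(), restricted_dst=(),
                 pad_check=True):
    """Return the policy findings for one packet; an empty list means clean."""
    chain, options = walk_ipv6(pkt)
    findings = []
    for v in sorted(set(chain) & (set(restricted_nh) - NEVER_RESTRICTED)):
        findings.append(f"RESTRICTED_IPV6_NEXT_HDR: next header {v}")
    # Pad1 (0) and PadN (1) cannot be restricted as options.
    restricted = {"HOP": set(restricted_hop) - {0, 1}, "DST": set(restricted_dst) - {0, 1}}
    for kind, typ, value in options:
        if typ in restricted[kind]:
            findings.append(f"RESTRICTED_IPV6_{kind}_OPTIONS: option {typ}")
        if pad_check and typ == 1 and any(value):   # PadN must be zero filled
            findings.append(f"DATA_HIDING: non-zero PadN in {kind} options: {value.hex()}")
    return findings


def build_packet(pad=b"\x00" * 4):
    """IPv6 / Hop-by-Hop (Router Alert + PadN) / Fragment / Destination options
    (one PadN whose 4 bytes are `pad`) / UDP echo. Constructed test input."""
    udp = struct.pack("!HHHH", 7, 7, 8, 0)                      # src 7, dst 7, len 8
    dopt = bytes([17, 0, 1, 4]) + pad                           # next=UDP, PadN(4)
    frag = struct.pack("!BBHI", DEST_OPTS, 0, 0, 0x1234)        # next=DST, offset 0
    hbh = bytes([FRAGMENT, 0, 5, 2, 0, 0, 1, 0])                # next=FRAG, RA, PadN(0)
    payload = hbh + frag + dopt + udp
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), HOP_BY_HOP, 64)
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"       # 2001:db8::1
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"       # 2001:db8::2
    return hdr + src + dst + payload


if __name__ == "__main__":
    print(check_policy(build_packet(b"pass"), restricted_nh={43, 44}, restricted_hop={5}))
```

Restricting 17 (UDP) in restricted_nh has no effect, exactly as the page states for IPv6NextHdrRange, while 44 (fragment header) is flagged even though it sits behind a hop-by-hop header, because every next header field in the chain is examined. The DATA_HIDING finding depends only on the padding bytes: the same packet with zero-filled PadN is clean, and disabling pad_check (OptionPadChk Disable) suppresses the finding.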