IDSAttackCondition statement

Use the IDSAttackCondition statement for attack detection, reporting, and prevention. There are several attack types. For each attack type, the single highest priority rule is used.

The IDSAttackCondition statement can specify values for LocalPortRange, RemotePortRange, or both, or these values can be specified with references to global definitions on the PortRange or PortGroup statements.

The IDSAttackCondition statement can specify values for ProtocolRange, or this value can be specified with a reference to global definitions on the IPProtocolRange or IPProtocolGroup statements.

The IDSAttackCondition statement can specify values for the RestrictedIpOptionRange parameter, or this value can be specified with a reference to global definitions on the IpOptionRange or IpOptionGroup statements.

The IDSAttackCondition statement can specify values for the IPv6NextHdrRange parameter, or this value can be specified with a reference to global definitions on the IPv6NextHdrRange or IPv6NextHdrGroup statements.

The IDSAttackCondition statement can specify values for the RestrictedIpv6OptionRange parameter, or this value can be specified with a reference to global definitions on the IpOptionRange or IpOptionGroup statements.

The IDSAttackCondition statement can contain an inline definition of an IDSExclusion, or this value can be specified with a reference to a global definition of an IDSExclusion statement.

Syntax

>>-IDSAttackCondition--+------+--| Put Braces and Parameters on Separate Lines |-><
                       '-name-'                                                    

Put Braces and Parameters on Separate Lines

|--+-{---------------------------------+------------------------|
   +-| IDSAttackCondition Parameters |-+   
   '-}---------------------------------'   

IDSAttackCondition Parameters

|--AttackType--------------------------------------------------->

>--+-DATA_HIDING--| DataHidingCond |----------------------------+--|
   +-EE_LDLC_CHECK--| IDSExclusionCond |------------------------+   
   +-EE_MALFORMED_PACKET--| IDSExclusionCond |------------------+   
   +-EE_PORT_CHECK--| IDSExclusionCond |------------------------+   
   +-EE_XID_FLOOD--| EEXIDFloodCond |---------------------------+   
   +-FLOOD--| FloodCond |---------------------------------------+   
   +-GLOBAL_TCP_STALL-------------------------------------------+   
   +-ICMP_REDIRECT----------------------------------------------+   
   +-IP_FRAGMENT------------------------------------------------+   
   +-MALFORMED_PACKET-------------------------------------------+   
   +-OUTBOUND_RAW--| IpProtocolCond |---------------------------+   
   +-OUTBOUND_RAW_IPv6--| IpProtocolCond |----------------------+   
   +-PERPETUAL_ECHO--| PerpetualEchoCond |----------------------+   
   +-RESTRICTED_IP_OPTIONS--| RestrictedIpOptionsCond |---------+   
   +-RESTRICTED_IP_PROTOCOL--| IpProtocolCond |-----------------+   
   +-RESTRICTED_IPV6_DST_OPTIONS--| RestrictedIPv6OptionsCond |-+   
   +-RESTRICTED_IPV6_HOP_OPTIONS--| RestrictedIPv6OptionsCond |-+   
   +-RESTRICTED_IPV6_NEXT_HDR--| RestrictedIPv6NextHdrCond |----+   
   '-TCP_QUEUE_SIZE--| TcpQueueSizeCond |-----------------------'   

DataHidingCond

   .-OptionPadChk Enable-------.   
|--+---------------------------+-------------------------------->
   '-OptionPadChk -+-Disable-+-'   
                   '-Enable--'     

   .-IcmpEmbedPktChk Enable-------.   
>--+------------------------------+-----------------------------|
   '-IcmpEmbedPktChk -+-Disable-+-'   
                      '-Enable--'     

EEXIDFloodCond

   .-EEXIDTimeout 100-.                             
|--+------------------+--+----------------------+---------------|
   '-EEXIDTimeout n---'  +-IDSExclusion --------+   
                         '-IDSExclusionRef name-'   

FloodCond

   .-IfcFloodMinDiscard 1000-.  .-IfcFloodPercentage 10-.   
|--+-------------------------+--+-----------------------+-------|
   '-IfcFloodMinDiscard n----'  '-IfcFloodPercentage n--'   

IDSExclusionCond

|--+----------------------+-------------------------------------|
   +-IDSExclusion --------+   
   '-IDSExclusionRef name-'   

IpProtocolCond

|--+-ProtocolRange--+-n---+-+-----------------------------------|
   |                '-n m-' |   
   +-ProtocolRangeRef name--+   
   '-ProtocolGroupRef name--'   

PerpetualEchoCond

|--+-LocalPortRange--+-n---+-+--+-RemotePortRange--+-n---+-+----|
   |                 '-n m-' |  |                  '-n m-' |   
   +-LocalPortRangeRef name--+  +-RemotePortRangeRef name--+   
   '-LocalPortGroupRef name--'  '-RemotePortGroupRef name--'   

RestrictedIpOptionsCond

   .-RestrictedIpOptionRange All------.   
|--+----------------------------------+-------------------------|
   +-RestrictedIpOptionRange--+-n---+-+   
   |                          +-n m-+ |   
   |                          '-All-' |   
   +-RestrictedIpOptionRangeRef name--+   
   '-RestrictedIpOptionGroupRef name--'   

RestrictedIPv6OptionsCond

|--+-RestrictedIpv6OptionRange--+-n---+-+-----------------------|
   |                            '-n m-' |   
   +-RestrictedIpv6OptionRangeRef name--+   
   '-RestrictedIpv6OptionGroupRef name--'   

RestrictedIPv6NextHdrCond

|--+-IPv6NextHdrRange--+-n---+-+--------------------------------|
   |                   '-n m-' |   
   +-IPv6NextHdrRangeRef name--+   
   '-IPv6NextHdrGroupRef name--'   

TcpQueueSizeCond

   .-TcpQueueSize SHORT-----------.                             
|--+------------------------------+--+----------------------+---|
   '-TcpQueueSize -+-LONG-------+-'  +-IDSExclusion --------+   
                   +-VERY_LONG--+    '-IDSExclusionRef name-'   
                   +-VERY_SHORT-+                               
                   '-SHORT------'                               

Parameters

name
A string 1 - 32 characters in length that specifies the name of this IDSAttackCondition statement.

Rule: If this IDSAttackCondition statement is not specified inline within another statement, name must be provided.

If a name is not specified for an inline IDSAttackCondition statement, a nonpersistent system name is created.
AttackType
DATA_HIDING
Indicates that the rule is for detecting hidden data. The DATA_HIDING attack type applies to both IPv4 and IPv6 inbound packets.

Restriction: This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

EE_MALFORMED_PACKET
Indicates that the rule is for EE malformed packets. The packets can be discarded by TCP/IP or forwarded to VTAM®. The EE_MALFORMED_PACKET attack type applies to both IPv4 and IPv6 malformed packets.

Restriction: This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

EE_PORT_CHECK
Indicates that the rule checks the source port number for inbound Enterprise Extender (EE) packets. The source port number must be the same as the destination port number. The EE_PORT_CHECK attack type applies to both IPv4 and IPv6 packets.

Restriction: This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

EE_LDLC_CHECK
Indicates that the rule is for LDLC control commands received on a port other than the signalling port. The EE_LDLC_CHECK attack type applies to both IPv4 and IPv6 packets.

Restriction: This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

EE_XID_FLOOD
Indicates that the rule is for an EE XID flood attack. The EE_XID_FLOOD attack type applies to both IPv4 and IPv6.

Restriction: This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

FLOOD
Indicates that the rule is for flooding attacks. For FLOOD attacks, the packets are always discarded regardless of what ActionType is configured on the IDSAction. The FLOOD attack type applies to both IPv4 and IPv6.
GLOBAL_TCP_STALL
Indicates that the rule is to detect an attack that causes a large number of TCP connections to be stalled and unable to send data. The GLOBAL_TCP_STALL attack type applies to both IPv4 and IPv6 connections.
Results:
  • A global TCP stall condition is detected for a TCP/IP stack when at least 50% of the active TCP connections are stalled and at least 1000 TCP connections are active.
  • When the condition is detected, the stalled TCP connections are reset if the policy action specifies resetconn.
  • When the condition is detected, a syslogd message is generated for each stalled connection if TypeActions Log LogDetail is specified. Message EZZ8673I is generated if the stalled connection is reset. Otherwise, message EZZ8674I is generated.
Restriction: This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
ICMP_REDIRECT
Indicates that the rule is for ICMP redirect detection. This includes both ICMP redirects and ICMPv6 redirects.
IP_FRAGMENT
Indicates that the rule is for detecting suspicious fragmented packets (fragments that overlay and change data in the packet, including changes to the length of the packet).
MALFORMED_PACKET
Indicates that the rule is for a number of specific malformed packets that are detected on inbound traffic. For MALFORMED_PACKET attacks, the packets are always discarded regardless of what ActionType is configured on the IDSAction. The MALFORMED_PACKET attack type applies to both IPv4 and IPv6 inbound packets.
OUTBOUND_RAW
Indicates that the rule is to enforce restrictions on the use of IPv4 RAW sockets for outbound processing, which prevents this stack from being used to attack other systems. A list of restricted IP protocols is also specified in the rule's conditions.

Restriction: The OUTBOUND_RAW attack type applies only to IPv4 packets. The OUTBOUND_RAW_IPV6 attack type provides analogous function for IPv6 packets.

OUTBOUND_RAW_IPV6
Indicates that the rule is to enforce restrictions on the use of IPv6 RAW sockets for outbound processing, which prevents this stack from being used to attack other systems. A list of restricted protocols is also specified in the rule's conditions.

Rule: IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.

Restrictions:
  • The OUTBOUND_RAW_IPV6 attack type applies only to IPv6 packets. The OUTBOUND_RAW attack type provides analogous function for IPv4 packets.
  • This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
PERPETUAL_ECHO
Indicates that the rule is to prevent perpetual echoes over UDP ports. A list of local UDP ports that always respond to an input packet is also specified in the rule's conditions, and a separate list of remote (network) UDP ports that always respond is specified. The PERPETUAL_ECHO attack type applies to both IPv4 and IPv6 packets.

Rule: For PERPETUAL_ECHO attacks, only the first 20 ports specified in the local list and in the remote list are used.

RESTRICTED_IP_OPTIONS
Indicates that the rule is to detect inbound IPv4 packets that have IP options that are not allowed. A list of restricted IP options is also specified in the rule's conditions.

For RESTRICTED_IP_OPTIONS attacks, if no option ranges are specified, all options are restricted. Option 0 (end of option list) and 1 (no-operation) are always allowed; they are ignored if present in the list of restricted IP options.

Restriction: The RESTRICTED_IP_OPTIONS attack type applies only to IPv4 packets. The RESTRICTED_IPV6_NEXT_HDR, RESTRICTED_IPV6_DST_OPTIONS, and RESTRICTED_IPV6_HOP_OPTIONS attack types provide analogous function for IPv6 packets.

RESTRICTED_IP_PROTOCOL
Indicates that the rule is to detect inbound IPv4 packets that have IP protocols that are not allowed. A list of restricted IP protocols is also specified in the rule's conditions.

For RESTRICTED_IP_PROTOCOL attacks, protocols 1 (ICMP), 6 (TCP), and 17 (UDP) are ignored if present in the list of restricted IP protocols.

Restriction: The RESTRICTED_IP_PROTOCOL attack type applies only to IPv4 packets. The RESTRICTED_IPV6_NEXT_HDR attack type provides analogous function for IPv6 packets.

RESTRICTED_IPV6_DST_OPTIONS
Indicates that the rule is to detect inbound IPv6 packets that have an IPv6 destination options extension header with options that are not allowed. A list of restricted IPv6 destination option values is specified in the rule's conditions.

Rule: IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.

Restrictions:
  • The RESTRICTED_IPV6_DST_OPTIONS attack type applies only to IPv6 packets. The RESTRICTED_IP_OPTIONS attack type provides analogous function for IPv4 packets.
  • You cannot restrict options 0 (Pad1) or 1 (PadN).
  • This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
RESTRICTED_IPV6_HOP_OPTIONS
Indicates that the rule is to detect inbound IPv6 packets that have an IPv6 hop-by-hop options extension header with options that are not allowed. A list of restricted IPv6 hop-by-hop option values is specified in the rule's conditions.

Rule: IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.

Restrictions:
  • The RESTRICTED_IPV6_HOP_OPTIONS attack type applies only to IPv6 packets. The RESTRICTED_IP_OPTIONS attack type provides analogous function for IPv4 packets.
  • You cannot restrict options 0 (Pad1) or 1 (PadN).
  • This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
RESTRICTED_IPV6_NEXT_HDR
Indicates that the rule is to detect inbound IPv6 packets that have a next header value that is not allowed. A list of restricted IPv6 next header values is specified in the rule's conditions. The IPv6 packet header and any subsequent extension headers include a next header field that will be checked. The value in the next header field identifies the next header in the packet, either an upper layer protocol header (such as a TCP or UDP header) or an extension header (such as a fragmentation or routing header).

Rule: IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.

Restrictions:
  • The RESTRICTED_IPV6_NEXT_HDR attack type applies only to IPv6 packets. The RESTRICTED_IP_OPTIONS and RESTRICTED_IP_PROTOCOL attack types provide analogous function for IPv4 packets.
  • You cannot restrict next header values 6 (TCP), 17 (UDP), or 58 (ICMPv6).
  • This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
TCP_QUEUE_SIZE
Indicates that the rule is to detect TCP send, receive, and out-of-order queues that are constrained. A queue can be constrained due to the amount of data on the queue or the age of the data on the queue. A queue size is specified in the rule's conditions. An exclusion list can optionally be specified in the rule's conditions. The TCP_QUEUE_SIZE attack type applies to both IPv4 and IPv6 connections.

Restriction: This value is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

OptionPadChk
Indicates whether checking for non-zero IP option pad fields in inbound packets should be enabled or disabled. The default is Enable. For IPv4 packets, the options field is in the IP header and can contain zero filled padding for alignment purposes. For IPv6 packets, a hop-by-hop options extension header or a destination options extension header can include one or more zero filled padding options for alignment purposes.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

IcmpEmbedPktChk
Indicates whether checking of embedded packets within an inbound ICMP or ICMPv6 error message should be enabled or disabled. The default is Enable.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

EEXIDTimeout
Indicates the number of XID exchange timeouts that must occur within a 1-minute period in order to be detected as an EE XID flood attack. Valid values are in the range 1 - 2 000 000 000. The default value is 100.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

IfcFloodMinDiscard
Indicates the minimum number of discarded packets that must occur on an interface within a 1-minute period in order to be recognized as an interface flood attack. Valid values are in the range 100 - 4294967295. The default value is 1000.
IfcFloodPercentage
Indicates the percentage of discarded packets for an interface above which an interface flood attack is recognized. Valid values are in the range 5 - 100. The default value is 10.
ProtocolRange
Indicates the restricted protocols for this IDS attack rule.
n m
Integers that specify a protocol range. Valid values for n are in the range 0 - 255. If an m value is specified, then it must be greater than or equal to n and less than 256.

Rule: You must include a blank, a colon (:), or a dash (-) as a delimiter.

ProtocolRangeRef
The name of a globally defined IpProtocolRange statement.
ProtocolGroupRef
The name of a globally defined IpProtocolGroup statement.
RestrictedIpOptionRange
Indicates the restricted IPv4 options for this IDS attack rule.
All
IP options 2 through 255 are restricted. Option 0 (end of option list) and 1 (no-operation) are always allowed and cannot be restricted by policy. This is the default value.
n m
Integers that specify a restricted IP option range. Valid values for n are in the range 1 - 255. If an m value is specified, then it must be greater than or equal to n and less than 256.

Rule: You must include a blank, a colon (:), or a dash (-) as a delimiter.

RestrictedIpOptionRangeRef
The name of a globally defined IpOptionRange statement.
RestrictedIpOptionGroupRef
The name of a globally defined IpOptionGroup statement.
RestrictedIpv6OptionRange
Indicates the restricted IPv6 options for this IDS attack rule.
n m
Integers that specify a restricted option range. Valid values for n are in the range 2 - 255. If an m value is specified, then it must be greater than or equal to n and less than 256.

Rule: You must include a blank, a colon (:), or a dash (-) as a delimiter.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

RestrictedIpv6OptionRangeRef
The name of a globally defined IpOptionRange statement.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

RestrictedIpv6OptionGroupRef
The name of a globally defined IpOptionGroup statement.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

IPv6NextHdrRange
Indicates the restricted IPv6 next header values for this IDS attack rule. The value in the next header field of an IPv6 header or extension header identifies the next header in the packet, either an upper layer protocol (such as TCP or UDP) or an extension header (such as fragmentation or routing).
n m
Integers that specify a restricted IPv6 next header value range. Valid values for n are in the range 0 - 255. If an m value is specified, then it must be greater than or equal to n and less than 256.

Rule: You must include a blank, a colon (:), or a dash (-) as a delimiter.

Restrictions:
  • You cannot restrict next header values 6 (TCP), 17 (UDP), or 58 (ICMPv6). They are always allowed.
  • This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
IPv6NextHdrRangeRef
The name of a globally defined IPv6NextHdrRange statement.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

IPv6NextHdrGroupRef
The name of a globally defined IPv6NextHdrGroup statement.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

LocalPortRange
A list of local ports for this IDS attack rule. Valid values for n are in the range 1 - 65535. If an m value is specified, then it must be greater than or equal to n and less than 65536.

Rule: You must include a blank, a colon (:), or a dash (-) as a delimiter.

Restriction: A LocalPortRange or RemotePortRange of 0 is not allowed.

LocalPortRangeRef
The name of a globally defined PortRange statement to be used for the local port specification.
LocalPortGroupRef
The name of a globally defined PortGroup statement to be used for the local port specification.
RemotePortRange
A list of remote ports for this IDS attack rule. Valid values for n are in the range 1 - 65535. If an m value is specified, then it must be greater than or equal to n and less than 65536.

Rule: You must include a blank, a colon (:), or a dash (-) as a delimiter.

Restriction: A LocalPortRange or RemotePortRange of 0 is not allowed.

RemotePortRangeRef
The name of a globally defined PortRange statement to be used for the remote port specification.
RemotePortGroupRef
The name of a globally defined PortGroup statement to be used for the remote port specification.
TcpQueueSize
Indicates the amount of data that must remain on a TCP send, receive, or out-of-order queue for at least thirty seconds before the queue will become constrained. Note that a queue will also become constrained if any amount of data remains on the queue for at least sixty seconds. This parameter is used to select one of a number of abstract queue sizes that map to internally defined limits. For details about queue sizes, see the Attack policies information in z/OS Communications Server: IP Configuration Guide.
  • VERY_SHORT
  • SHORT (this is the default)
  • LONG
  • VERY_LONG

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

IDSExclusion
An inline specification of an IDSExclusion statement.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.

IDSExclusionRef
The name of a globally defined IDSExclusion statement.

Restriction: This parameter is valid only for V1R13 and later releases. See General syntax rules for Policy Agent for details.
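The following is an added example, not part of this reference and not code from z/OS Communications Server: a small Python linter that parses a constructed IDSAttackCondition stanza and checks it against the range rules above (no port 0, the always-allowed option, protocol and next-header values, the 20-port limit for PERPETUAL_ECHO, the 1-32 character name). It assumes the brace layout shown in the syntax diagram and that `#` begins a comment; an inline IDSExclusion block is not handled.

```python
import re

# Attack types whose condition carries a numeric range (from the syntax diagram):
# (range keyword suffix, lowest valid n, exclusive upper bound, values the stack always allows)
RANGE_RULES = {
    "RESTRICTED_IP_OPTIONS":       ("RestrictedIpOptionRange",   1, 256, {0, 1}),
    "RESTRICTED_IPV6_DST_OPTIONS": ("RestrictedIpv6OptionRange", 2, 256, {0, 1}),
    "RESTRICTED_IPV6_HOP_OPTIONS": ("RestrictedIpv6OptionRange", 2, 256, {0, 1}),
    "RESTRICTED_IP_PROTOCOL":      ("ProtocolRange",             0, 256, {1, 6, 17}),  # OUTBOUND_RAW* omitted
    "RESTRICTED_IPV6_NEXT_HDR":    ("IPv6NextHdrRange",          0, 256, {6, 17, 58}),
    "PERPETUAL_ECHO":              ("PortRange",                 1, 65536, set()),  # Local/Remote
}
STANZA = re.compile(r"IDSAttackCondition\s+(?:(?P<name>[^\s{]+)\s*)?\{(?P<body>[^}]*)\}")

def parse_stanza(text):
    """Return (name or None, [(keyword, value), ...]) for the first stanza (no nested IDSExclusion)."""
    m = STANZA.search(text)
    if not m:
        raise ValueError("no IDSAttackCondition stanza found")
    params = []
    for line in m.group("body").splitlines():
        line = line.split("#", 1)[0].strip()            # '#' starts a comment (assumption)
        if line:
            parts = re.split(r"\s+", line, maxsplit=1)
            params.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return m.group("name"), params

def parse_range(value):
    """'n', 'n m', 'n:m' or 'n-m' -> (n, m); 'All' means IP options 2 through 255."""
    if value.upper() == "ALL":
        return 2, 255
    nums = [int(x) for x in re.split(r"[\s:-]+", value) if x]
    return nums[0], nums[-1]

def lint(text):
    """Return a list of findings; an empty list means the stanza satisfies the rules on this page."""
    name, params = parse_stanza(text)
    findings = []
    if name is not None and not 1 <= len(name) <= 32:
        findings.append(f"name {name!r} must be 1-32 characters")
    attack = dict(params).get("AttackType", "").upper()
    if attack not in RANGE_RULES:
        return findings                                 # no numeric range for this attack type
    suffix, lo, hi, allowed = RANGE_RULES[attack]
    ports = {}                                          # PERPETUAL_ECHO: ports named per list
    for kw, val in params:
        if not kw.endswith("Range"):
            continue                                    # AttackType, *RangeRef, *GroupRef, ...
        if not kw.endswith(suffix):
            findings.append(f"{kw} is not a condition of AttackType {attack}")
            continue
        n, m = parse_range(val)
        if not lo <= n <= m < hi:
            findings.append(f"{kw} {n} {m}: need {lo} <= n <= m <= {hi - 1}")
        hit = sorted(v for v in allowed if n <= v <= m)
        if hit:
            findings.append(f"{kw} {n}-{m} includes {hit}, which cannot be restricted (ignored)")
        ports[kw] = ports.get(kw, 0) + (m - n + 1)
    if attack == "PERPETUAL_ECHO":                      # only the first 20 ports per list are used
        findings += [f"{kw} names {c} ports; only the first 20 are used" for kw, c in ports.items() if c > 20]
    return findings

# Constructed sample stanza (not from the page): port 0 and an oversized remote list are both faults.
SAMPLE = """IDSAttackCondition echoCond
{
   AttackType       PERPETUAL_ECHO
   LocalPortRange   7:19       # echo through chargen
   RemotePortRange  0 65535
}
"""
```

Running `lint(SAMPLE)` reports the port 0 fault and the oversized remote list; a stanza that only uses `RestrictedIpOptionRange All` under RESTRICTED_IP_OPTIONS yields no findings.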