Use intrusion detection services (IDS) to protect z/OS® Communications Server from attacks. You
can use IDS to detect patterns that might indicate an impending attack.
IDS supports attack rules that define the type of behavior to monitor.
Define a set of attack rules to specify what events to monitor and
the actions to take if an attack is detected. The action associated
with the rule lets you specify what type of logging is to be performed
and the action that the system should perform when an attack is detected.
Use the syslog daemon (syslogd) to log the attack. Syslogd is an
application that writes messages to an OMVS file. You can set a statistics
interval. At the end of each statistics interval, syslogd logs a message.
The attack rule can write the detected packet to the IDS trace SYSTCPIS.
The action can be defined to either discard or not discard the packet.
You can code an exclusion list for each Enterprise Extender (EE) IDS
attack type. Specific IP addresses in the exclusion list that would
have been detected as an attack continue to be accepted to preserve
existing behavior.
See z/OS Communications Server: IP Configuration
Guide for more IDS information.
IDS defines the following new attack types for EE.
- EE Malformed Packet
- Specify this attack type to allow IDS to check inbound EE packets
to determine whether the packet is malformed.
- EE Port Check
- Specify this attack type to allow IDS to verify the port value
of inbound EE packets. If the port values are not correct, IDS flags
the packet as a port check attack.
- EE LDLC Check
- Specify this attack type to allow IDS to verify EE LDLC commands.
All EE data is sent by using LDLC commands. IDS checks the LDLC type
to verify that the packet is received on the correct port.
- EE XID Flood
- Specify this attack type to allow IDS to detect suspicious XID
activities and EE XID timeouts. EE XID timeouts might lead to an EE
XID flood. When IDS detects an XID timeout, the following series of
events occurs:
The local EE endpoint resends the XID reply three
times before it fails the activation request and issues a timeout
message. An XID flood occurs when the number of inbound XID timeouts
is equal to the value of the EEXIDTimeout value in the IDS XID flood
attack rule. Each inbound activation XID that is received by VTAM® is assigned an available line
for the connection. A partner EE that sends an XID and that does not
continue activation of the connection will occupy an available line
for about 1 minute. A flood of these occurrences can quickly use all
available lines. This kind of attack is a denial of service attack.
Valid XIDs will fail because a line is not available for the connection
request.
The EEXIDTimeout value defines a threshold value that
specifies the number of XIDs that can time out in 1 minute before
IDS detects an EE XID flood. When IDS detects a flood, TCPIP writes
a message to the console and to an OMVS file using syslogd (if such
a message is required). The XID flood ends when the number of XIDs
that are received in 1 minute is below the threshold value. You can
enable statistics logging to assist in determining a threshold value.
The statistics provide the number of XID timeouts that occurred during
the interval and the maximum number of timeouts that occurred in any
minute during the interval.
Note: The EE XID flood attack type
does not support packet discard. It also does not support writing
the packet to the IDS trace, SYSTCPIS.