IP Services: Be aware of the enhancements to IP Fragment attack type of IDS

Description

Beginning in z/OS V2R1, the IP fragment attack type of Intrusion Detection Services (IDS) is enhanced to monitor both IPv4 and IPv6 traffic for suspicious fragments. It is also enhanced to check for overlays that change the data in the packet. Be aware that in z/OS V2R1, if you have the IP fragment IDS attack type enabled, IPv6 traffic is now monitored. In earlier releases, only IPv4 traffic was monitored.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: Communications Server.
When change was introduced: z/OS V2R1.
Applies to migration from: z/OS V1R13.
Timing: Before installing z/OS V2R2.
Is the migration action required? Yes, if you are using IDS on a stack and the IP Fragment attack type is enabled.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: None.

Steps to take

If you are using IDS on a stack and the IP Fragment attack type is enabled, be aware of the following information:
  • Both IPv4 and IPv6 traffic are monitored for suspicious fragments.
  • The IP Fragment attack type checking is enhanced to check for overlays that change the data in the packet, including changes to the length of the packet.
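The following added example is an illustration of the kind of overlay check described above, not IBM code and not the Communications Server implementation. It assumes a simplified fragment record (byte offset, payload, more-fragments flag, which IPv4 and IPv6 fragment headers both carry) and one possible reading of "changes to the length"; the `Fragment` type, `check_fragments` function, and sample data are constructed for this sketch.

```python
# Added illustration (not IBM code): flag fragment overlays that change
# already-received data or the datagram's length.
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int   # byte offset of this payload within the datagram
    data: bytes   # fragment payload
    more: bool    # True if the more-fragments flag is set

def check_fragments(fragments):
    """Return (index, reason) findings for the fragments of one datagram."""
    seen = {}          # byte position -> value first received there
    total_len = None   # length fixed by the first final fragment (more=False)
    findings = []
    for i, frag in enumerate(fragments):
        end = frag.offset + len(frag.data)
        # Overlay check: a byte that rewrites an earlier byte with a new value.
        # An exact retransmission overlaps but changes nothing, so it passes.
        if any(pos in seen and seen[pos] != byte
               for pos, byte in enumerate(frag.data, start=frag.offset)):
            findings.append((i, "overlay changes data"))
        # Length check (assumed interpretation): a second final fragment with
        # a different end, or data lying beyond an established end.
        if not frag.more:
            if total_len is None:
                if seen and max(seen) >= end:
                    findings.append((i, "overlay changes length"))
                total_len = end
            elif end != total_len:
                findings.append((i, "overlay changes length"))
        elif total_len is not None and end > total_len:
            findings.append((i, "overlay changes length"))
        # Keep the first-received value for each position.
        for pos, byte in enumerate(frag.data, start=frag.offset):
            seen.setdefault(pos, byte)
    return findings

# Constructed sample: fragment 1 rewrites bytes 8-15 of fragment 0, and
# fragment 3 is a second "final" fragment that moves the end from 24 to 32.
SAMPLE = [
    Fragment(0, b"A" * 16, True),
    Fragment(8, b"X" * 8, True),
    Fragment(16, b"C" * 8, False),
    Fragment(24, b"D" * 8, False),
]

if __name__ == "__main__":
    for index, reason in check_fragments(SAMPLE):
        print(f"fragment {index}: {reason}")
```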

Reference information

For more information about IP fragments, see "Attack of IDS policy definition considerations" in z/OS Communications Server: IP Configuration Guide.