The FLOOD Micro-Engine
Simply stated, FLOOD engines analyze flood type traffic, that is traffic from many sources to a single host (n to 1), specified in FLOOD.HOST or floods to the network, traffic from many sources to many destinations (n to n), specified in FLOOD.NET. Host floods use a counter that counts the packets-per-second (PPS) to the destination. Net floods, however, do not use the address for counting, but instead utilize the count rate on a virtual sensor basis. Analysis is done on a per-second basis for both host and net floods.
FLOOD engines have one configuration restriction. You have to specify the Rate parameter in both the host and net flood engine groups. FLOOD engines also ignore the WantFrag, MaxInspectLength, and ResetAfterIdle parameters from the Master engine parameters.
| Note |
The concept of a virtual sensor is that if the physical sensor is monitoring more than one interface, all the interfaces are configured into interface groups. There can be more than one interface group. But virtual sensors are attached to only one interface group. |
There are three FLOOD micro-engines. We will look at each in detail in the following sections.
FLOOD.HOST.ICMP
FLOOD.HOST.ICMP analyzes ICMP floods directed at a single host. Figure 7.12 shows the two signatures 2152 – ICMP Flood, and 2153 – ICMP Smurf attack that are host flood signatures based on ICMP traffic.
 |
Selection> 6
2152 (SubSig 0) ICMP Flood :
2153 (SubSig 0) ICMP Smurf attack :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
|
Figure 7.12: SigWizMenu Option 6 FLOOD.HOST.ICMP
Table 7.6 shows the configurable parameters for FLOOD.HOST.ICMP signatures.
|
Name |
Data Type |
Protected |
Required |
Description |
|---|---|---|---|---|
|
IcmpType |
Number 0–256 |
No |
No |
ICMP header TYPE |
|
Rate |
Some number |
No |
Yes |
The maximum allowed packets-per-second (PPS) |
FLOOD.HOST.UDP
FLOOD.HOST.UDP analyzes UDP floods directed at a single host. Figure 7.13 shows the single signature, 4002 – UDP Flood, that is a host flood signature based on UDP traffic.
|
Selection> 7
4002 (SubSig 0) UDP Flood :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
|
Figure 7.13: SigWizMenu Option 7 FLOOD.HOST.UDP
Table 7.7 shows the configurable parameters for FLOOD.HOST.UDP signatures.
|
Name |
Data Type |
Protected |
Required |
Description |
|---|---|---|---|---|
|
ExcludeDst1 |
Number 0–65536 |
No |
No |
Destination port to exclude from flood counting. |
|
ExcludeDst2 |
Number 0–65536 |
No |
No |
Destination port to exclude from flood counting. |
|
ExcludeDst3 |
Number 0–65536 |
No |
No |
Destination port to exclude from flood counting. |
|
Exclude1 |
Number 0–65536 |
No |
No |
Source port to exclude from flood counting. |
|
Exclude2 |
Number 0–65536 |
No |
No |
Source port to exclude from flood counting. |
|
Exclude3 |
Number 0–65536 |
No |
No |
Source port to exclude from flood counting. |
|
Rate |
Some number |
No |
Yes |
Threshold number of PPS. When the PPS is greater than the specified Rate, an alarm fires. |
FLOOD.NET
FLOOD.NET analyzes network floods directed at a single network segment. Figure 7.13 displays the current signatures in the FLOOD.NET micro-engine. Of special interest in the FLOOD.NET micro-engine is FLOOD.Net Learning Mode. This configuration option is feedback mode. Feedback mode replaces the normal inspection of packets with a diagnostic alarm. Simply stated, the alarm with have the maximum count of PPS in the alertDetails values seen during the interval. This is good for baselining network traffic in order to tune the signatures. The configuration is set to feedback mode when the Rate parameter is set to 0. Figure 7.14 shows the five signatures that are part of the FLOOD.NET micro-engine.
|
Selection> 8
6901 (SubSig 0) NET FLOOD Icmp Reply :
6902 (SubSig 0) NET FLOOD Icmp Request :
6903 (SubSig 0) NET FLOOD Icmp Any :
6910 (SubSig 0) NET FLOOD UDP :
6920 (SubSig 0) NET FLOOD TCP :
(Sig Number to EDIT) or (ENTER to CONTINUE) >
|
Figure 7.14: SigWizMenu Option 8 FLOOD.NET
Table 7.8 shows the configurable parameters for FLOOD.NET signatures.
|
Name |
Data Type |
Protected |
Required |
Description |
|---|---|---|---|---|
|
Gap |
Number |
No |
No |
The number of seconds allowed within the ThrottleInterval where PPS < Rate. Alarms will not be triggered if you get greater than Gap seconds that are not suspects and counting is reset. |
|
IcmpType |
Number 0–256 |
No |
No |
This is the ICMP type value found in the header. Only valid when Protocol is set to ICMP. |
|
Peaks |
Number |
No |
No |
The threshold of suspect seconds. |
|
Alarm is triggered when the Peaks suspect seconds is reached in a ThrottleInterval. | ||||
|
Rate |
Number |
No |
No |
The threshold for PPS. |
|
Suspect second occurs when PPS > Rate. Remember for diagnostics/feedback mode to set the Rate value to 0. |