Intrusion Detection (IDS)

Summary

This document describes the intrusion detection (IDS: Intrusion Detection System) for the FWX120. For other models, refer to this section.

The following figure shows the positioning of the intrusion detection.

Positioning of Intrusion Detection

Intrusion detection runs immediately after a packet is received, before NAT processing on the receiving side.

Compatible Models & Firmware Revisions

Model Revision
FWX120 Rev.11.03.16 or later

Types of Attacks for Detection

The following table shows the attacks that this function can detect. Attacks marked with * are always discarded, regardless of the settings.

Category / Name ... Judgment criteria

IP header
  • Unknown IP protocol ... When the protocol field is 143 or greater
  • Land attack ... When the source IP address and destination IP address are the same *
  • Short IP header ... When the IP header length is shorter than the length given in the "length" field *
  • Malformed IP packet ... When the length field and the actual packet length differ *

IP options header
  • Malformed IP opt ... When the options header is malformed *
  • Security IP opt ... When a security and handling restriction header is received
  • Loose routing IP opt ... When a loose source routing header is received
  • Record route IP opt ... When a record route header is received
  • Stream ID IP opt ... When a stream identifier header is received
  • Strict routing IP opt ... When a strict source routing header is received
  • Timestamp IP opt ... When an Internet timestamp header is received

Fragments
  • Fragment storm ... When a large volume of fragments is received *
  • Large fragment offset ... When the fragment offset field is large
  • Too many fragment ... When there are too many fragment parts
  • Teardrop ... When a teardrop attack is detected *
  • Same fragment offset ... When the fragment offset field value is duplicated *
  • Invalid fragment ... When other fragments that cannot be reassembled are received *

ICMP
  • ICMP source quench ... When a source quench is received
  • ICMP timestamp req ... When a timestamp request is received
  • ICMP timestamp reply ... When a timestamp reply is received
  • ICMP info request ... When an information request is received
  • ICMP info reply ... When an information reply is received
  • ICMP mask request ... When an address mask request is received
  • ICMP mask reply ... When an address mask reply is received
  • ICMP too large ... When an ICMP packet larger than 1025 bytes is received

UDP
  • UDP short header ... When the UDP length field value is less than 8 *
  • UDP bomb ... When the value of the UDP header length field is too large *

TCP
  • TCP no bits set ... When no flag is set
  • TCP SYN and FIN ... When SYN and FIN are set simultaneously
  • TCP FIN and no ACK ... When FIN is received without ACK

FTP
  • FTP improper port ... When the port number specified by the PORT or PASV command is outside the range 1024 - 65535

Winny
  • Winny version 2 ... When a Winny version 2 connection is discovered

GUI

Settings can be changed per interface, but typically only the settings of the WAN interface are changed.

Intrusion Detection Settings Screen (ids/ids.html)

You can choose whether to detect each type in the table above. For example, you can enable detection of IP header attacks but not IP options header attacks. Similarly, you can set per type whether a detected attack is discarded or passed.

The actual settings screen is shown as follows.

Intrusion Detection Settings Screen

Intrusion Detection Status Screen (ids/status.html)

Use the intrusion detection status screen to check that intrusion detection is operating. This page shows statistics on the intrusions detected so far. The following figure shows an actual example.

Intrusion Detection results are output to SYSLOG at the info level. The SYSLOG format is as follows.

[Prefix] attack name source address > destination address 
2011/07/15 16:45:56:  [POLICY] Unknown IP protocol 172.17.17.200 > 224.0.0.18
2011/07/15 16:46:57:  [POLICY] Unknown IP protocol 172.17.17.200 > 224.0.0.18
2011/07/15 16:48:20:  [POLICY] Unknown IP protocol 172.17.17.200 > 224.0.0.18 
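The SYSLOG lines above are easy to forward to a log collector, but the attack name is free text and only some of the names are the always-discarded kind. The following parser is an added example (not part of the FWX120 documentation or firmware) that extracts the fields from the format shown, tags events whose attack is marked * in the table, and counts repeats per attack and source; the sample lines are constructed and the 192.0.2.7 address is made up.

```python
import re
from collections import Counter

# Attacks the FWX120 table marks with "*": discarded regardless of reject=on/off.
ALWAYS_DISCARDED = {
    "Land attack", "Short IP header", "Malformed IP packet", "Malformed IP opt",
    "Fragment storm", "Teardrop", "Same fragment offset", "Invalid fragment",
    "UDP short header", "UDP bomb",
}

# One IDS syslog line: "YYYY/MM/DD HH:MM:SS:  [Prefix] attack name src > dst".
# The attack name may contain spaces, so it is matched non-greedily up to the
# source IPv4 address (the page only shows IPv4 examples).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):\s+\[(?P<prefix>[^\]]+)\]\s+"
    r"(?P<attack>.+?)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*>\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

def parse_line(line):
    """Return a dict of fields for an IDS line, or None for any other syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Tells the analyst whether the packet was dropped even with reject=off.
    ev["always_discarded"] = ev["attack"] in ALWAYS_DISCARDED
    return ev

def summarize(lines, threshold=3):
    """Count events per (attack, src); return the counts and the pairs at/above threshold."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev:
            counts[(ev["attack"], ev["src"])] += 1
    noisy = sorted(key for key, n in counts.items() if n >= threshold)
    return counts, noisy

# Constructed sample: the three lines from this page, one unrelated syslog line,
# and one always-discarded event with a made-up source address.
SAMPLE_LOG = [
    "2011/07/15 16:45:56:  [POLICY] Unknown IP protocol 172.17.17.200 > 224.0.0.18",
    "2011/07/15 16:46:57:  [POLICY] Unknown IP protocol 172.17.17.200 > 224.0.0.18",
    "2011/07/15 16:48:20:  [POLICY] Unknown IP protocol 172.17.17.200 > 224.0.0.18",
    "2011/07/15 16:49:01:  some other syslog message (constructed)",
    "2011/07/15 16:50:12:  [POLICY] Land attack 192.0.2.7 > 192.0.2.7",
]

if __name__ == "__main__":
    counts, noisy = summarize(SAMPLE_LOG)
    for (attack, src), n in counts.items():
        print(f"{attack:<22} from {src:<15} x{n}")
    print("repeated (attack, source) pairs:", noisy)
```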

Command

Set the Operation of the Intrusion Detection Function

[Syntax]
ip INTERFACE intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
ip pp intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
ip tunnel intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
no ip INTERFACE intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
no ip pp intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
no ip tunnel intrusion detection DIRECTION [TYPE] SWITCH [OPTION]
[Setting Value]
  • INTERFACE .... LAN or WAN interface name
  • DIRECTION ... Packet connection direction to be monitored
    • in ... Into the interface
    • out ... Out of the interface
  • TYPE ... Packet connection type to be monitored
    • ip ... IP header
    • ip-option ... IP option header
    • fragment ... Fragment
    • icmp ... ICMP
    • udp ... UDP
    • tcp ... TCP
    • ftp ... FTP
    • winny ... Winny
    • share ... Share
    • default ... All unspecified types
  • SWITCH
    • on ... Enable
    • off ... Disable
  • OPTION
    • reject=on ... Discards invalid packets
    • reject=off ... Not discard invalid packets
[Initial Value]
  • SWITCH
    • When TYPE is not specified: off
    • When TYPE is specified: on
  • OPTION
    • reject=off
[Description]

Detects intrusion in packets of the specified direction on the specified interface.
When the TYPE option is omitted, the settings apply to all types of intrusion detection.

[Note]

For high-risk attacks, the router always discards the packet regardless of the reject option setting.

For Winny, only version 2 is detected; earlier versions are not covered.

For Share, only version 1.0 EX2 (the Share TCP version) is detected; earlier versions are not covered.

Show the History of Intrusion Information

[Syntax]
show ip intrusion detection
show ip intrusion detection INTERFACE [DIRECTION]
show ip intrusion detection pp [PEER_NUM [DIRECTION]]
show ip intrusion detection tunnel [TUNNEL_NUM [DIRECTION]]
[Setting Value]
  • INTERFACE .... LAN or WAN interface name
  • PEER_NUM ......... Peer number
  • TUNNEL_NUM ....... Tunnel interface number
  • DIRECTION
    • in ... Input direction
    • out ... Output direction
[Description]

Shows the recent intrusion information. Intrusion information is shown per direction for each interface. The maximum number of incidents shown is the value specified by the following commands.

  • ip interface intrusion detection report
  • ip pp intrusion detection report
  • ip tunnel intrusion detection report
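The commands above can be combined so that the TYPE-less form sets a baseline for every detection type and a typed form overrides one of them. The following configuration is an added example, not from the FWX120 manual; the WAN interface name lan2 is an assumption, so substitute the interface your WAN is on.

```text
# Assumed WAN interface name: lan2. Omitting TYPE applies the setting to
# every detection type; high-risk attacks (marked * in the table) are
# discarded no matter what reject= says.
ip lan2 intrusion detection in on reject=on
# Override for ICMP only: keep detecting, but log instead of discarding.
ip lan2 intrusion detection in icmp on reject=off
# Review what has been detected on the inbound side of that interface.
show ip intrusion detection lan2 in
```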
