This document describes the intrusion detection function (IDS: Intrusion Detection System) of the FWX120. For other models, refer to this section.
The following figure shows where intrusion detection sits in the packet processing path.
Intrusion detection runs immediately after a packet is received, before NAT processing on the receiving side, so a packet is inspected with the addresses it arrived with, before NAT rewrites them.
Compatible Models & Firmware Revisions

| Model | Firmware revision |
|---|---|
| FWX120 | Rev.11.03.16 or later |
Types of Attacks for Detection
The following table lists the attacks this function can detect. Attacks marked * in the last column are always discarded, regardless of the reject setting.

| Category | Attack | Detected when | Always discarded |
|---|---|---|---|
| IP header | Unknown IP protocol | The protocol field is 143 or greater | |
| IP header | Land attack | The source and destination IP addresses are the same | * |
| IP header | Short IP header | The actual IP header is shorter than the length given by the header length field | * |
| IP header | Malformed IP packet | The total length field does not match the actual packet length | * |
| IP options header | Malformed IP opt | The options area is malformed | * |
| IP options header | Security IP opt | A Security / handling-restriction option is received | |
| IP options header | Loose routing IP opt | A Loose Source Routing option is received | |
| IP options header | Record route IP opt | A Record Route option is received | |
| IP options header | Stream ID IP opt | A Stream Identifier option is received | |
| IP options header | Strict routing IP opt | A Strict Source Routing option is received | |
| IP options header | Timestamp IP opt | An Internet Timestamp option is received | |
| Fragments | Fragment storm | A large volume of fragments is received | * |
| Fragments | Large fragment offset | The fragment offset field is large | |
| Fragments | Too many fragment | A datagram is split into too many fragments | |
| Fragments | Teardrop | A teardrop-style attack (overlapping fragments) is received | * |
| Fragments | Same fragment offset | Fragments with duplicate fragment offset values are received | * |
| Fragments | Invalid fragment | Other fragments that cannot be reassembled are received | * |
| ICMP | ICMP source quench | A Source Quench message is received | |
| ICMP | ICMP timestamp req | A Timestamp Request is received | |
| ICMP | ICMP timestamp reply | A Timestamp Reply is received | |
| ICMP | ICMP info request | An Information Request is received | |
| ICMP | ICMP info reply | An Information Reply is received | |
| ICMP | ICMP mask request | An Address Mask Request is received | |
| ICMP | ICMP mask reply | An Address Mask Reply is received | |
| ICMP | ICMP too large | An ICMP message larger than 1025 bytes is received | |
| UDP | UDP short header | The UDP length field is less than 8 | * |
| UDP | UDP bomb | The UDP length field is larger than the data actually present | * |
| TCP | TCP no bits set | No flags are set | |
| TCP | TCP SYN and FIN | SYN and FIN are set at the same time | |
| TCP | TCP FIN and no ACK | FIN is set without ACK | |
| FTP | FTP improper port | The port number given in a PORT command or PASV reply is outside the range 1024 - 65535 | |
| Winny | Winny version 2 | A Winny version 2 connection is detected | |
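To make the header-level rows of the table concrete, the following Python script (an added example, not Yamaha's implementation) builds constructed IPv4 packets and checks them against the IP header, IP option, ICMP, UDP and TCP rows; the fragment, FTP and Winny rows need reassembly or connection state and are not modelled. The option type and ICMP type numbers are the IANA-assigned ones. The page does not spell out how the FWX120 evaluates "Short IP header", so the script's reading (the header length field promising more header than the packet holds) is an assumption, as are the sample addresses and the builder helpers.

```python
"""Constructed IPv4/ICMP/UDP/TCP packets checked against a subset of the FWX120
intrusion detection table (added example; not Yamaha code)."""
import socket
import struct

# IANA option type numbers / ICMP type numbers that the table rows refer to
IP_OPTIONS = {130: "Security IP opt", 131: "Loose routing IP opt", 7: "Record route IP opt",
              136: "Stream ID IP opt", 137: "Strict routing IP opt", 68: "Timestamp IP opt"}
ICMP_TYPES = {4: "ICMP source quench", 13: "ICMP timestamp req", 14: "ICMP timestamp reply",
              15: "ICMP info request", 16: "ICMP info reply",
              17: "ICMP mask request", 18: "ICMP mask reply"}
# Rows marked "*" in the table: discarded regardless of the reject setting
ALWAYS_DISCARD = {"Land attack", "Short IP header", "Malformed IP packet",
                  "Malformed IP opt", "UDP short header", "UDP bomb"}
FIN, SYN, ACK = 0x01, 0x02, 0x10


def classify(pkt: bytes) -> list:
    """Return the table rows matched by one raw IPv4 packet."""
    hits = []
    if len(pkt) < 20:
        return ["Short IP header"]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Assumed reading of "Short IP header": the header length field promises a header
    # shorter than the 20-byte minimum or longer than the packet actually carries.
    if ihl < 20 or ihl > len(pkt) or ihl > total_len:
        return ["Short IP header"]
    if total_len != len(pkt):
        hits.append("Malformed IP packet")
    if src == dst:
        hits.append("Land attack")
    if proto >= 143:
        hits.append("Unknown IP protocol")
    hits += scan_options(pkt[20:ihl])
    payload = pkt[ihl:]
    if proto == 1 and len(payload) >= 4:
        if payload[0] in ICMP_TYPES:
            hits.append(ICMP_TYPES[payload[0]])
        if len(payload) > 1025:
            hits.append("ICMP too large")
    elif proto == 17 and len(payload) >= 8:
        udp_len = struct.unpack("!H", payload[4:6])[0]
        if udp_len < 8:
            hits.append("UDP short header")
        elif udp_len > len(payload):          # claims more data than the packet holds
            hits.append("UDP bomb")
    elif proto == 6 and len(payload) >= 20:
        flags = payload[13]
        if flags == 0:
            hits.append("TCP no bits set")
        if flags & SYN and flags & FIN:
            hits.append("TCP SYN and FIN")
        if flags & FIN and not flags & ACK:
            hits.append("TCP FIN and no ACK")
    return hits


def scan_options(opts: bytes) -> list:
    """Walk the options area; an option that is truncated or has length < 2 is malformed."""
    hits, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No Operation (single byte, no length)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return ["Malformed IP opt"]
        if kind in IP_OPTIONS:
            hits.append(IP_OPTIONS[kind])
        i += opts[i + 1]
    return hits


def ipv4(src: str, dst: str, proto: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet; the checksum is left zero because it is not inspected."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                         0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def tcp(flags: int) -> bytes:
    """Minimal 20-byte TCP header with the given flag byte."""
    return struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)


def udp(length_field: int, data: bytes = b"") -> bytes:
    """UDP header whose length field can be set independently of the data carried."""
    return struct.pack("!HHHH", 1234, 53, length_field, 0) + data


if __name__ == "__main__":
    a, b = "10.0.0.1", "203.0.113.5"      # constructed sample addresses
    samples = {
        "land": ipv4(a, a, 6, tcp(SYN)),
        "syn+fin": ipv4(a, b, 6, tcp(SYN | FIN)),
        "udp bomb": ipv4(a, b, 17, udp(500)),
        "lsrr option": ipv4(a, b, 6, tcp(ACK), options=b"\x83\x07\x04" + socket.inet_aton(b)),
    }
    for name, pkt in samples.items():
        hits = classify(pkt)
        print(name, hits, "DISCARD" if ALWAYS_DISCARD & set(hits) else "")
```

The script reports the intersection with ALWAYS_DISCARD for each packet so that it is visible which detections a reject=off setting cannot make permissive; a SYN+FIN segment matches two rows at once, which is also how the table reads.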
Detection can be configured per interface, but in typical use only the WAN interface is configured.
Intrusion Detection Settings Screen (ids/ids.html)
On this screen you can enable or disable detection separately for each category in the table above (for example, detect attacks in the IP header but not in the IP options header), and choose per category whether a detected packet is discarded or passed. Attacks marked * in the table are discarded whichever is chosen.
The actual settings screen is shown below.
Intrusion Detection Status Screen (ids/status.html)
Use the status screen to confirm that intrusion detection is operating: it shows statistics of the intrusions detected so far. An example is shown below.
Detection results are also output to SYSLOG at the info level, in the following format.
Set the Operation of the Intrusion Detection Function
- INTERFACE ... LAN or WAN interface name
- DIRECTION ... direction of the packets to be monitored
  - in ... packets entering the interface
  - out ... packets leaving the interface
- TYPE ... kind of packet to be monitored
  - ip ... IP header
  - ip-option ... IP options header
  - fragment ... fragments
  - icmp ... ICMP
  - udp ... UDP
  - tcp ... TCP
  - ftp ... FTP
  - winny ... Winny
  - share ... Share
  - default ... all types not otherwise specified
- on ... enable detection
- off ... disable detection
- reject=on ... discard detected packets
- reject=off ... do not discard detected packets
- Initial value: off when TYPE is not specified, on when TYPE is specified
Detects intrusions in packets flowing in the specified direction on the specified interface.
When TYPE is omitted, the setting applies to all detection types.
High-risk attacks (those marked * in the table above) are always discarded, regardless of the reject option.
For Winny, only version 2 is detected; earlier versions are not.
For Share, only version 1.0 EX2 (the TCP version of Share) is detected; earlier versions are not.
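The following Python model (an added example, not router code) shows how the interface, direction, TYPE, on/off and reject= settings described above combine for one packet: a setting given without TYPE applies to every type, a setting for a specific TYPE overrides the default entry, and an attack marked * in the table is discarded even with reject=off. The page does not state the initial value of reject=, so the model assumes off; the class and method names are the example's own.

```python
"""Interpretation of how one interface/direction's intrusion detection settings
resolve for a packet (added example; not Yamaha code)."""
from dataclasses import dataclass, field

TYPES = {"ip", "ip-option", "fragment", "icmp", "udp", "tcp", "ftp", "winny", "share"}


@dataclass
class IdsPolicy:
    """Settings for one DIRECTION of one INTERFACE.

    master:   the switch given without TYPE; initial value off, gates every type.
    per_type: switches given with a TYPE; "default" covers types not listed and,
              following the initial value for a specified TYPE, is treated as on.
    reject:   reject= options keyed the same way; assumed off when never given
              (the page does not state the initial value of reject=).
    """
    master: bool = False
    per_type: dict = field(default_factory=dict)
    reject: dict = field(default_factory=dict)

    def configure(self, switch: bool, type_: str = None, reject: bool = None) -> None:
        """Apply one command. Without TYPE the switch and reject= apply to all types."""
        if type_ is None:
            self.master = switch
            if reject is not None:
                self.reject["default"] = reject
            return
        if type_ != "default" and type_ not in TYPES:
            raise ValueError(f"unknown TYPE {type_!r}")
        self.per_type[type_] = switch
        if reject is not None:
            self.reject[type_] = reject

    def decide(self, type_: str, always_discard: bool = False) -> tuple:
        """Return (detected, discarded) for a packet matching a rule of TYPE type_.
        always_discard marks the rows flagged * in the table: they are dropped even
        when reject=off."""
        if not self.master:
            return (False, False)
        if not self.per_type.get(type_, self.per_type.get("default", True)):
            return (False, False)
        rejected = self.reject.get(type_, self.reject.get("default", False))
        return (True, bool(rejected or always_discard))


if __name__ == "__main__":
    wan_in = IdsPolicy()
    wan_in.configure(True, reject=True)                 # detect everything inbound and discard
    wan_in.configure(False, type_="winny")              # but leave Winny undetected
    wan_in.configure(True, type_="icmp", reject=False)  # log ICMP probes without dropping them
    for t, starred in [("tcp", False), ("winny", False), ("icmp", False), ("ip", True)]:
        print(t, wan_in.decide(t, always_discard=starred))
```

The order of precedence in decide() is the one implied by the parameter list: the type-less switch gates everything, an explicit TYPE beats the default entry, and the starred rows short-circuit the reject decision.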
Show the History of Intrusion Information
- INTERFACE ... LAN or WAN interface name
- PEER_NUM ... peer number
- TUNNEL_NUM ... tunnel interface number
- in ... input direction
- out ... output direction
Shows the most recent intrusion information, listed per direction for each interface. The maximum number of entries shown is the value set with the following commands:
- ip interface intrusion detection report
- ip pp intrusion detection report
- ip tunnel intrusion detection report