Efficient Networks SpeedStream 5100 Series User Manual

SpeedStream Router User Guide

35

• Fragmented TCP Packet:

As discussed in the Invalid IP Packet Fragment description, packets may be fragmented in transit.
While it is entirely valid to fragment a TCP packet, this is rarely done because of a process called
“MTU discovery” that occurs when two hosts begin communicating. The rarity of TCP packet
fragmentation makes its occurrence suspicious and could indicate a flawed network stack exploit
attempt.

• Fragmented TCP Header:

This indicates that the TCP header in the packet was split into multiple IP fragments. This never
normally occurs and is most likely a flawed network stack exploit attempt.

• Fragmented UDP Header:

This indicates that the IP header in the packet was split into multiple IP fragments. This never
normally occurs and is most likely a flawed network stack exploit attempt.

• Fragmented ICMP Header:

This indicates that the ICMP header in the packet was split into multiple IP fragments. This never
normally occurs and is most likely a flawed network stack exploit attempt.

When logging is selected for a particular offending packet, the ADS will write an entry to the firewall log
once a minute for as long as the attack persists. This allows one to tell that a long-term attack is taking
place without completely filling up the firewall log with entries for every single packet.

To enable ADS:

•

On the main menu, click Advanced Setup, then click Firewall, and then click ADS.

The Attack Detection System Configuration screen displays.

To globally enable ADS without losing any of the individual packet types:

•

Select Enable Attack Detection.

To filter, or drop, a packet type:

•

Select Filter to the right of the desired
option.

To log a packet type to the Firewall
Event Log:

•

Select Log to the right of the desired
function.

Note

Filtering and logging are independent

operations. You can select either, neither or
both.

To save the new settings:

•

Click Apply.