Network Security Overview; Anomalies - Alcatel-Lucent OmniSwitch 6850-48 Network Configuration Manual

Software release 6

Network Security Overview
Network Security detects anomalies in network traffic by monitoring the difference between the rates of
ingress and egress packets on a port that match a specific traffic pattern. The Network Security software
samples these packets at configured intervals, counts the packets matching certain patterns, and applies
anomaly detection rules. If anomalies are detected, they are reported through syslog and/or an SNMP
trap, and/or the anomalous port is shut down.
The Network Security features include the following:
Real-time network traffic monitoring
Dynamic anomaly detection
Dynamic anomalous port quarantining

Anomalies

A network traffic anomaly is a deviation of a user port's ingress and egress packet rates from what is
expected. Anomalies are detected by observing the network's traffic for a configurable time period.
During this period, Network Security counts the relevant packets on a port. Anomalies may occur in
scenarios such as the following:
When an unexpectedly high number of TCP SYN packets is sent from a user port in a short period.
When more than one ARP response is received for every ARP request.
When an unexpectedly high number of TCP RST packets appears in the network in a short period.
The scenarios listed above occur because of malicious systems in the network, or when the network is
attacked or misconfigured.
Network Security detects the following anomalies:
Anomaly: Description
ARP Address Scan: Occurs when a host sends a burst of ARP requests for multiple IP addresses.
ARP Flood: Occurs when a host receives a burst of ARP request packets.
ARP Failure: Occurs when ARP queries do not elicit ARP responses.
ICMP Address Scan: Occurs when multiple hosts receive ICMP echo request packets at the same time.
ICMP Flood: Occurs when a host receives a burst of ICMP echo request packets.
ICMP Unreachable: Occurs when a host receives a flood of ICMP Unreachable packets.
TCP Port Scan: Occurs when a host receives a burst of TCP SYN packets for multiple TCP ports.
TCP Address Scan: Occurs when multiple hosts receive TCP SYN packets at the same time.
SYN Flood: Occurs when a host receives a burst of TCP SYN packets on the same TCP port.
SYN Failure: Occurs when a host receives fewer SYN-ACKs than SYNs it sent out.
SYN-ACK Scan: Occurs when a host receives more SYN-ACKs than SYNs it sent out.
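As an added illustration, not the OmniSwitch software's own logic, the following Python applies three of the rules in the table above (ARP Address Scan, SYN Failure, SYN-ACK Scan) to packet counts gathered over one monitoring interval. The ARP target threshold, the record format and the traffic records are constructed assumptions for the example.

```python
from collections import defaultdict

# Record format (assumed for this example): (src_ip, dst_ip, kind), where kind is
# one of "arp_req", "tcp_syn", "tcp_synack". One list = one monitoring interval.
ARP_SCAN_TARGETS = 10   # hypothetical threshold: distinct ARP targets per interval


def count_interval(records):
    """Count, per host, the patterns the three rules need within one interval."""
    arp_targets = defaultdict(set)   # host -> distinct IPs it sent ARP requests for
    syn_sent = defaultdict(int)      # host -> TCP SYNs it sent
    synack_recv = defaultdict(int)   # host -> TCP SYN-ACKs it received
    for src, dst, kind in records:
        if kind == "arp_req":
            arp_targets[src].add(dst)
        elif kind == "tcp_syn":
            syn_sent[src] += 1
        elif kind == "tcp_synack":
            synack_recv[dst] += 1
    return arp_targets, syn_sent, synack_recv


def detect_anomalies(records, arp_scan_targets=ARP_SCAN_TARGETS):
    """Apply the rules to one interval's counts; return {host: [anomaly name, ...]}."""
    arp_targets, syn_sent, synack_recv = count_interval(records)
    found = defaultdict(list)
    for host, targets in arp_targets.items():
        if len(targets) >= arp_scan_targets:       # burst of ARP requests for many IPs
            found[host].append("ARP Address Scan")
    for host in set(syn_sent) | set(synack_recv):
        sent, got = syn_sent[host], synack_recv[host]
        if got < sent:                             # fewer SYN-ACKs back than SYNs sent
            found[host].append("SYN Failure")
        elif got > sent:                           # more SYN-ACKs back than SYNs sent
            found[host].append("SYN-ACK Scan")
    return dict(found)


# Constructed sample interval: one ARP scanner, one host whose SYNs go unanswered,
# one host receiving unsolicited SYN-ACKs, and one host with a normal handshake count.
SAMPLE = (
    [("10.0.0.5", f"10.0.0.{i}", "arp_req") for i in range(20, 32)]        # 12 targets
    + [("10.0.0.7", "10.0.0.50", "tcp_syn")] * 4 + [("10.0.0.50", "10.0.0.7", "tcp_synack")]
    + [("10.0.0.9", "10.0.0.60", "tcp_syn")] + [("10.0.0.60", "10.0.0.9", "tcp_synack")] * 3
    + [("10.0.0.2", "10.0.0.70", "tcp_syn")] * 2 + [("10.0.0.70", "10.0.0.2", "tcp_synack")] * 2
)

if __name__ == "__main__":
    for host, names in sorted(detect_anomalies(SAMPLE).items()):
        print(host, names)
```

A real switch would additionally apply a rate threshold per rule and a report or quarantine action; this block only shows the per-interval counting and comparison step.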
OmniSwitch AOS Release 6 Network Configuration Guide, Configuring Network Security, September 2009, page 47-4