WS-SW-FIREWALL-MIB: View SNMP OID List / Download MIB

MIB for DoS Attacks configuration and L2/L3 firewall configurations and firewall config for WLAN implemented for bridge level attack detection/mitigation feature and statistics related to it.

Maximum number of half-open TCP connections in the system after which firewall will start intercepting TCP connections. The configured value will be used by TCP Intercept DoS Attack check to handle SYN Flood Attack.

Maximum number of half-open TCP connections in the system after which firewall will stop intercepting TCP connections. The configured value will be used by TCP Intercept DoS Attack check to handle SYN Flood Attack.

Enable all DOS checks.

Disable all DOS checks.

Re-set all the DOS stats in the wsSwFirewallDosStatsTable.

Currently wsSwFirewallDoSChecksTable is handling the following configurable DoS Attacks: 1. Smurf DoS Attack: Enable this check in the firewall to drop ICMP echo packets destined to a broadcast IP address. Attackers use this type of packet to bring down a target host by spoofing its IP address and flooding it with ICMP echo responses. 2. Twinge DoS Attack: Enable this check in the firewall to drop false ICMP control packets going through the wirless switch. 3. Invalid IP Protocol DoS Attack: Enable this check in firewall to deny packets with invalid IP protocol value in the IP header. Some applications can use non-assigned IP protocol numbers to send malicious packets. 4. Ascend DoS Attack: Protocol is UDP, destination port is 9, UDP packet is mal-formed. 5. Chargen DoS Attack: The attack consists of a flood of UDP datagrams sent to the subnet broadcast address with the destination port set to 19 (chargen) and a spoofed source IP address. 6. Fraggle DoS Attack: When a perpetrator sends a large number of UDP echo (ping) traffic at IP broadcast addresses, all of it having a fake source address 7. ICMP Router Solicit DoS Attack: If the packet received from the network is an ICMP packet type 10 then its an ICMP router discovery messages called Router Solicitations. 8. ICMP Router Advertisement DoS Attack: Enable this check in firewall to drop route advertisement packets. Route advertisements are used by neighboring hosts to configure their route table. These messages can be used by attackers to configure routes on hosts to re-direct traffic. 9. IP Source Route Option DoS Attack: Enable this check in firewall to drop packets with source route option set in IP header. 10. Snork DoS Attack: Enable this check in firewall to deny UDP or TCP packets with destination port set to 135 and source port set to either 7,19 or 135. This can cause packets to be exchanged indefinitely between the two hosts causing them to slow down. 11. FTP Bounce DoS Attack: Enable this check in firewall to drop FTP packets if the IP address encoded in the PORT command does not match the IP address of the FTP client. 12.TCP Intercept DoS Attack: Enable / disable TCP packet interception. This should be enabled for protection against TCP SYN flood attacks. 13. Bcast/Mcast Icmp DoS: By default we consider bcast-mcast ICMP as DoS and drop the packets.

An entry in the wsSwFirewallDoSChecksTable.

The Check type for handling the respective DoS Attack. Enumeration: 'bcastMcastIcmp': 13, 'fraggle': 6, 'ipSourceRoute': 9, 'invalidIPProtocol': 3, 'ascend': 4, 'snork': 10, 'ftpBounce': 11, 'twinge': 2, 'tcpIntercept': 12, 'icmpRouterSolicit': 7, 'chargen': 5, 'icmpRouterAdvt': 8, 'smurf': 1.

Status of respective DoS Attack check, True for being enabled and False for being disabled.

The Current log level for the respective DoS Attack check. The Default is warning(5) and user can modify as per his requirement. Changing the log level will allow the user to enable logging for the respective DoS check to happen at desried level of system logging. Note: setting log level to none(9) will disable the logging even though the check is enabled. Enumeration: 'info': 7, 'notice': 6, 'err': 4, 'none': 9, 'alert': 2, 'crit': 3, 'emerg': 1, 'debug': 8, 'warning': 5.

This Table shows the stats related to each kind of DoS attacks supported by the switch, few of them can be configured in the wsSwFirewallDoSChecksTable. 1. Smurf DoS Attack: ICMP echo packets destined to a broadcast IP address. Attackers use this type of packet to bring down a target host by spoofing its IP address and flooding it with ICMP echo responses. 2. Twinge DoS Attack: False ICMP control packets going through the wireless switch. 3. Invalid IP Protocol DoS Attack: Packets with invalid IP protocol value in the IP header. Some applications can use non-assigned IP protocol numbers to send malicious packets. 4. Ascend DoS Attack: Protocol is UDP, destination port is 9, UDP packet is mal-formed. 5. Chargen DoS Attack: The attack consists of a flood of UDP datagrams sent to the subnet broadcast address with the destination port set to 19 (chargen) and a spoofed source IP address. 6. Fraggle DoS Attack: When a perpetrator sends a large number of UDP echo (ping) traffic at IP broadcast addresses, all of it having a fake source address 7. ICMP Router Solicit DoS Attack: If the packet received from the network is an ICMP packet type 10 then its an ICMP router discovery messages called Router Solicitations. 8. ICMP Router Advertisement DoS Attack: Route advertisements are used by neighboring hosts to configure their route table. These messages can be used by attackers to configure routes on hosts to re-direct traffic. 9. IP Source Route Option DoS Attack: Packets with source route option set in IP header. 10. Snork DoS Attack: UDP or TCP packets with destination port set to 135 and source port set to either 7,19 or 135. This can cause packets to be exchanged indefinitely between the two hosts causing them to slow down. 11. FTP Bounce DoS Attack: FTP packets if the IP address encoded in the PORT command does not match the IP address of the FTP client. 12. TCP Intercept DoS Attack: TCP SYN flood attacks. 13. Bcast/Mcast Icmp DoS: By default we consider bcast-mcast ICMP as DoS and drop the packets. 14. TCP Header Fragmented DoS Attack: TCP packets if the TCP header spans across IP fragments. 15. WINNUKE DoS Attack: Out of band data to the target computer on TCP port 139 (NetBIOS), 16. LAND DoS Attack: The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination. 17. UDP Short Header DoS Attack: A UDP header is a minimum of 8-bytes long. However, some systems (like BeOS) will crash when they receive UDP traffic with header length less than eight 18. TCP Bad Sequence DoS Attack: These types of attack are usually man-in-the-middle attacks where the attacker injects a packet with invalid sequence number to terminate the connection. 19. TCP FIN Scan DoS Attack: It attempts to close a non-existent connection on the server. Either way, it is an error, but systems sometimes give back different error results depending upon whether the desired service is available or not. As a result, the attacker doesn't trigger the normal logging of the system. However, this type of scan does result in weird network traffic. 20. TCP NULL Scan DoS Attack: A TCP frame with a sequence number of zero and all control bits are set to zero. 21. TCP XMAS Scan DoS Attack: A TCP frame with a sequence number of zero and the FIN, URG, and PUSH bits are all set. 22. TCP Post SYN Scan DoS Attack: This attack is caused when an attacker tries to send TCP packet with SYN flag set after the connection is established. 23. IP TTL zero DoS Attack: An IP packet set with ttl zero leading the packet to be dropped before reaching its destination. 24. IP Spoof DoS Attack: IP datagram is treated as spoofed if the source IP address does not belong to the subnet from where the packet arrived. Most of the DoS attacks use spoofed IP addresses so that it is difficult to trace the origin of the attack.

An entry in the wsSwFirewallDoSStatsTable.

The Check type for handling the respective DoS Attack. Enumeration: 'ftpBounce': 11, 'bcastMcastIcmp': 13, 'ipTtlZero': 23, 'ascend': 4, 'icmpRouterSolicit': 7, 'icmpRouterAdvt': 8, 'tcpNullScan': 20, 'tcpBadSequence': 18, 'fraggle': 6, 'tcpXmasScan': 21, 'winnuke': 15, 'tcpIntercept': 12, 'tcpFinScan': 19, 'invalidIPProtocol': 3, 'ipSpoof': 24, 'tcpPostSynScan': 22, 'twinge': 2, 'udpShortHdr': 17, 'land': 16, 'ipSourceRoute': 9, 'snork': 10, 'tcpHeaderFragment': 14, 'chargen': 5, 'smurf': 1.

The count of the number of attacks seen.

The last occurrence of the attack.

Physical/aggregate port interface configuration for ARP rate-limiting/ARP Spoof Detection and bcast/mcast/ucast storm suppression. Maximum permissible rate of ARP packets per interface is configured in terms of ARP packets/s. When the configured threshold is crossed, a warning is posted to the console through syslog. Interfaces are configured to be DHCP trusted or ARP trusted. DHCP responses coming from DHCP trusted interfaces are used for building the trusted IP-MAC binding table. ARP messages coming through ARP trusted interfaces are not subjected to ARP spoof checking.

L2 Fw interface level configuration table for ARP spoof detection and ARP rate limiting

layer2 interface name on which ARP Limit/DHCP trust/ARP trust is configured. For eg names like ge1-ge4 and sa1-sa4

ARP Rate Limit set in packets/second through this interface. Interface refers to physical/aggregate port interfaces.

State of DHCP trust on this interface.

State of ARP trust on this interface.

High threshold for broadcast packets coming in from this physical/aggregate interface

High threshold for multicast packets coming in from this physical/aggregate interface

High threshold for unicast packets coming in from this physical/aggregate interface

Description.

Per wlan configuration table for b/m/u cast storm suppression,ARP spoof detection and rogue MU detection Bcast/Mcast/Ucast Storm Suppression. A high threshold and a low threshold is configured per wlan, in IN direction.When the rate of b/m/u cast packets exceeds the high threshold configured for a wlan, all packets are throttled till the rate falls below the configured rate. When the rate of b/m/u cast packets exceeds the configured threshold, a warning is posted to the console if logging is enabled. Thresholds are configured in terms of packets/second. ARP spoof Detection Marking DHCP and ARP trust on wlan indices for ARP spoof detection Rogue MU Detection MUs pumping denied traffic are either de-authentiacted or a warning posted through syslog based on a user configurable per wlan threshold of allowed MU denies per second. It's not necessary that the MU hit the same deny rule for triggering the action. It's the cumulative number of denials within the specified period that leads to the action. Logging of the event is a must, though deauthentication is optional.

Wlan level configuration table for ARP spoof detection,ARP rate limiting Bcast storm suppression and Rogue MU traffic detection

Wlan index on which to set l2fw configurations.

High Level threshold for broadcast packets coming from a WLAN

High Level threshold for multicast packets coming from a WLAN

High Level threshold for packets having unknown unicast address as destination coming from a WLAN

Permissble rate of denies for a mobile-unit in the wlan This is counted in terms of denied/packets/second from that MU

Option to de-authenthenticate the MU on hitting the threshold value configured.

DHCP trust state on this wlan.

ARP trust state on this wlan.

ARP rate-limit threshold specified in ARPpackets/second unit.

Description.

Dynamic IP-MAC binding table built up on the basis of DHCP Server responses

IP-MAC Binding Table Entry

Simple index number of snoop entries

Description. IP address of the client

Vlan id of the client

MAC address of the client

The snoop entry can be a combination of the following bits.Valid combinations are client-router, server-router, client-router-vrrp, client-router-hsrp, server-router-vrrp, server-router-hsrp, client, router, server, vrrp-router, hsrp-router. If none of the bits are set, it's the switch svi Bits: 'router': 0, 'dhcpclient': 1, 'vrrp': 3, 'dhcpserver': 2, 'hsrp': 4.

Lease time for the binding entry

Name of Port/Wlan through which packet from this entity ingresses.(eg: ge1, wlan1)

Enable Logging when ARP ratelimit is exceeded

Enable logging when broadcast rate-limit is exceeded

Enable logging when multicast ratelimit is exceeded

Enable logging when unicast ratelimit is exceeded

Description.

Description.