Using the Anomaly Drops TCP State Anomalies graph
You use the TCP State Anomalies graph to monitor drops due to suspicious TCP session traffic. Protocols such as TCP are stateful: they follow predefined state transition rules. When scripted bots generate attacks, they violate many of these rules. Examples of such attacks are ACK packets that arrive without connection establishment, or packets that are outside the TCP window. Table 47 summarizes the statistics displayed in the TCP State Anomalies graph. Figure 61 shows the graph.
You can customize the following query terms: SPP, period, direction.
Before you begin:
You must have Read-Write permission for Log & Report settings.
To display the graphs:
Go to Monitor > Anomaly Drops > TCP State Anomalies.
Table 47: Anomaly Drops: TCP State Anomalies
| Statistic | Description |
| --- | --- |
| Forward Transmission Not Within Window | Drops due to packets outside the receiver’s TCP or UDP windows (when the Protection Profiles > SPP Settings > TCP session feature control seq-validation option is enabled). |
| Reverse Transmission Not Within Window | Drops due to packets outside the receiver’s TCP or UDP windows (seq-validation). |
| TCP State Transition | Drops due to packets that violate the TCP Protocol state transition rules or sequence numbers (state-transition-anomalies-validation). |
| Foreign Packets | Drops due to packets that do not belong to a known TCP connection (foreign-packet-validation). For example, when the system receives a packet for a connection that has not been established with a SYN exchange. |
 
Figure 61: Anomaly Drops: TCP State Anomalies
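The four categories in Table 47 can be illustrated with a toy connection tracker that classifies each packet the way a stateful device would count it. This is an added example, not the product's own logic: the Tracker class, the constructed packet tuples, and the reading of "forward" as client-to-server are assumptions made for illustration.

```python
from collections import Counter

FOREIGN, STATE = "Foreign Packets", "TCP State Transition"
FWD_WIN = "Forward Transmission Not Within Window"
REV_WIN = "Reverse Transmission Not Within Window"

class Tracker:
    """Toy per-connection state table (no wraparound, retransmits or teardown)."""
    def __init__(self):
        self.conns = {}  # (client, server) -> {"state", "nxt", "win"}

    def check(self, src, dst, flags, seq, length=0, win=0):
        """Return the Table 47 drop category for a packet, or None if accepted."""
        c = self.conns.get((src, dst)) or self.conns.get((dst, src))
        if c is None:
            if flags != "S":
                return FOREIGN  # no SYN exchange seen for this flow
            self.conns[(src, dst)] = {"state": "SYN_SENT",
                                      "nxt": {src: seq + 1}, "win": {src: win}}
            return None
        fwd = (src, dst) in self.conns  # assumption: forward = client to server
        if c["state"] == "SYN_SENT":
            if fwd or flags != "SA":
                return STATE  # only the server's SYN-ACK is legal here
            c["nxt"][src], c["win"][src], c["state"] = seq + 1, win, "SYN_RCVD"
            return None
        if c["state"] == "SYN_RCVD" and (not fwd or flags != "A"):
            return STATE  # handshake must finish with the client's ACK
        if "S" in flags:
            return STATE  # SYN on an already open connection
        expected, limit = c["nxt"][src], c["nxt"][src] + c["win"][dst]
        if not (expected <= seq and seq + length <= limit):
            return FWD_WIN if fwd else REV_WIN  # outside the receiver's window
        c["nxt"][src], c["win"][src], c["state"] = seq + length, win, "ESTABLISHED"
        return None

C, S = "198.51.100.7:40000", "203.0.113.10:443"  # constructed endpoints
SAMPLE = [  # constructed packets: (src, dst, flags, seq, length, window)
    (C, S, "S", 1000, 0, 65535), (S, C, "SA", 5000, 0, 8192),
    (C, S, "A", 1001, 0, 65535), (C, S, "PA", 1001, 100, 65535),
    (C, S, "PA", 900000, 100, 65535),  # beyond the server's advertised window
    (S, C, "A", 4000000, 50, 8192),    # beyond the client's advertised window
    (C, S, "S", 1101, 0, 65535),       # SYN on an open connection
    ("198.51.100.99:51000", S, "A", 77, 0, 1024),  # ACK with no handshake
]

def tally(packets):  # drops per category, like the graph's four series
    t = Tracker()
    return Counter(r for p in packets if (r := t.check(*p)))
```

Calling `tally(SAMPLE)` yields one drop in each of the four categories, while the four well-formed packets (the handshake and the first data segment) are accepted.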