Using the Anomaly Drops Layer 4 Header Anomalies graph
Use the Layer 4 Header Anomalies graph to monitor drops due to suspicious Layer 4 headers. Layer 4 anomalies are typically generated by scripts that use loops to increment specific header parameters. Because many of the resulting header parameter values are not valid from a standards perspective, they are anomalous. One example is a packet with an invalid TCP flag combination: a packet with flags such as RST, FIN, SYN, and ACK set simultaneously is anomalous.
Table 47 summarizes the statistics displayed in the Layer 4 Header Anomalies graph. Figure 60 shows the graph.
You can customize the following query terms: SPP, period, direction.
Before you begin:
You must have Read-Write permission for Log & Report settings.
To display the graphs:
Go to Monitor > Anomaly Drops > Layer 4 Header Anomalies.
Table 47: Anomaly Drops: Layer 4 Header Anomalies
| Statistic | Description |
| --- | --- |
| TCP Checksum Error | Drops due to checksum errors. |
| UDP Checksum Error | Drops due to checksum errors. |
| ICMP Checksum Error | Drops due to checksum errors. |
| TCP Invalid Flag Combination | Drops due to invalid flag combinations, such as SYN/RST. |
| Anomaly Detected | Drops due to Layer 4 anomalies, including: other header anomalies, such as an incomplete packet; the urgent flag is set but the urgent pointer is zero (if the urgent flag is set, the urgent pointer must be non-zero); SYN, FIN, or RST is set for fragmented packets; the data offset is less than 5 for a TCP packet; end of packet (EOP) is detected before the 20 bytes of the TCP header; EOP is detected before the offset indicated by the data offset field; the length field in the Window scale option is other than 3 in a TCP packet; missing UDP payload; missing ICMP payload. |
 
Figure 60: Anomaly Drops: Layer 4 Header Anomalies
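The TCP checks listed in Table 47 can be reproduced offline to triage captured segments. The following is an added example, not code from the product or its documentation. The function names, the label strings, and the exact set of flag combinations treated as invalid (SYN together with RST or FIN) are assumptions, and the sample segments are constructed.

```python
import struct

FIN, SYN, RST, ACK, URG = 0x01, 0x02, 0x04, 0x10, 0x20  # TCP flag bits

def bad_wscale(options: bytes) -> bool:
    """True if a Window Scale option (kind 3) has a length field other than 3."""
    i = 0
    while i + 1 < len(options) and options[i] != 0:   # kind 0 = end of option list
        if options[i] == 1:                            # kind 1 = NOP, single byte
            i += 1
            continue
        kind, length = options[i], options[i + 1]
        if kind == 3 and length != 3:
            return True
        if length < 2:                                 # malformed length, stop walking
            break
        i += length
    return False

def tcp_anomalies(segment: bytes, fragmented: bool = False) -> list:
    """Return the anomaly labels (hypothetical wording) that apply to a raw TCP segment."""
    if len(segment) < 20:
        return ["EOP before 20 bytes of TCP header"]
    off_flags, _win, _csum, urg_ptr = struct.unpack("!HHHH", segment[12:20])
    data_offset, flags = off_flags >> 12, off_flags & 0x3F
    found = []
    if flags & SYN and flags & (RST | FIN):            # assumed set of invalid combinations
        found.append("invalid flag combination")
    if flags & URG and urg_ptr == 0:
        found.append("urgent flag set with zero urgent pointer")
    if fragmented and flags & (SYN | FIN | RST):
        found.append("SYN/FIN/RST on fragmented packet")
    if data_offset < 5:
        found.append("data offset less than 5")
    elif data_offset * 4 > len(segment):
        found.append("EOP before data offset")
    elif bad_wscale(segment[20:data_offset * 4]):
        found.append("window scale option length not 3")
    return found

def build(flags, data_offset=5, urg_ptr=0, options=b""):
    """Constructed sample segment: ports 40000 -> 80, zero seq/ack/checksum."""
    return struct.pack("!HHIIHHHH", 40000, 80, 0, 0,
                       (data_offset << 12) | flags, 1024, 0, urg_ptr) + options
```

Checksum validation and the UDP and ICMP payload checks from the table are left out of this example.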