IBM Support

What kinds of attacks against z/OS Enterprise Extender connections can Intrusion Detection Services protect against?

Question & Answer


Question

We would like to protect our z/OS Enterprise Extender connections against attacks from the network. What kinds of attacks can Intrusion Detection Services (IDS) protect these connections against?

Answer

Intrusion Detection Services (IDS) can protect your Enterprise Extender connections against the following types of attacks:

EE Malformed Packet: Specify this attack type to allow IDS to check inbound EE packets to determine whether the packet is malformed.

EE Port Check: Specify this attack type to allow IDS to verify the port value of inbound EE packets. If the port values are not correct, IDS flags the packet as a port check attack.

EE LDLC Check: Specify this attack type to allow IDS to verify EE LDLC commands. All EE data is sent by using LDLC commands. IDS checks the LDLC type to verify that the packet is received on the correct port.

EE XID Flood: Specify this attack type to allow IDS to detect suspicious XID activities and EE XID timeouts. EE XID timeouts might lead to an EE XID flood. When IDS detects an XID timeout, the following series of events occurs:

The local EE endpoint resends the XID reply three times before it fails the activation request and issues a timeout message. An XID flood occurs when the number of inbound XID timeouts reaches the EEXIDTimeout value in the IDS XID flood attack rule.

Each inbound activation XID that VTAM receives is assigned an available line for the connection. A partner EE that sends an XID but does not continue activation of the connection occupies that line for about 1 minute. A flood of these occurrences can quickly use all available lines, so this kind of attack is a denial of service attack: valid XIDs fail because no line is available for the connection request.

The EEXIDTimeout value is a threshold that specifies the number of XIDs that can time out in 1 minute before IDS detects an EE XID flood. When IDS detects a flood, TCPIP writes a message to the console and, if such a message is required, to an OMVS file by using syslogd. The XID flood ends when the number of XIDs received in 1 minute falls below the threshold value.

You can enable statistics logging to assist in determining a threshold value. The statistics provide the number of XID timeouts that occurred during the interval and the maximum number of timeouts that occurred in any minute during the interval.

Note: The EE XID flood attack type does not support packet discard. It also does not support writing the packet to the IDS trace, SYSTCPIS.
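The threshold logic described for the EE XID flood attack type can be modelled to show how the statistics feed the choice of EEXIDTimeout. The following Python is an added illustration, not IBM code and not how the z/OS IDS implementation counts internally: it assumes fixed one-minute buckets (a simplification of the "in 1 minute" rule), a constructed list of XID timeout times, a hypothetical number of available lines, and models a flood as starting in the first minute whose timeout count reaches the threshold and ending in the first later minute whose count is below it.

```python
"""Model of the EE XID flood threshold (constructed example, not the z/OS IDS code)."""
from collections import Counter

# Constructed sample: seconds from the start of a statistics interval at which
# inbound EE activation XIDs timed out (each timeout ties up a line for ~1 minute).
SAMPLE_TIMEOUTS = [
    3, 40,                           # minute 0: 2 timeouts (normal background)
    61, 70, 75, 90, 110,             # minute 1: 5 timeouts
    121, 130, 140, 150, 160, 170,    # minute 2: 6 timeouts
    200,                             # minute 3: 1 timeout
]                                    # minute 4: 0 timeouts

# Hypothetical values for the illustration (not from the article).
THRESHOLD = 5          # stands in for the EEXIDTimeout value in the attack rule
AVAILABLE_LINES = 6    # hypothetical number of lines VTAM can assign to inbound XIDs
INTERVAL_MINUTES = 5   # length of the statistics interval being examined


def timeouts_per_minute(timeouts, interval_minutes):
    """Bucket timeout times (seconds) into per-minute counts for the interval."""
    counts = Counter(int(t // 60) for t in timeouts)
    return [counts.get(minute, 0) for minute in range(interval_minutes)]


def xid_flood_events(per_minute, threshold):
    """Return (minute, 'start'|'end') events.

    A flood starts when a minute's timeout count reaches the threshold and ends
    in the first later minute whose count is below the threshold.
    """
    events = []
    in_flood = False
    for minute, count in enumerate(per_minute):
        if not in_flood and count >= threshold:
            events.append((minute, "start"))
            in_flood = True
        elif in_flood and count < threshold:
            events.append((minute, "end"))
            in_flood = False
    return events


def interval_statistics(per_minute):
    """The two figures the article says statistics logging provides."""
    return {
        "total_timeouts": sum(per_minute),
        "max_in_any_minute": max(per_minute, default=0),
    }


def minutes_with_lines_exhausted(per_minute, available_lines):
    """Minutes in which abandoned XIDs alone could occupy every available line.

    Simplification: each timed-out XID is assumed to hold its line for the whole
    minute, so a count >= available_lines means valid XIDs would find no line.
    """
    return [m for m, count in enumerate(per_minute) if count >= available_lines]


if __name__ == "__main__":
    per_minute = timeouts_per_minute(SAMPLE_TIMEOUTS, INTERVAL_MINUTES)
    print("timeouts per minute:", per_minute)
    print("flood events (threshold %d):" % THRESHOLD,
          xid_flood_events(per_minute, THRESHOLD))
    print("interval statistics:", interval_statistics(per_minute))
    print("minutes with all %d lines exhausted:" % AVAILABLE_LINES,
          minutes_with_lines_exhausted(per_minute, AVAILABLE_LINES))
```

Running the model on the constructed sample shows a flood starting in minute 1 and ending in minute 3, a maximum of 6 timeouts in any minute, and minute 2 as the one in which abandoned XIDs alone would have consumed all six hypothetical lines. The practical use of the statistics is the comparison this makes visible: a threshold set below the normal per-minute maximum fires on ordinary traffic, while one set at or above the number of available lines only fires after valid XIDs are already being refused.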


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
19 November 2015

UID

dwa1212770