Tuesday, January 4, 2011

How to understand and configure MAD

MAD (Malicious Activity Detection) is a process that runs on the Management server and periodically reviews the logs for suspicious behaviour, such as multiple authentication failures, port scans, SYN attacks and land attacks.

MAD detects/defends:

    - SYN attacks
    - Spoofing attempts (on local interfaces, too)
    - Port scan detection
    - Blocked-port scan detection
    - Login failures
    - Fast repeated connects
    - Land attacks

MAD land attack
It is CPMAD that tells you it sees a land attack. Check the cpmad_config.conf file (in $FWDIR/conf) and you should find a line containing _land_attck_ in it. A land attack sends just one SYN packet in which the source IP address has been replaced with the address of the destination, so the target tries to answer itself; the result is looped-back packets that slow down the server.

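As an added illustration (not Check Point's CPMAD code), the toy detector below applies two of the checks listed above, land attacks and repeated login failures, to constructed log records; the Event fields, the three-failures-in-60-seconds threshold and the sample addresses are assumptions.

```python
# Added example, not Check Point's CPMAD implementation: a toy detector for two
# MAD checks (land attack, repeated login failures) over constructed log records.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int       # seconds since start of log (assumed field)
    src: str      # source IP
    dst: str      # destination IP
    flags: str    # TCP flags, e.g. "S" for SYN (empty for non-TCP events)
    kind: str     # "conn" for a connection attempt, "auth_fail" for a failed login


def is_land_attack(ev: Event) -> bool:
    """A land attack is a SYN whose source address equals its destination."""
    return ev.kind == "conn" and "S" in ev.flags and ev.src == ev.dst


def find_land_attacks(events):
    return [ev for ev in events if is_land_attack(ev)]


def find_login_failures(events, threshold=3, window=60):
    """Sources with >= `threshold` failed logins inside any `window` seconds."""
    per_src = defaultdict(list)
    for ev in events:
        if ev.kind == "auth_fail":
            per_src[ev.src].append(ev.ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window start forward
                start += 1
            best = max(best, end - start + 1)  # most failures seen in one window
        if best >= threshold:
            flagged[src] = best
    return flagged


# Constructed sample log: normal SYN, land-attack SYN, a non-SYN packet with
# equal addresses, and two sources with failed logins (assumed values).
SAMPLE_EVENTS = [
    Event(0, "10.0.0.1", "10.0.0.5", "S", "conn"),
    Event(1, "10.0.0.5", "10.0.0.5", "S", "conn"),          # land attack
    Event(2, "10.0.0.5", "10.0.0.5", "A", "conn"),          # not a SYN: ignored
    Event(10, "192.0.2.9", "10.0.0.5", "", "auth_fail"),
    Event(20, "192.0.2.9", "10.0.0.5", "", "auth_fail"),
    Event(30, "192.0.2.9", "10.0.0.5", "", "auth_fail"),    # 3 in 20 s: flagged
    Event(100, "192.0.2.10", "10.0.0.5", "", "auth_fail"),
    Event(400, "192.0.2.10", "10.0.0.5", "", "auth_fail"),  # too far apart
]
```

Running `find_land_attacks(SAMPLE_EVENTS)` returns only the event at ts=1, and `find_login_failures(SAMPLE_EVENTS)` flags only 192.0.2.9.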
MAD configuration

The configuration of Check Point's Malicious Activity Detection system is done through the file $FWDIR/conf/cpmad_config.conf. For information on how to use the variables in the file, take a look at the EntGS.pdf file located on the installation CD-ROM (v4.1).
