Unusual traffic
While it is difficult to anticipate every method an attacker may use to infiltrate a network or host, there are a few things that should never happen on a normal, healthy network. Because ICMP is used for diagnostics and error reporting (echo, destination unreachable, time exceeded, redirect), it is attractive to attackers for reconnaissance, for steering traffic with forged ICMP Redirect messages, and for covert channels that hide data in echo payloads. Since TCP is the predominant transport protocol for most applications, you should also look out for abnormalities in TCP headers or payloads that could be a sign of malicious intent.
Some examples of abnormalities to look out for are discussed in the following table:
| Suspicious content | Description |
|---|---|
| TCP bad flags | An illegal or unlikely combination of TCP flags. The SYN, SYN/ACK, ACK, PSH, FIN, and RST flags are normal when used in the appropriate places; anything else warrants investigation. Combinations such as SYN together with FIN, FIN/PSH/URG with no ACK (an "XMAS" probe), or no flags at all (a "NULL" probe) never occur in a legitimate session and are characteristic of port-scanning tools. |
| SYN packet contains data | The initial TCP SYN packet should never contain payload data; it is used to establish a session only. Note, however, that... |
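The checks in the table can be turned into detection logic. The following Python script is an added example written for this section, not code from the original text. It builds a few constructed IPv4/TCP packets (addresses, ports and checksums are placeholders), parses the TCP header and options, and reports the abnormalities described above: NULL and XMAS flag sets, SYN combined with FIN or RST, a non-SYN segment with the ACK bit clear, and a SYN carrying payload. As a caveat beyond the table, a SYN that carries data is not flagged when it also carries a TCP Fast Open cookie option (option kind 34, RFC 7413), since that is the one standardised case in which a SYN legitimately carries application data.

```python
import struct

# TCP flag bits (RFC 9293), found in the low byte of the data-offset/flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TFO_OPTION_KIND = 34  # TCP Fast Open cookie option (RFC 7413)


def build_ipv4_tcp(flags, payload=b"", options=b""):
    """Build a minimal IPv4+TCP packet as constructed test input.

    Addresses, ports and checksums are placeholders; only the fields the
    detector inspects (protocol, lengths, flags, options, payload) are real.
    """
    while len(options) % 4:
        options += b"\x00"                # pad the option list with EOL bytes
    data_off = 5 + len(options) // 4      # TCP header length in 32-bit words
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                      (data_off << 12) | flags, 65535, 0, 0) + options + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def parse_ipv4_tcp(pkt):
    """Return (flags, payload_length, option_kinds) for an IPv4 packet carrying TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = pkt[ihl:total_len]
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x3F              # the six classic flags
    kinds, opts, i = [], tcp[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # end of option list
            break
        if kind == 1:                     # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts):            # truncated option, stop parsing
            break
        kinds.append(kind)
        i += max(opts[i + 1], 2)          # a zero length must not loop forever
    return flags, len(tcp) - data_off, kinds


def classify(flags, payload_len, option_kinds):
    """Return the reasons a segment looks abnormal; an empty list means nothing flagged."""
    findings = []
    if flags == 0:
        findings.append("no flags set (NULL probe)")
    if flags & SYN and flags & FIN:
        findings.append("SYN and FIN set together")
    if flags & SYN and flags & RST:
        findings.append("SYN and RST set together")
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        findings.append("FIN, PSH and URG set together (XMAS probe)")
    elif flags and not flags & (SYN | RST | ACK):
        # After the initial SYN every legitimate segment carries ACK (or is a RST)
        findings.append("ACK clear on a segment that is neither SYN nor RST")
    if flags & SYN and not flags & ACK and payload_len > 0:
        if TFO_OPTION_KIND not in option_kinds:
            findings.append("SYN carries %d bytes of payload without a Fast Open option" % payload_len)
    return findings


def scan(packets):
    """Run the detector over a sequence of packets; return (index, findings) for flagged ones."""
    results = []
    for idx, pkt in enumerate(packets):
        findings = classify(*parse_ipv4_tcp(pkt))
        if findings:
            results.append((idx, findings))
    return results


if __name__ == "__main__":
    tfo_cookie = bytes([TFO_OPTION_KIND, 10]) + b"\xaa" * 8   # constructed 8-byte cookie
    samples = [
        build_ipv4_tcp(SYN),                                 # normal handshake start
        build_ipv4_tcp(SYN | ACK),                           # normal handshake reply
        build_ipv4_tcp(PSH | ACK, b"GET / HTTP/1.0\r\n"),    # normal data segment
        build_ipv4_tcp(SYN | FIN),                           # illegal combination
        build_ipv4_tcp(0),                                   # NULL probe
        build_ipv4_tcp(FIN | PSH | URG),                     # XMAS probe
        build_ipv4_tcp(FIN),                                 # FIN probe, ACK clear
        build_ipv4_tcp(SYN, b"GET / HTTP/1.0\r\n"),          # SYN with data
        build_ipv4_tcp(SYN, b"GET / HTTP/1.0\r\n", tfo_cookie),  # legitimate TFO SYN
    ]
    for idx, findings in scan(samples):
        print("packet %d: %s" % (idx, "; ".join(findings)))
```

In production this logic would sit behind a capture library or an IDS rule set rather than a hand-rolled parser; the point of the example is which header fields carry the signal and why the Fast Open case must be special-cased before a SYN-with-data rule is trusted.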