DDoS Protector Signature Files
Solution

The attack database for the DDoS Protector is a database of DoS Shield engine signatures related to DDoS attacks. The signature file is updated periodically.

To update the DoS Shield engine with a new signature file, follow this procedure:

  1. Download a new signature file (use the link in the table below).
  2. Browse to the DDoS Protector Web interface.
  3. Select 'DDoS Protector' > 'Attack Database' > 'Send to Device'.
  4. In the File field, type the name of the file, or click "Browse" to navigate to the relevant file.

Tip: If you would like to get notifications on new signature updates, you can subscribe to weekly email notifications on new and updated SecureKnowledge solutions for DDoS Protector by following this URL:

https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.SCNotificationAction&eventSubmit_doRedirectnotificationspage


DDoS Protector Signature Files

Name of Update & Link Description
Signature File 482

The following is a list of new attack protections introduced in this update.

  • DDOS-DEMOND-BOT-STD-UDP (RWID 1391)
Refer to: Signature File 482 Release Notes
Signature File 449

The following is a list of new attack protections introduced in this update.

  • Memcached-Server-Reflect (RWID 18286)

  • DDoS-UDP-MEMCACHED-AMP (RWID 1389)
Refer to: Signature File 449 Release Notes
Signature File 440

The following is a list of new attack protections introduced in this update.

  • HTTP-MISC-ZMEU-SCANNER (RWID 18196)

  • DDoS-The-WireX-Botnet-UserAge (RWID 18060)
Refer to: Signature File 440 Release Notes
Signature File 426

The following is a list of attack protections introduced in this update:

  • HTTP-MISC-Slowloris-DOS-Var2 (RWID 18048)

  • DDOS-SSLSQUEEZE-TOOL (RWID 1387)
Refer to: Signature File 426 Release Notes
Signature File 403

The following is a list of attack protections introduced in this update:

  • BotNet-TR069-D1000-Wfi-CE (RWID 17614)

  • TR069-D1000-Wfi-CookieWifi-CE (RWID 17616)

  • HTTP-MISC-MaLIoT-flood-DOS (RWID 17644)

  • DDOS-Mirai-STOMP-flood (RWID 1379)

  • DDOS-Mirai-GRE-ethr-flood (RWID 1381)

  • DDOS-Mirai-UDP-DEF-flood (RWID 1383)

  • DDOS-MaLIoT-HTTP-flooda (RWID 1373)

  • DOSS-CLDAP-Reflection-p1 (RWID 1385)
Refer to: Signature File 403 Release Notes
Signature File 382

The following is a list of attack protections removed in this update:

  • DDOS-MaLIoT-HTTP-flooda (RWID 1373)

  • DDOS-Pylors-tool-SSL-flood (RWID 1377)
Refer to: Signature File 382 Release Notes
Signature File 381

The following is a list of new attack protections introduced in this update.

  • DoS-Tool-Pyloris-HTTP-flood41 (RWID 17592)

  • ICMP-BlackNurse-Attack (RWID 1375)

  • DDOS-Pylors-tool-SSL-flood (RWID 1377)
Refer to: Signature File 381 Release Notes
Signature File 380

The following is a new attack protection introduced in this update.

  • DoS-Tool-Pyloris-HTTP-Flood (RWID 17590)
Refer to: Signature File 380 Release Notes
Signature File 358

The following is a list of new attack protections introduced in this update.

  • DoS-Tool-Anonyms-Doser-POST (RWID 17250)

  • DoS-Tool-DOS3r-Doser-postOrG (RWID 17252)
Refer to: Signature File 358 Release Notes
Signature File 350

The following is a new attack protection introduced in this update.

  • HTTP-MISC-SlowhttpTestGit-DoS (RWID 17304)
Refer to: Signature File 350 Release Notes
Signature File 340

The following is a new attack protection introduced in this update.

  • RDv4-DoS-Tool-UDP80-uflodder (RWID 17132)
Refer to: Signature File 340 Release Notes
Signature File 339

The following is a new attack protection introduced in this update.

  • HTTP-MISC-Tool-nuclear-ddossD (RWID 17144)
Refer to: Signature File 339 Release Notes
Signature File 338

The following is a list of new attack protections introduced in this update.

  • DoS-Tool-Revolution_DoS80-US (RWID 17128)

  • DoS-Tool-Revolution_DoS80-RU (RWID 17130)
Refer to: Signature File 338 Release Notes
Signature File 334

The following is a list of new attack protections introduced in this update.

  • DoS-Tool-Nuclear-DDoSser-POST (RWID 17142)

  • DoS-Tool-Nuclear-DDoSser-GET (RWID 17146)

  • DoS-Tool-Gala-httpflood-POST (RWID 17158)
Refer to: Signature File 334 Release Notes
Signature File 333

The following is a list of new attack protections introduced in this update.

  • ServerFlooder-DoS-Tool-UDP80 (RWID 17122)

  • DoS-Tool-Revolution_DoS80-HH (RWID 17124)

  • DoS-Tool-Revolution_DoS80-UU (RWID 17126)
Refer to: Signature File 333 Release Notes
Signature File 330

The following is a new attack protection introduced in this update.

  • DNS-ISC-BIND-TKEY-Queri-Fail (RWID 17054)
Refer to: Signature File 330 Release Notes
Signature File 319

The following signature was modified to improve accuracy:

DOSS-DNS-Ref-Above_30_Answers (RWID 1349) (Assigned to Group:Floods)

Signature File 316

HTTP-MISC-AnonGhost-DOS-6 (RWID 16844)

'Anonghost ddos' is a Denial-of-Service tool based on the Slowloris tool that aims to exploit a vulnerability in certain web servers. Denial of service vulnerabilities occur due to various kinds of software bugs and design flaws, which when exploited, can result in a loss of service to users. This vulnerability is triggered by opening many uncompleted requests to the web server. The uncompleted requests allocate resources on the server, which eventually leads to starvation and denial of service.

Recommended Solutions: In order to protect against this vulnerability the following steps should be taken:

  • Update your DDoS Protector device with the latest signature file.
  • Ensure that the above-mentioned signature group exists in the active protection profile.
  • Update the signature-threshold values according to your network profile.
Signature File 311

DOS-WEB-HULK-improved (RWID 16808)

HULK is a flooding tool. A flooding tool generates a mass amount of traffic in order to utilize network or application resources, resulting in degradation and even loss of service to legitimate users. The tool runs on various browsers and generates a mass amount of HTTP requests.

This signature identifies anomalies found in the HTTP header used by the flooder.

Recommended Solutions: In order to protect against this vulnerability the following steps should be taken:

  • Update your DDoS Protector device with the latest signature file.
  • Ensure that the above-mentioned signature group exists in the active protection profile.
  • Update the signature-threshold values according to your network profile.
Signature File 309 The following is a list of new attack protections introduced in this update.
  • Anomaly-TLS11-renegotiationCL (RWID 16850)

  • Anomaly-TLS12-renegotiationCL (RWID 16852)
Refer to: Signature File 309 Release Notes
Signature File 304

HTTP-MISC-DosTool-ExAttack (RWID 16706)

Anonymous External Attack tool is a DoS tool which sends a lot of UDP null bytes. Denial of service vulnerabilities occur due to various kinds of software bugs and design flaws, which when exploited, can result in a loss of service to users. This tool sends a lot of UDP packets with a \x00 payload to port 80.

Recommended Solutions: In order to protect against this vulnerability the following steps should be taken:

  • Update your DDoS Protector device with the latest signature file.
  • Ensure that the above-mentioned signature group exists in the active protection profile.
  • Update the signature-threshold values according to your network profile.
Signature File 297

DOS-Tool-SwitchbladG (RWID 16676)

Switchblade tool is a DoS tool for testing web server against simple DoS attacks (https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool).

Denial of service vulnerabilities occur due to various kinds of software bugs and design flaws, which when exploited, can result in a loss of service to users. This DoS tool may cause denial of service to the HTTP engine by sending slow HTTP POST and GET HEADER requests.

This signature identifies attack traffic coming from the Switchblade tool by detecting its specific User-Agent and header length.

Recommended Solutions: In order to protect against this vulnerability the following steps should be taken:

  • Update your DDoS Protector device with the latest signature file.
  • Ensure that the above-mentioned signature group exists in the active protection profile.
  • Update the signature-threshold values according to your network profile.
Signature File 291

HTTP-Triple-Headers-Flood-1 (RWID 15332)

Triple Headers Flood is a flood attack. A flood attack is a massive amount of traffic that is generated to use network or application resources, resulting in the degradation or even loss of service to legitimate users. One popular scenario of a flood attack is the distributed denial-of-service (DDoS) attack. In this scenario, the traffic is generated from numerous hosts, usually by a malicious agent installed on the host. This flood is characterized by Triple HTTP headers sent in the request. This kind of traffic, above a certain threshold, indicates a flood.

The following services are known to be vulnerable to this kind of attack:

  • HTTP Web Server
  • HTTPS Web Server

Recommended Solutions: In order to protect against this vulnerability the following steps should be taken:

  • Update your DDoS Protector device with the latest signature file.
  • Ensure that the above-mentioned signature group exists in the active protection profile.
  • Update the signature-threshold values according to your network profile.
Signature File 286

DOS-Telnet-AreYouThere-BO (RWID 16616)

Telnet Server is vulnerable to a buffer overflow attack (CVE-2015-0014). Buffer overflow vulnerabilities occur due to programming errors within input validation routines or their absence. Such vulnerabilities can be exploited by diverting the affected application's path of execution to execute arbitrary code. If exploited successfully, this vulnerability could result in a compromise of the affected system, which in turn could be used as a standing-ground for further attacking internal resources.

An attacker can send 250 AreYouThere functions to a vulnerable server, which smashes a stack return address and crashes the application.

The following signature protects against a buffer overflow in Microsoft Windows Server 2003 SP2, Vista SP2, Server 2008 SP2 and R2 SP1, 7 SP1, 8, 8.1, Server 2012 Gold and R2 (CVE-2015-0014).

References:

Recommended Solutions: In order to protect against this vulnerability the following steps should be taken:

  • Update your DDoS Protector device with the latest signature file.
  • Ensure that the above-mentioned signature group exists in the active protection profile.
  • Update the signature-threshold values according to your network profile.
Signature File 281

DOSS-UDP-flood-80-Res (RWID 1363)

UDP port 80 flood. A flood attack is a massive amount of traffic that is generated to use network or application resources, resulting in the degradation or even loss of service to legitimate users.

DOSS-UDP-flood-80-Req (RWID 1361)

UDP port 80 flood. A flood attack is a massive amount of traffic that is generated to use network or application resources, resulting in the degradation or even loss of service to legitimate users.

Recommended Solutions: In order to protect against this vulnerability the following steps should be taken:

  • Update your DDoS Protector device with the latest signature file.
  • Ensure that the above-mentioned signature group exists in the active protection profile.
  • Update the signature-threshold values according to your network profile.
Signature File 274

DOSS-Tsunami-SYN-Flood

The idea behind the attack is that SYN packets, which are easy to generate, consume resources from TCP stacks and stateful devices. Those resources can be consumed quickly, causing a denial of service (DoS).

With a SYN flood each packet tries to disguise itself as a legitimate SYN packet and is therefore very small and doesn't contain data.

In this attack the SYN packets are not empty. The SYN packets contain data - about 1000 bytes per packet, and therefore the bandwidth footprint of these attacks is enormous.

An entire network range was hit, with the size of the attack reaching 4-5Gbps. Thus, this new type of SYN flood attack is more likely to saturate the internet pipe of the victim.

Recommended Solutions: In order to protect against this anomaly the following steps should be taken:

  • Update your DDoS Protector device with the latest signature file.
  • Ensure that the above-mentioned signature group exists in the active protection profile.
  • Make sure the following mechanisms are enabled:
    • SYN Protection
    • BDOS – SYN Flood Protection
  • Update the signature-threshold values according to your network profile.
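Detection logic for the data-carrying SYN anomaly described above, as an added example that is not Check Point's code: it flags SYN segments that carry a payload and alerts per destination when their rate or byte volume inside a sliding window crosses a threshold. The packet records, window length and thresholds are constructed assumptions, not values from the product.

```python
# Added example (not the DDoS Protector's own logic): flag TCP SYN segments
# that carry data, which a normal SYN does not, and alert on a destination
# when their count or byte volume in a sliding window exceeds a threshold.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # capture time in seconds (constructed)
    src: str
    dst: str
    flags: str         # TCP flag letters, e.g. "S", "SA", "PA"
    payload_len: int   # bytes of TCP data carried by the segment


def is_tsunami_syn(pkt: Packet, min_payload: int = 1) -> bool:
    """A SYN (not SYN/ACK) that carries at least min_payload bytes of data."""
    return "S" in pkt.flags and "A" not in pkt.flags and pkt.payload_len >= min_payload


def detect(packets, window=1.0, pkt_threshold=50, byte_threshold=40_000):
    """Return {dst: (peak_count, peak_bytes)} for destinations whose
    data-carrying SYNs within any `window` seconds cross a threshold."""
    alerts = {}
    recent = defaultdict(deque)  # dst -> deque of (ts, payload_len)
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not is_tsunami_syn(pkt):
            continue
        q = recent[pkt.dst]
        q.append((pkt.ts, pkt.payload_len))
        while q and pkt.ts - q[0][0] > window:   # drop records outside the window
            q.popleft()
        count, nbytes = len(q), sum(b for _, b in q)
        if count >= pkt_threshold or nbytes >= byte_threshold:
            prev = alerts.get(pkt.dst, (0, 0))
            alerts[pkt.dst] = (max(prev[0], count), max(prev[1], nbytes))
    return alerts


# Constructed sample: 60 SYNs with ~1000-byte payloads hit 10.0.0.5 in 0.3 s
# (the anomaly), while 10.0.0.6 sees ordinary empty SYNs and data segments
# on established connections, which must not be flagged.
SAMPLE = (
    [Packet(i * 0.005, f"198.51.100.{i % 50 + 1}", "10.0.0.5", "S", 1000) for i in range(60)]
    + [Packet(i * 0.01, "203.0.113.7", "10.0.0.6", "S", 0) for i in range(20)]
    + [Packet(i * 0.01, "203.0.113.7", "10.0.0.6", "PA", 1200) for i in range(20)]
)

if __name__ == "__main__":
    print(detect(SAMPLE))  # only 10.0.0.5 is reported
```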
Signature File 262

DOS-HTTP-torshammer (RWID 16506)

Multiple HTTP engines are vulnerable to a denial of service attack. Denial of service vulnerabilities occur due to various kinds of software bugs and design flaws, which when exploited, can result in a loss of service to users. This vulnerability may cause denial of service to the HTTP engine. This vulnerability occurs due to segmented POST data packets sent with very small payload size for a very large content length request, and thus exhaust the resources of the HTTP engine causing denial of service.

This signature identifies attack traffic coming from a Python-based tool called "Torshammer" that is available on the net. The traffic is dropped per packet and not per DoS identification.

DOS-UDP-fireflood (RWID 16510)

Fireflood is an HTTP and UDP flooding tool. A flooding tool generates a mass amount of traffic in order to utilize network or application resources, resulting in degradation and even loss of service to legitimate users. The tool runs on Windows and sends a large number of UDP packets to port 80 of a web server.

The following services are known to be vulnerable to this kind of attack:

  • All web servers

Recommended Solutions: In order to protect against this vulnerability the following steps should be taken:

  • Update your DDoS Protector device with the latest signature file.
  • Ensure that the above-mentioned signature group exists in the active protection profile.
  • Update the signature-threshold values according to your network profile.