This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent certain types of traffic that are almost always associated with malicious requests. This category includes requests that have very little use except to attackers who wish to cause a denial of service or perform reconaissance on a particular network in preparation for a future attack.
The first set of signatures in this category are standard requests for transport layer protocols that ask for port 0, and invalid port that can cause errors on servers. A TCP request to port 0, for example, can cause the server to return an error message that includes information about the server, including the version numbers of installed software that can give attackers vital leads on how to design attacks to compromise the machine. A UDP packet to port 0 can cause even more serious problems; some servers crash in response to this packet, causing a denial of service.
This category also detects particular SYN requests that are sent to multicast addresses. SYN requests are a particular TCP request that ask a remote computer to intiate a connection and wait for an acknolwedgement. These requests are used to initiate TCP connections so the computers on both ends are synchronized. Attackers often modify the "source host" field SYN packets to perform a denial of service attack. A computer recieving a forged SYN packet will respond to the computer named in the source host field, initiating a connection that neither computer needed to initiate in the first place. When a flood of these packets are sent to a multicast address, they are forwarded to all of the computers on that address' subnet, causing all of those computers to initiate TCP connections with the computer named as the source host. In addition to choking bandwidth on the subnet used to amplify the signal, this can cause the supposed "source host" computer to run out of connections or crash, disrupting any services that it may provide. This is commonly known as a "smurfing" attack.
Because traffic detected by SonicWALL Bad-Traffic signatures is mostly harmless on its own, these signatures are classified as low priority. However, if administrators recognize that an inordinate amount of this traffic is traversing their network, they can enable the signatures for prevention to cut off imminent attacks.