L3ANOMALY - L3 Network Anomaly
- Last Updated: May 1, 2026
Method description
The detection method reveals traffic anomalies on the third (network) layer. The first part detects situations in which the source or destination IP address of the communicating parties does not belong to the legitimate internal networks (see RFC 2827 on ingress filtering). The second part reports flows with a broadcast or multicast source IP address. The third part detects packets with identical source and destination IP addresses. Both IPv4 and IPv6 are supported.
The InternalNetworks filter specifies the IP address ranges of the allowed internal network and is required by the first part of the detection (IP spoofing). Enabling the IgnoreBroadMulticast parameter suppresses IP spoofing detection for flows with a multicast or broadcast destination IP address. Flows with link-local IP addresses and zero-network broadcasts are excluded from IP spoofing detection by default.
This method consists of the following submethods:
- IPSpoof: Reports spoofing of the source IP address. The detection is based on a user-defined list of known internal IP segments.
- SourceMulticast: Reports packets with a multicast source IP address.
- SameIPs: Reports packets with the same source and destination IP addresses.
Method configuration
It is recommended to apply this method network-wide, to all traffic regardless of IP addresses. The right place for traffic monitoring is the Internet connection line or the central switch (with the InternalNetworks option set).
Method parameters
General
- InternalNetworks: Name of the filter that defines all IP addresses of the monitored network.
IPSpoof
- IgnoreBroadMulticast: Omit connections with a broadcast or multicast destination IP address from the IPSpoof detection.
Assigned filter
Only flows whose source or destination IP address matches the assigned filter will be processed.
Interpretation of results
Communication involving IP addresses outside the scope of the local networks may indicate IP spoofing or an attempt to manipulate IP headers. Flows with invalid IP addresses (a broadcast or multicast source IP address, or identical source and destination IP addresses) may indicate an attack against an implementation flaw in the TCP/IP stack of network equipment.
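The three submethods and the IPSpoof exclusions described above, as an added Python example that is not Flowmon's code: the flow records, the InternalNetworks ranges, the reading of "zero network" as 0.0.0.0/8, and the IPSpoof rule "neither endpoint is inside InternalNetworks" are assumptions constructed for the example.

```python
import ipaddress
from typing import List, Sequence, Tuple

# Constructed flow records (src, dst); not real captures.
SAMPLE_FLOWS = [
    ("10.1.2.3", "203.0.113.5"),      # internal -> external: legitimate
    ("198.51.100.7", "203.0.113.5"),  # neither endpoint internal: IPSpoof
    ("224.0.0.251", "10.1.2.3"),      # multicast source: SourceMulticast
    ("10.1.2.3", "10.1.2.3"),         # src == dst: SameIPs
    ("0.0.0.0", "255.255.255.255"),   # DHCP discover: excluded by default
    ("fe80::1", "ff02::1"),           # IPv6 link-local: excluded by default
    ("ff02::1", "2001:db8::1"),       # IPv6 multicast source: SourceMulticast
]
# Stand-in for the InternalNetworks filter (assumed example ranges).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("2001:db8::/32")]
ZERO_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # assumed meaning of "zero network"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def is_internal(ip, internal) -> bool:
    return any(ip in net for net in internal)

def is_broadcast_or_multicast(ip) -> bool:
    # IPv6 has no broadcast, so only the IPv4 limited broadcast is checked.
    return ip.is_multicast or ip == LIMITED_BROADCAST

def excluded_from_ipspoof(ip) -> bool:
    # Link-local and zero-network addresses are excluded from IPSpoof by default.
    return ip.is_link_local or ip in ZERO_NETWORK

def classify_flow(src: str, dst: str, internal=INTERNAL_NETWORKS,
                  ignore_broad_multicast: bool = True) -> List[str]:
    """Return the L3ANOMALY submethods triggered by one flow record."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    events = []
    if s == d:
        events.append("SameIPs")
    if is_broadcast_or_multicast(s):
        events.append("SourceMulticast")
    # IPSpoof (assumed reading): at least one endpoint of a flow seen on the
    # monitored network should be inside InternalNetworks; flag it otherwise.
    if ignore_broad_multicast and is_broadcast_or_multicast(d):
        return events  # IgnoreBroadMulticast: skip IPSpoof for these flows
    if excluded_from_ipspoof(s) or excluded_from_ipspoof(d):
        return events
    if not is_internal(s, internal) and not is_internal(d, internal):
        events.append("IPSpoof")
    return events

def scan(flows: Sequence[Tuple[str, str]], **kw) -> List[Tuple[str, str, List[str]]]:
    return [(s, d, ev) for s, d in flows if (ev := classify_flow(s, d, **kw))]
```

Running scan(SAMPLE_FLOWS) flags four of the seven constructed flows; passing ignore_broad_multicast=False additionally reports IPSpoof for an external source sending to a multicast group.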