Portscan Detection and Prevention
Types of Detection
The following are the types of portscan activity that can be detected, and the hosts performing them can be blocked.
- Regular portscan—A one-to-one portscan in which an attacker uses a single host to scan multiple ports on a single target host. This option detects TCP, UDP, and IP portscans.
- Decoy portscan—A one-to-one portscan in which the attacker mixes spoofed source IP addresses with the actual scanning IP address. This option detects TCP, UDP, and IP protocol portscans.
- Distributed portscan—A many-to-one portscan in which multiple hosts query a single host for open ports. This is used to evade portscan detection, because requests spread across multiple source hosts can look legitimate. This option detects TCP, UDP, and IP protocol portscans.
- Port sweep—A one-to-many portsweep in which an attacker uses one or a few hosts to scan a single port on multiple target hosts. This usually happens when a new exploit appears and the attacker is looking for a specific service. This option detects TCP, UDP, ICMP, and IP portsweeps.
Note: Regular, decoy, and distributed portscans are not categorized and alerted as regular portscan activity.
Traffic Selection
- You can choose portscan detection for Permitted, Denied, or All traffic. By default, portscan detection occurs for all the traffic in the selected category.
- You can specify the networks to be monitored for portscan activity. Within the monitored network, you can exempt certain hosts from being identified as scanners.
- You can also exempt from portscan detection all traffic destined to designated target hosts.
- Portscan detection is supported for both IPv4 and IPv6 traffic.
Detection Configuration
The following are the detection configuration options:
- Configuration options:
  - Protocol types: TCP, UDP, IP, and ICMP
  - Port count: number of ports accessed, for TCP and UDP based scans
  - Host count: number of hosts accessed, for TCP, UDP, and ICMP based scans
  - Protocol count: number of protocols used, for IP protocol scans
  - Interval: the time interval over which these counts are evaluated
- Predefined sensitivity levels—You can tune portscan detection using the following sensitivity levels:
  - Low—Detects only negative responses from targeted hosts. Select this sensitivity level to suppress false positives, but remember that some types of portscans (slow scans, filtered scans) might be missed. This level uses the shortest time window for portscan detection.
  - Medium—Detects portscans based on the number of connections to a host, so you can detect filtered portscans. However, very active hosts such as network address translators and proxies may generate false positives. This level uses a longer time window for portscan detection. By default, the sensitivity level is set to Medium.
  - High—Detects portscans based on a time window, which means that you can detect time-based portscans. This level uses a much longer time window for portscan detection.
  - Custom—Used to customize sensitivity levels. If you edit an existing, preconfigured sensitivity level, the Custom option is automatically selected.
- You can fine-tune the thresholds and also enable or disable the different types of scans.
Prevention Configuration
For configuring prevention, the following are the options:
- You can block a host that has been identified as performing portscan activity.
- You can set a block duration; the host is unblocked automatically after the duration expires.
- You can exempt hosts from being blocked due to portscan activity.
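As an added illustration (this is not Cisco's code or configuration), the following Python sketch models the detection options above (port count, host count, protocol count, interval, the Low level's negative-only counting, scanner exemption) together with the duration-based block from the prevention options. The threshold defaults, the flow record format and the sample flows are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class PortscanConfig:
    # Thresholds named after the page's options; the numeric defaults are assumptions.
    port_count: int = 5          # distinct ports on one target within interval (regular portscan)
    host_count: int = 5          # distinct targets on one port within interval (port sweep)
    proto_count: int = 3         # distinct IP protocols to one target (IP protocol scan)
    interval: float = 10.0       # sliding time window, in seconds
    negative_only: bool = False  # "Low" sensitivity: count only refused/unanswered probes
    exempt_scanners: frozenset = frozenset()  # hosts never reported as scanners
    block_duration: float = 600.0  # seconds a scanner stays blocked before automatic unblock

class PortscanDetector:
    def __init__(self, cfg: PortscanConfig):
        self.cfg, self.events, self.blocked = cfg, defaultdict(list), {}

    def _distinct(self, key, ts, value):
        # Drop observations older than the interval, then count distinct values in the window.
        win = [(t, v) for t, v in self.events[key] if ts - t <= self.cfg.interval]
        win.append((ts, value))
        self.events[key] = win
        return len({v for _, v in win})

    def observe(self, ts, src, dst, proto, dport, negative):
        """Feed one flow; return (scan_type, src) alerts raised when a threshold is reached."""
        cfg = self.cfg
        if src in cfg.exempt_scanners or (cfg.negative_only and not negative):
            return []
        alerts = []
        if proto in ("tcp", "udp") and self._distinct(("ports", src, dst, proto), ts, dport) == cfg.port_count:
            alerts.append(("portscan", src))
        if self._distinct(("hosts", src, proto, dport), ts, dst) == cfg.host_count:
            alerts.append(("portsweep", src))
        if self._distinct(("protos", src, dst), ts, proto) == cfg.proto_count:
            alerts.append(("protocol scan", src))
        if alerts:  # prevention: block the scanning host for block_duration
            self.blocked[src] = ts + cfg.block_duration
        return alerts

    def is_blocked(self, src, ts):
        # Duration-based block: the entry simply stops matching once block_duration has elapsed.
        return ts < self.blocked.get(src, float("-inf"))

# Constructed sample flows: (ts, src, dst, proto, dport, negative_response)
SCAN_FLOWS = [(i, "10.0.0.5", "10.0.0.50", "tcp", 20 + i, True) for i in range(6)]      # one host, six ports
SWEEP_FLOWS = [(i, "10.0.0.6", f"10.0.0.{10 + i}", "tcp", 22, True) for i in range(6)]  # six hosts, one port
SLOW_FLOWS = [(11 * i, "10.0.0.7", "10.0.0.50", "tcp", 20 + i, True) for i in range(6)]  # probes 11 s apart
```

Feeding SLOW_FLOWS shows the interval at work: each probe falls outside the previous one's window, so the slow scan is missed, which is the trade-off the Low sensitivity description warns about.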
For more information about configuring portscan detection and prevention, see Configure Portscan Detection and Prevention.