Protection Against Scans, Spoofs, and Sweeps
Attackers often perform address sweeps and/or port
scans to gain targeted information about a network. After they have
identified trusted addresses or ports, they might launch an attack
against the network by spoofing a trusted IP address. To protect targets
in the zone from sweeps, scans, and spoofing attempts, configure the
detection and blocking settings as described in Table 1.
Table 1: Detection and Blocking Settings

Detection and Blocking Setting: IP Address Spoof Protection
Description: Attackers can insert a bogus source address in a packet header to make the packet appear to come from a trusted source. When the interfaces in the zone operate in Route or NAT mode, the security device relies on route table entries to identify IP spoofing attempts. When the interfaces in the zone operate in Transparent mode, the security device relies on address book entries to identify IP spoofing attempts.
- To enable interface-based IP spoofing protection, configure the security device to drop packets whose source IP addresses do not appear in the route table.
- To enable zone-based IP spoofing protection (supported on devices running ScreenOS 5.2), configure the security device to drop packets whose source IP addresses do not appear in the selected zone. If you are routing traffic between two interfaces in the same zone, leave this option disabled (unchecked).

Detection and Blocking Setting: IP Address Sweep Protection
Description: An address sweep occurs when one source IP address sends 10 ICMP packets to different hosts within a defined interval. If a host responds with an echo request, attackers have successfully discovered a target IP address. You can configure the security device to monitor ICMP packets from one remote source to multiple addresses. For example, if a remote host sends ICMP traffic to 10 addresses in 0.005 seconds (5000 microseconds), the security device rejects the 11th and all further ICMP packets from that host for the remainder of that second.

Detection and Blocking Setting: Port Scan Protection
Description: A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different ports at the same destination IP address within a defined interval (5000 microseconds is the default). If a port responds with an available service, attackers have discovered a service to target. You can configure the security device to monitor TCP SYN segments from one remote source to multiple addresses. For example, if a remote host scans 10 ports in 0.005 seconds (5000 microseconds), the security device rejects all further packets from the remote source for the remainder of that second.
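The three screens in Table 1 share one shape: a per-source counter of distinct targets inside a short interval, plus a block that lasts until the next whole second, and a lookup of the source address against a route table or zone address book. The following Python model is an added example, not ScreenOS code or Juniper's own implementation; the `Packet` record, the `ScreenDetector` class, the `route_table_spoof_check` and `zone_spoof_check` helpers and the sample traffic are all constructed here. It assumes, as the address-sweep example on the page states, that the 11th distinct target within the interval is the one that trips the block, and it applies the same rule to ports for the port-scan case; the route-table check is a reverse-path check (source must have a route, and that route must point out the ingress interface).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ONE_SECOND_US = 1_000_000  # timestamps are integer microseconds


@dataclass(frozen=True)
class Packet:
    ts_us: int            # arrival time in microseconds
    src: str              # source IP address
    dst: str              # destination IP address
    kind: str             # "icmp" or "tcp-syn"
    dport: int = 0        # destination port (TCP only)
    iface: str = ""       # ingress interface, used by the spoof check


class ScreenDetector:
    """Simplified model of the address-sweep and port-scan screens (assumption).

    A source that reaches more than `max_targets` distinct targets within
    `threshold_us` microseconds is dropped for the remainder of the current
    second. The 11th distinct target trips the block, as the page's sweep
    example states; the same rule is applied to ports for port scans.
    """

    def __init__(self, threshold_us: int = 5000, max_targets: int = 10):
        self.threshold_us = threshold_us
        self.max_targets = max_targets
        self._events = {}         # key -> [(ts, target), ...] inside the interval
        self._blocked_until = {}  # key -> timestamp at which the block expires

    def _evaluate(self, key, ts, target) -> str:
        until = self._blocked_until.get(key)
        if until is not None:
            if ts < until:
                return "drop"     # still inside the penalised second
            del self._blocked_until[key]
        # Keep only the events that fall inside the detection interval.
        window = [(t, g) for t, g in self._events.get(key, [])
                  if ts - t <= self.threshold_us]
        window.append((ts, target))
        self._events[key] = window
        if len({g for _, g in window}) > self.max_targets:
            # Reject the rest of this source's traffic until the next whole second.
            self._blocked_until[key] = (ts // ONE_SECOND_US + 1) * ONE_SECOND_US
            self._events[key] = []
            return "drop"
        return "pass"

    def inspect(self, pkt: Packet) -> str:
        if pkt.kind == "icmp":
            # Address sweep: one source, many destination hosts.
            return self._evaluate(("sweep", pkt.src), pkt.ts_us, pkt.dst)
        if pkt.kind == "tcp-syn":
            # Port scan: one source, many ports on the same destination host.
            return self._evaluate(("scan", pkt.src, pkt.dst), pkt.ts_us, pkt.dport)
        return "pass"


def route_table_spoof_check(pkt: Packet, route_table) -> str:
    """Interface-based spoof protection (Route/NAT mode): drop if the source
    has no route, or its longest-match route points out a different interface
    than the one the packet arrived on. `route_table` is [(prefix, iface), ...]."""
    src = ip_address(pkt.src)
    best = None
    for prefix, iface in route_table:
        net = ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None or best[1] != pkt.iface:
        return "drop"
    return "pass"


def zone_spoof_check(pkt: Packet, zone_addresses) -> str:
    """Zone-based spoof protection (Transparent mode): the source must fall
    inside one of the zone's address-book prefixes."""
    src = ip_address(pkt.src)
    return "pass" if any(src in ip_network(p) for p in zone_addresses) else "drop"


def run(packets, threshold_us: int = 5000, max_targets: int = 10):
    """Feed packets through one detector and return the per-packet decisions."""
    det = ScreenDetector(threshold_us, max_targets)
    return [det.inspect(p) for p in packets]


if __name__ == "__main__":
    # Constructed sample: one source pings 11 hosts 100 microseconds apart.
    sweep = [Packet(i * 100, "203.0.113.5", f"198.51.100.{i + 1}", "icmp")
             for i in range(11)]
    print(run(sweep))  # first 10 pass, the 11th is dropped
```

The same packets spread over a longer interval (for example one per 1000 microseconds) stay below the threshold, because only six distinct targets ever fall inside the 5000-microsecond window at once; this is why the interval is a tunable setting rather than a fixed value.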
Published: 2009-08-20