Protection Against Scans, Spoofs, and Sweeps
Attackers often perform address sweeps or port scans to gather targeted information about a network. After they have identified trusted addresses or ports, they might launch an attack against the network by spoofing a trusted IP address. To protect targets in the zone from sweeps, scans, and spoofing attempts, configure the detection and blocking settings described in Table 1.
Table 1: Detection and Blocking Settings
IP Address Spoof Protection
Attackers can insert a bogus source address in a packet header to make the packet appear to come from a trusted source. When the interfaces in the zone operate in Route or NAT mode, the security device relies on route table entries to identify IP spoofing attempts. When the interfaces in the zone operate in Transparent mode, the security device relies on address book entries to identify IP spoofing attempts.
IP Address Sweep Protection
An address sweep occurs when one source IP address sends 10 ICMP packets to different hosts within a defined interval. If a host responds to the echo request, attackers have successfully discovered a target IP address. You can configure the security device to monitor ICMP packets sent from one remote source to multiple addresses. For example, if a remote host sends ICMP traffic to 10 addresses in 0.005 seconds (5000 microseconds), the security device rejects the 11th and all further ICMP packets from that host for the remainder of that second.
Port Scan Protection
A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different ports at the same destination IP address within a defined interval (5000 microseconds is the default). If a port responds, revealing an available service, attackers have discovered a service to target. You can configure the security device to monitor TCP SYN segments sent from one remote source to multiple ports at one destination address. For example, if a remote host scans 10 ports in 0.005 seconds (5000 microseconds), the security device rejects all further packets from the remote source for the remainder of that second.
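The following is an added example, not part of the original documentation and not the security device's own code: a Python model of the sweep and port scan thresholds described in the two rows above, run over constructed traffic. It shows that the tenth distinct host (ICMP) or port (TCP SYN) within the 5000 microsecond interval trips the screen, that the eleventh packet onward is rejected until the end of that second (ICMP only for a sweep, all traffic for a scan), and that the same number of probes spread 1 ms apart never reaches the threshold. The addresses, timings and the "icmp"/"tcp-syn" labels are constructed for the example.

```python
from collections import defaultdict, deque, namedtuple

THRESHOLD = 10        # distinct hosts (sweep) or ports (scan) that trip the screen
INTERVAL_US = 5000    # the table's default interval, 5000 microseconds
SECOND_US = 1_000_000
# constructed packet record; ts_us is arrival time in microseconds, proto is "icmp" or "tcp-syn"
Packet = namedtuple("Packet", "ts_us src dst proto dport", defaults=(0,))
class ScreenSimulator:
    def __init__(self, threshold=THRESHOLD, interval_us=INTERVAL_US):
        self.threshold, self.interval_us = threshold, interval_us
        self.icmp_hist = defaultdict(deque)   # src -> (ts, dst) seen within the interval
        self.syn_hist = defaultdict(deque)    # (src, dst) -> (ts, dport) within the interval
        self.blocked = {}                     # src -> (until_ts, "icmp" | "all")

    def _distinct_in_window(self, hist, now, item):
        while hist and now - hist[0][0] > self.interval_us:   # expire entries older than the interval
            hist.popleft()
        hist.append((now, item))
        return len({x for _, x in hist})

    def inspect(self, pkt):
        """Return 'permit' or 'reject' for one packet, updating detector state."""
        until, scope = self.blocked.get(pkt.src, (0, None))
        if pkt.ts_us < until and scope in ("all", pkt.proto):
            return "reject"
        if pkt.proto == "icmp":       # sweep: only further ICMP from this source is rejected
            hist, item, new_scope = self.icmp_hist[pkt.src], pkt.dst, "icmp"
        elif pkt.proto == "tcp-syn":  # scan: all further packets from this source are rejected
            hist, item, new_scope = self.syn_hist[(pkt.src, pkt.dst)], pkt.dport, "all"
        else:
            return "permit"
        if self._distinct_in_window(hist, pkt.ts_us, item) >= self.threshold:  # 10th passes; block rest of second
            self.blocked[pkt.src] = ((pkt.ts_us // SECOND_US + 1) * SECOND_US, new_scope)
        return "permit"

def sweep_demo():
    # constructed: 12 pings to different hosts 400 us apart, then a SYN, then a ping in the next second
    sim, src = ScreenSimulator(), "203.0.113.5"
    pkts = [Packet(100 + 400 * i, src, f"10.0.0.{i + 1}", "icmp") for i in range(12)]
    pkts.append(Packet(5000, src, "10.0.0.50", "tcp-syn", 80))    # not ICMP: sweep block does not apply
    pkts.append(Packet(SECOND_US + 10, src, "10.0.0.1", "icmp"))  # new second: block has expired
    return [sim.inspect(p) for p in pkts]

def scan_demo():
    # constructed: 11 SYNs to one host 100 us apart, then a ping; a 1 ms-spaced scan never reaches 10
    sim, src, dst = ScreenSimulator(), "198.51.100.7", "10.0.0.50"
    fast = [Packet(2 * SECOND_US + 100 * i, src, dst, "tcp-syn", 1 + i) for i in range(11)]
    fast.append(Packet(2 * SECOND_US + 1200, src, "10.0.0.9", "icmp"))  # any protocol is rejected
    slow = [Packet(3 * SECOND_US + 1000 * i, "192.0.2.9", dst, "tcp-syn", 1 + i) for i in range(12)]
    return [sim.inspect(p) for p in fast + slow]
```

The slow scanner in scan_demo never has more than six distinct ports inside any 5000 microsecond window, which is why a threshold tied to an interval catches the burst but not the spread-out probe.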