Configuring TCP Port Scan Attack Screen
This topic describes how to configure detection of a TCP port scan attack.
A port scan occurs when one source IP address sends an IP packet containing TCP SYN segments to a defined number of different ports at the same destination IP address within a defined interval.
To enable detection of a TCP port scan attack:
- Configure interfaces and assign an IP address to interfaces.
[edit] user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.0/24 user@host# set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.0/24
- Configure security zones
trustZone
anduntrustZone
and assign interfaces to them.[edit] user@host# set security zones security-zone trustZone host-inbound-traffic system-services all user@host# set security zones security-zone trustZone host-inbound-traffic protocols all user@host# set security zones security-zone trustZone interfaces ge-0/0/1.0 user@host# set security zones security-zone untrustZone host-inbound-traffic system-services all user@host# set security zones security-zone untrustZone host-inbound-traffic protocols all user@host# set security zones security-zone untrustZone interfaces ge-0/0/3.0
- Configure security policies from
untrustZone
totrustZone
.[edit] user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match source-address any user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match destination-address any user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 match application any user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then permit user@host# set security policies default-policy deny-all
- Configure security screens and attach them to
untrustZone
.[edit] user@host# set security screen ids-option untrustScreen tcp port-scan user@host# set security screen ids-option untrustScreen alarm-without-drop user@host# set security zones security-zone untrustZone screen untrustScreen
- Configure syslog.
[edit] user@host# set system syslog file syslog any any user@host# set system syslog file syslog archive size 10000000 user@host# set system syslog file syslog explicit-priority user@host# set system syslog file syslog structured-data user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-init user@host# set security policies from-zone untrustZone to-zone trustZone policy policy1 then log session-close
- Commit the configuration.
[edit] user@host# commit