IP Address Sweep and Port Scan

An address sweep occurs when one source IP address sends a predefined number of ICMP packets to various hosts within a predefined interval of time. Port scanning occurs when one source IP address sends IP packets containing TCP SYN segments to a predefined number of different ports at the same destination IP address within a predefined time interval. For more information, see the following topics:

Understanding Network Reconnaissance Using IP Options

The IP standard RFC 791, Internet Protocol, specifies a set of options for providing special routing controls, diagnostic tools, and security.

RFC 791 states that these options are “unnecessary for the most common communications” and, in reality, they rarely appear in IP packet headers. These options appear after the destination address in an IP packet header, as shown in Figure 1. When they do appear, they are frequently being put to some illegitimate use.

Figure 1: Routing Options

This topic contains the following sections:

Uses for IP Packet Header Options

Table 1 lists the IP options and their accompanying attributes.

Table 1: IP Options and Attributes

| Type | Class | Number | Length | Intended Use | Nefarious Use |
|---|---|---|---|---|---|
| End of Options | 0* | 0 | 0 | Indicates the end of one or more IP options. | None. |
| No Options | 0 | 1 | 0 | Indicates there are no IP options in the header. | None. |
| Security | 0 | 2 | 11 bits | Provides a way for hosts to send security, TCC (closed user group) parameters, and Handling Restriction Codes compatible with Department of Defense (DoD) requirements. (This option, as specified in RFC 791, Internet Protocol, and RFC 1038, Revised IP Security Option, is obsolete.) Currently, this screen option is applicable only to IPv4. | Unknown. However, because it is obsolete, its presence in an IP header is suspect. |
| Loose Source Route | 0 | 3 | Varies | Specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other devices in between those specified. | Evasion. The attacker can use the specified routes to hide the true source of a packet or to gain access to a protected network. |
| Record Route | 0 | 7 | Varies | Records the IP addresses of the network devices along the path that the IP packet travels. The destination machine can then extract and process the route information. (Due to the size limitation of 40 bytes for both the option and storage space, this can only record up to 9 IP addresses.) Currently, this screen option is applicable only to IPv4. | Reconnaissance. If the destination host is a compromised machine in the attacker's control, he or she can glean information about the topology and addressing scheme of the network through which the packet passed. |
| Stream ID | 0 | 8 | 4 bits | (Obsolete) Provided a way for the 16-bit SATNET stream identifier to be carried through networks that did not support the stream concept. Currently, this screen option is applicable only to IPv4. | Unknown. However, because it is obsolete, its presence in an IP header is suspect. |
| Strict Source Route | 0 | 9 | Varies | Specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field. Currently, this screen option is applicable only to IPv4. | Evasion. An attacker can use the specified routes to hide the true source of a packet or to gain access to a protected network. |
| Timestamp | 2** | 4 | | Records the time (in coordinated universal time [UTC]***) when each network device receives the packet during its trip from the point of origin to its destination. The network devices are identified by IP address. This option develops a list of IP addresses of the devices along the path of the packet and the duration of transmission between each one. Currently, this screen option is applicable only to IPv4. | Reconnaissance. If the destination host is a compromised machine in the attacker's control, he or she can glean information about the topology and addressing scheme of the network through which the packet has passed. |

* The class of options identified as 0 was designed to provide extra packet or network control.

** The class of options identified as 2 was designed for diagnostics, debugging, and measurement.

*** The timestamp uses the number of milliseconds since midnight UTC. UTC is also known as Greenwich Mean Time (GMT), which is the basis for the international time standard.

Screen Options for Detecting IP Options Used for Reconnaissance

The following screen options detect IP options that an attacker can use for reconnaissance or for some unknown but suspect purpose:

  • Record Route—Junos OS detects packets where the IP option is 7 (record route) and records the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.

  • Timestamp—Junos OS detects packets where the IP option list includes option 4 (Internet timestamp) and records the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.

  • Security—Junos OS detects packets where the IP option is 2 (security) and records the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.

  • Stream ID—Junos OS detects packets where the IP option is 8 (stream ID) and records the event in the screen counters list for the ingress interface. Currently, this screen option is applicable only to IPv4.

If a packet with any of the previous IP options is received, Junos OS flags this as a network reconnaissance attack and records the event for the ingress interface.
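
The check these four screen options perform can be reproduced offline for triage of captured headers. The following Python sketch is an added example, not Junos OS code: it walks the options area of an IPv4 header, splits each option type octet into class and number as in Table 1, and reports the record route, timestamp, security, and stream ID options. The names `ip_options`, `recon_hits`, and `build_header` and the sample headers are constructed for illustration.

```python
import struct

# (class, number) pairs from Table 1 that the four reconnaissance screens watch.
RECON = {(0, 7): "record-route", (2, 4): "timestamp",
         (0, 2): "security", (0, 8): "stream-id"}

def ip_options(packet: bytes):
    """Yield (class, number, data) for each option in an IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    opts, i = packet[20:ihl], 0               # options follow the destination address
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of Options: stop parsing
            return
        if kind == 1:                         # No Operation: single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed option length")
        length = opts[i + 1]
        # Type octet: 1 copied bit, 2 class bits, 5 number bits.
        yield (kind >> 5) & 0x3, kind & 0x1F, opts[i + 2:i + length]
        i += length

def recon_hits(packet: bytes):
    """Names of the screened reconnaissance options present in the header."""
    return [RECON[(c, n)] for c, n, _ in ip_options(packet) if (c, n) in RECON]

def build_header(options: bytes = b"") -> bytes:
    """Constructed test input: IPv4 header (checksum left 0) plus options."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    return struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                       20 + len(options), 0, 0, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

# Constructed samples: Record Route (type 7) and Internet Timestamp (type 0x44).
RECORD_ROUTE = b"\x07\x07\x04" + bytes(4)
TIMESTAMP = b"\x44\x08\x05\x00" + bytes(4)

if __name__ == "__main__":
    print(recon_hits(build_header(b"\x01" + RECORD_ROUTE)))
    print(recon_hits(build_header(TIMESTAMP + b"\x82\x0b" + bytes(9))))
```

A header whose option length field runs past the header is rejected with `ValueError` rather than parsed, since malformed options deserve their own alert.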

Example: Detecting Packets That Use IP Screen Options for Reconnaissance

This example shows how to detect packets that use IP screen options for reconnaissance.

Requirements

Before you begin, understand how network reconnaissance works. See Understanding Network Reconnaissance Using IP Options.

Overview

RFC 791, Internet Protocol, specifies a set of options for providing special routing controls, diagnostic tools, and security. The screen options detect IP options that an attacker can use for reconnaissance, including record route, timestamp, security, and stream ID.

In this example, you configure an IP screen screen-1 and enable it in a security zone called zone-1.

Note:

You can enable only one screen in one security zone.

Topology

Configuration

Procedure

CLI Quick Configuration

To quickly detect packets with the record route, timestamp, security, and stream ID IP screen options, copy the following commands and paste them into the CLI.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To detect packets that use IP screen options for reconnaissance:

  1. Configure IP screen options.

    Note:

    Currently, these screen options support IPv4 only.

  2. Enable the screen in the security zone.

Results

From configuration mode, confirm your configuration by entering the show security screen command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Screens in the Security Zone

Purpose

Verify that the screen is enabled in the security zone.

Action

From operational mode, enter the show security zones command.

Verifying the Security Screen Configuration

Purpose

Display the configuration information about the security screen.

Action

From operational mode, enter the show security screen ids-option screen-name command.

Understanding IP Address Sweeps

An address sweep occurs when one source IP address sends a defined number of ICMP packets to different hosts within a defined interval (5000 microseconds is the default). The purpose of this attack is to send ICMP packets—typically echo requests—to various hosts in the hopes that at least one replies, thus uncovering an address to target.

Junos OS internally logs the number of ICMP packets to different addresses from one remote source. Using the default settings, if a remote host sends ICMP traffic to 10 addresses in 0.005 seconds (5000 microseconds), then the device flags this as an address sweep attack and rejects all further ICMP packets from that host for the remainder of the specified threshold time period. See Figure 2.

Figure 2: Address Sweep

Consider enabling this screen option for a security zone only if there is a policy permitting ICMP traffic from that zone. Otherwise, you do not need to enable the screen option. The lack of such a policy denies all ICMP traffic from that zone, precluding an attacker from successfully performing an IP address sweep anyway.

Note:

Junos OS supports this screen option for ICMPv6 traffic also.

Example: Blocking IP Address Sweeps

This example describes how to configure a screen to block an IP address sweep originating from a security zone.

Requirements

Before you begin:

Overview

You need to enable a screen for a security zone if you have configured a policy that permits ICMP traffic from that zone. If you have not configured such a policy, then your system denies all ICMP traffic from that zone, and the attacker cannot perform an IP address sweep successfully anyway.

In this example you configure a 5000-ip-sweep screen to block IP address sweeps originating in the zone-1 security zone.

Topology

Configuration

Procedure

Step-by-Step Procedure

To configure a screen to block IP address sweeps:

  1. Configure a screen.

  2. Enable the screen in the security zone.

  3. If you are done configuring the device, commit the configuration.

Verification

Confirm that the configuration is working properly.

Verifying the Screens in the Security Zone

Purpose

Verify that the screen is enabled in the security zone.

Action

From operational mode, enter the show security zones command.

Verifying the Security Screen Configuration

Purpose

Display the configuration information about the security screen.

Action

From operational mode, enter the show security screen ids-option screen-name command.

Understanding TCP Port Scanning

A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different destination ports within a defined interval (5000 microseconds is the default). The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target.

Junos OS internally logs the number of different ports scanned from one remote source. Using the default settings, if a remote host scans 10 ports in 0.005 seconds (5000 microseconds), then the device flags this as a port scan attack and rejects all further packets from the remote source, regardless of the destination IP address, for the remainder of the specified timeout period. See Figure 3.

Figure 3: Port Scan

Note:

Junos OS supports port scanning for both IPv4 and IPv6 traffic.
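
The counting rule described in Understanding IP Address Sweeps and in this section (10 distinct targets from one source within 5000 microseconds, then rejection for the remainder of the interval) can be modelled in a few lines for replaying flow records. The following Python sketch is an added example, not Junos OS code; the `ScanScreen` class, the `replay` helper, and the sample traffic are constructed. It assumes the interval starts at the first packet counted for a source and that the packet that reaches the limit is still permitted.

```python
class ScanScreen:
    """Flag a source that touches `limit` distinct targets within `threshold_us`."""

    def __init__(self, threshold_us=5000, limit=10):
        self.threshold_us, self.limit = threshold_us, limit
        self.window = {}    # source -> (interval start in microseconds, targets seen)
        self.alarms = []    # (timestamp, source) for each flagged sweep or scan

    def permit(self, ts_us, src, target):
        """Record one packet and return True if it is allowed through."""
        start, seen = self.window.get(src, (ts_us, set()))
        if ts_us - start >= self.threshold_us:    # interval over: start counting afresh
            start, seen = ts_us, set()
        before = len(seen)
        seen.add(target)
        self.window[src] = (start, seen)
        if before < self.limit <= len(seen):      # the packet that reaches the limit
            self.alarms.append((ts_us, src))
        return before < self.limit                # reject everything after the flag

def replay(screen, events):
    """Feed (timestamp_us, source, target) tuples through a screen."""
    return [screen.permit(*event) for event in events]

# Constructed sample traffic (documentation address ranges).
# Address sweep: target is the destination IP address.
FAST_SWEEP = [(i * 300, "203.0.113.5", f"198.51.100.{i + 1}") for i in range(12)]
SLOW_PINGS = [(i * 1000, "203.0.113.9", f"198.51.100.{i + 1}") for i in range(12)]
# Port scan: target is the destination port of a TCP SYN segment.
PORT_SCAN = [(i * 100, "203.0.113.5", 20 + i) for i in range(11)]

if __name__ == "__main__":
    for name, events in [("fast sweep", FAST_SWEEP), ("slow pings", SLOW_PINGS),
                         ("port scan", PORT_SCAN)]:
        screen = ScanScreen()
        print(name, replay(screen, events), screen.alarms)
```

The slow source never trips the screen because it reaches only five addresses per 5000-microsecond interval, which is the trade-off to keep in mind when choosing a threshold.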

Understanding UDP Port Scanning

UDP port scan provides statistical information based on a session threshold. Sessions are established as incoming packets traverse the screen. The session threshold is enforced per zone and source IP address: no more than 10 new sessions are allowed in the configured threshold period for each zone and source IP address. The UDP port scan is disabled by default. When the UDP port scan is enabled, the default threshold period is 5000 microseconds. You can manually set this value within a range of 1000-1,000,000 microseconds. This feature protects some exposed public UDP services against DDoS attacks. See Figure 4.

Figure 4: UDP Port Scan

Enhancing Traffic Management by Blocking Port Scans

This example shows how to enhance traffic management by configuring a screen to block port scans originating from a particular security zone.

Requirements

Before you begin, understand how port scanning works. See Understanding TCP Port Scanning.

Overview

You can use a port scan screen to block IP packets containing TCP SYN segments or UDP segments sent to different ports from the same source address within a defined interval. The purpose of a port scan attack is to scan the available services in the hopes that at least one port will respond. Once a port responds, it is identified as a service to target.

In this example, you configure a 5000-port-scan screen to block port scans originating from a particular security zone and then assign the screen to the zone called zone-1.

Topology

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a screen to block port scans:

  1. Configure the screen.

  2. Enable the screen in the security zone.

Results

From configuration mode, confirm your configuration by entering the show security screen ids-option 5000-port-scan and show security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Screens in the Security Zone

Purpose

Verify that the screen is enabled in the security zone.

Action

From operational mode, enter the show security zones command.

Meaning

The sample output shows that the screen for zone-1 is enabled for port scan blocking.

Verifying the Security Screen Configuration

Purpose

Verify the configuration information about the security screen.

Action

From operational mode, enter the show security screen ids-option screen-name command.

Meaning

The sample output shows that the port scan blocking is operational with TCP and UDP threshold.