
It seems like Anti-Portscan is causing packet loss...

Not sure why, but every time I enable Anti-Portscan I notice a lot of packet loss while gaming or streaming YouTube videos. Netflix doesn't seem to be affected for whatever reason. Typically it goes like this: I get home from work and hop on my computer to de-stress. Load up some YouTube videos to watch. I've currently got Comcast business class @ 50 down and 10 up (best offered in my area... -_-). I shouldn't have any issue streaming in 720p, yet utilizing YouTube's 'auto' feature it continuously buffers until it degrades down to 240p. I've had Comcast out here to check the connection from my modem all the way to the node (which I have priority on) and there are no issues. My entire network is hard-wired via CAT6S and I'm utilizing gigabit via all my switches/modem/APs. I've checked my bandwidth utilization while watching YouTube videos and I'm utilizing next to nothing. I've followed the UTM tweak guide and made sure everything was set correctly. I've double-checked my firewall rules and consolidated a couple of them to clean up the rules. I've checked my modem status to ensure there isn't an issue regarding my SNR and dBmV power levels or error counts. Everything is solid.

HOWEVER, when Anti-Portscan is enabled I'm seeing tons of packet loss via web-based services. Turning it off resolves the issue completely. Has anyone else noticed this?

  • Hi,

    Greetings.

    Portscans are used by hackers to probe secured systems for available services, in order to intrude into a system or to start a DoS attack.

    Network services using the TCP and UDP Internet protocols can be accessed via special ports, and this port assignment is generally known; for example, the SMTP service is assigned to TCP port 25. Ports that are used by services are referred to as open, since it is possible to establish a connection to them, whereas unused ports are referred to as closed; every attempt to connect to them will fail. Attackers try to find the open ports with the help of a particular software tool, a port scanner. This program tries to connect to several ports on the destination computer. If it is successful, the tool displays the relevant ports as open and the attackers have the necessary information, showing which network services are available on the destination computer.

    Since there are 65535 distinct and usable port numbers for the TCP and UDP Internet protocols, the ports are scanned at very short intervals. If the gateway detects an unusually large number of attempts to connect to services, especially if these attempts come from the same source address, the gateway is most likely being port scanned. If an alleged attacker performs a scan of hosts or services on your network, the portscan detection feature will recognize this. As an option, further portscans from the same source address can be blocked automatically. Please note that the portscan detection is limited to Internet interfaces, i.e. interfaces with a default gateway.

    Technically speaking, a portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The detection score is calculated as follows:

    • Scan of a TCP destination port less than 1024 = 3 points
    • Scan of a TCP destination port greater than or equal to 1024 = 1 point

    Hence, while gaming and YouTube streaming, a large number of attempts to connect to services might be a reason for such drops.

    You can configure the Port Scan settings to the "Log event only" option; this will log the event and not drop the traffic.

    Hope that helps.

    Thanks

    Sachin Gurung