Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 759 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Question about PortScanner

eclipse79oldacct
Hello, 
I have Portscanner function enabled (the action is Drop Traffic, Limit logging). I was wondering: when portscanner is detected, I think ASG should immediately block the traffic from the source ip, but I see in the log some entries in a short time lapse:

2010:09:26-10:25:40 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" dstmac="xx:xx:xx:xx:xx:xx:xx" srcmac="yy:yy:yy:yy:yy:yy:yy" srcip="58.218.204.110" dstip="my wan alias" proto="6" length="40" tos="0x00" prec="0x00" ttl="111" srcport="12200" dstport="73" tcpflags="SYN" 

2010:09:26-10:25:40 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" dstmac="xx:xx:xx:xx:xx:xx:xx" srcmac="yy:yy:yy:yy:yy:yy:yy" srcip="58.218.204.110" dstip="my wan alias" proto="6" length="40" tos="0x00" prec="0x00" ttl="111" srcport="12200" dstport="7212" tcpflags="SYN" 

2010:09:26-10:25:40 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" dstmac="xx:xx:xx:xx:xx:xx:xx" srcmac="yy:yy:yy:yy:yy:yy:yy" srcip="58.218.204.110" dstip="my wan alias" proto="6" length="40" tos="0x00" prec="0x00" ttl="111" srcport="12200" dstport="6588" tcpflags="SYN" 

2010:09:26-10:25:41 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" dstmac="xx:xx:xx:xx:xx:xx:xx" srcmac="yy:yy:yy:yy:yy:yy:yy" srcip="58.218.204.110" dstip="my public wan address" proto="6" length="40" tos="0x00" prec="0x00" ttl="110" srcport="12200" dstport="73" tcpflags="SYN" 

2010:09:26-10:25:42 firewall ulogd[3270]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" seq="0" initf="eth1" dstmac="xx:xx:xx:xx:xx:xx:xx" srcmac="yy:yy:yy:yy:yy:yy:yy" srcip="58.218.204.110" dstip="my public wan address" proto="6" length="40" tos="0x00" prec="0x00" ttl="110" srcport="12200" dstport="7212" tcpflags="SYN" 


I suppose I should see only the first one for each target IP, isn't it? Am I wrong? Is ASG really blocks these attacks or not?


This thread was automatically locked due to age.
Parents
  • 0
    Since the ASG can only drop the packets, you will continue to see them in the logs, but the packets are dropped.  Unless the scanning host is disables, or routing between the scanning host and the ASG is altered, those packets are still going to arrive at the ASG.

    Keep in mind that portscan detections against closed ports are doing much- the traffic would be dropped or rejected per the PF rules anyway.  Where portscan detection makes a real difference is in traffic allow through the ASG which behaves as a scan- then the previously allowed traffic will be blocked by portscan detection.

    Make sense?  Or have I misinterpreted the situation?
Reply
  • 0
    Since the ASG can only drop the packets, you will continue to see them in the logs, but the packets are dropped.  Unless the scanning host is disables, or routing between the scanning host and the ASG is altered, those packets are still going to arrive at the ASG.

    Keep in mind that portscan detections against closed ports are doing much- the traffic would be dropped or rejected per the PF rules anyway.  Where portscan detection makes a real difference is in traffic allow through the ASG which behaves as a scan- then the previously allowed traffic will be blocked by portscan detection.

    Make sense?  Or have I misinterpreted the situation?
Children
  • 0 in reply to Jack Daniel

    Keep in mind that portscan detections against closed ports are doing much- the traffic would be dropped or rejected per the PF rules anyway.  Where portscan detection makes a real difference is in traffic allow through the ASG which behaves as a scan- then the previously allowed traffic will be blocked by portscan detection.

    Make sense?  Or have I misinterpreted the situation?


    Thank you Jack! Now is all clear, I thought that ASG would temporary block all requests from the origin for x minutes.

    Thanks [:)]