About Port and IP Address Scans

Attackers frequently look for open ports as starting points to launch network attacks. A port scan is TCP or UDP traffic that is sent to a range of ports. These ports can be in sequence or random, from 0 to 65535. An IP scan is TCP or UDP traffic that is sent to a range of network addresses. Port scans examine a computer to find the services that it uses. IP address scans examine a network to see which network devices are on that network.

For more information about ports, see About Ports.

How the Firebox Identifies Network Scans

An IP address space scan is identified when a computer sends a specified number of packets to different IP addresses assigned to a Firebox interface. To identify a port scan, your Firebox counts the number of packets sent from one IP address to any Firebox interface IP address. The addresses can include the primary IP addresses and any secondary IP addresses configured on the interface. If the number of packets sent to different IP addresses or destination ports in one second is larger than the number you select, the source IP address is added to the Blocked Sites list.

When the Block Port Scan and Block IP Scan check boxes are selected, all incoming traffic on all interfaces is examined by the Firebox . You cannot disable these features for specified IP addresses, specified Firebox interfaces, or different time periods.

To Protect Against Port Scan and IP Address Scans

The default configuration of the Firebox blocks network scans. You can change the settings for this feature, and change the maximum allowed number of address or port scans per second for each source IP address (the default value is 10).

To protect against network port scans, from Fireware Web UI:

  1. Select Firewall > Default Packet Handling.
    The Default Packet Handling page appears.

Screen shot of the Default Packet Handling page

  1. Select or clear the Block Port Scan and the Block IP Scan check boxes.
  2. Type the maximum number of address or port scans to allow per second from the same IP address. The default for each is 10 per second. This means that a source is blocked if it initiates connections to 10 different ports or hosts within one second.
  3. Click Save.

To protect against network port probes, from Policy Manager:

  1. Click .
    Or, select Setup > Default Threat Protection > Default Packet Handling.
    The Default Packet Handling dialog box appears.

Screen shot of the Default Packet Handling dialog box

  1. Select or clear the Block Port Scan and the Block IP Scan check boxes.
  2. Click the arrows to select the maximum number of address or port scans to allow per second from the same IP address. The default for each is 10 per second. This means that a source is blocked if it initiates connections to 10 different ports or hosts within one second.
  3. Click OK.

To block attackers more quickly, you can set the threshold for the maximum allowed number of address or port scans per second to a lower value. If the number is set too low, the Firebox could also deny legitimate network traffic . You are less likely to block legitimate network traffic if you use a higher number, but the Firebox must send TCP reset packets for each connection it drops. This uses bandwidth and resources on the Firebox and provides the attacker with information about your firewall.

See Also

About Default Packet Handling Options

Give Us Feedback     Get Support     All Product Documentation     Technical Search