Anti-Portscan

The Network Protection > Intrusion Prevention > Anti-Portscan tab lets you configure general portscan detection options.

Portscans are used by hackers to probe secured systems for available services: In order to intrude into a system or to start a DoSClosed Denial of Service attack, attackers need information on network services. If this information is available, attackers might take advantage of the security deficiencies of these services. Network services using the TCPClosed Transmission Control Protocol and UDPClosed User Datagram Protocol Internet protocols can be accessed via special ports and this port assignment is generally known, for example the SMTPClosed Simple Mail Transfer Protocol service is assigned to the TCP port 25. Ports that are used by the services are referred to as open, since it is possible to establish a connection to them, whereas unused ports are referred to as closed; every attempt to connect with them will fail. Attackers try to find the open ports with the help of a particular software tool, a port scanner. This program tries to connect with several ports on the destination computer. If it is successful, the tool displays the relevant ports as open and the attackers have the necessary information, showing which network services are available on the destination computer.

Since there are 65535 distinct and usable port numbers for the TCP and UDP Internet protocols, the ports are scanned at very short intervals. If the gateway detects an unusually large number of attempts to connect to services, especially if these attempts come from the same source address, the gateway is most likely being port scanned. If an alleged attacker performs a scan of hosts or services on your network, the portscan detection feature will recognize this. As an option, further portscans from the same source address can be blocked automatically. Please note that the portscan detection is limited to Internet interfaces, i.e. interfaces with a default gateway.

Technically speaking, a portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The detection score is calculated as follows:

  • Scan of a TCP destination port less than 1024 = 3 points
  • Scan of a TCP destination port greater or equal 1024 = 1 point

To enable portscan detection, proceed as follows:

  1. On the Anti-Portscan tab, enable Portscan Detection.

    Click the toggle switch.

    The toggle switch turns green and the Global Settings area becomes editable.

  2. Specify the following settings:

    Action: The following actions are available:

    • Log event only: No measures are taken against the portscan. The event will be logged only.
    • Drop traffic: Further packets of the portscan will be silently dropped. A port scanner will report these ports as filtered.
    • Reject traffic: Further packets of the portscan will be dropped and an ICMP "destination unreachable/port unreachable" response will be sent to the originator. A port scanner will report these ports as closed.

    Limit logging: Enable this option to limit the amount of log messages. A portscan detection may generate many logs while the portscan is being carried out. For example, each SYN packet that is regarded as belonging to the portscan will generate an entry in the firewall log. Selecting this option will restrict logging to five lines per second.

  3. Click Apply.

    Your settings will be saved.