ZyXEL UAG715 User Guide - Page 328
Port Sweeps, Filtered Port Scans, Flood Detection, ICMP Flood Attack, Smurf
Page 328 highlights
Chapter 27 ADP

• TCP Distributed Portscan
• UDP Distributed Portscan
• IP Distributed Portscan

Port Sweeps

Many different connection attempts to the same port (service) may indicate a port sweep, that is, they are one-to-many port scans. One host scans a single port on multiple hosts. This may occur when a new exploit comes out and the attacker is looking for a specific service. These are some port sweep types:

• TCP Portsweep
• UDP Portsweep
• IP Portsweep
• ICMP Portsweep

Filtered Port Scans

A filtered port scan may indicate that there were no network errors (ICMP unreachables or TCP RSTs) or that responses on closed ports have been suppressed. Active network devices, such as NAT routers, may trigger these alerts if they send out many connection attempts within a very small amount of time. These are some filtered port scan examples:

• TCP Filtered Portscan
• UDP Filtered Portscan
• TCP Filtered Decoy Portscan
• UDP Filtered Decoy Portscan
• TCP Filtered Portsweep
• UDP Filtered Portsweep
• ICMP Filtered Portsweep
• TCP Filtered Distributed Portscan
• IP Filtered Distributed Portscan
• IP Filtered Portscan
• IP Filtered Decoy Portscan
• IP Filtered Portsweep
• UDP Filtered Distributed Portscan

Flood Detection

Flood attacks saturate a network with useless data, use up all available bandwidth, and therefore make communications in the network impossible.

ICMP Flood Attack

An ICMP flood broadcasts many pings or UDP packets so that so much data is sent to the system that it slows down or locks up.

Smurf

A smurf attacker (A) floods a router (B) with Internet Control Message Protocol (ICMP) echo request packets (pings) with the destination IP address of each packet as the broadcast address of the network. The router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic.
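The Port Sweeps and Filtered Port Scans descriptions above can be expressed as detection logic over connection records. The following is an added example, not ZyXEL's ADP implementation: the record layout, the 10-second window, the 5-host threshold and the sample events are all assumptions, and it covers only the TCP and UDP cases.

```python
from collections import defaultdict

# Replies that count as "network errors" in the manual's wording.
ERROR_REPLIES = {"rst", "icmp_unreach"}

# Constructed sample records: (time_s, src, dst, proto, dport, reply).
# reply is what came back from the target; None means silence.
EVENTS = (
    # One source, TCP/445 against six hosts, some answer with RST.
    [(i * 0.5, "10.0.0.5", f"192.168.1.{10 + i}", "tcp", 445,
      "rst" if i % 2 else None) for i in range(6)]
    # One source, UDP/161 against six hosts, no error replies at all.
    + [(i * 0.5, "10.0.0.9", f"192.168.1.{10 + i}", "udp", 161, None)
       for i in range(6)]
    # Slow administrative SSH logins, spread far wider than the window.
    + [(i * 30.0, "10.0.0.7", f"192.168.1.{10 + i}", "tcp", 22, "synack")
       for i in range(6)]
)

def detect_portsweeps(events, window=10.0, min_hosts=5):
    """Flag one-to-many sweeps: one source, one port, many destination hosts.

    window and min_hosts are assumed thresholds, not values from the manual.
    """
    by_key = defaultdict(list)
    for t, src, dst, proto, dport, reply in sorted(events, key=lambda e: e[0]):
        by_key[(src, proto, dport)].append((t, dst, reply))

    alerts = []
    for (src, proto, dport), hits in by_key.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window so it never spans more than `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            hosts = {dst for _, dst, _ in span}
            if len(hosts) >= min_hosts:
                # "Filtered": no RST or ICMP unreachable seen in the window.
                filtered = not any(r in ERROR_REPLIES for _, _, r in span)
                name = f"{proto.upper()} {'Filtered ' if filtered else ''}Portsweep"
                alerts.append((name, src, dport, len(hosts)))
                break  # one alert per source/port pair
    return alerts

if __name__ == "__main__":
    for alert in detect_portsweeps(EVENTS):
        print(alert)
```

A NAT router that opens many connections in a short time appears here as a single source and trips the same logic, which is the false positive the manual describes.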