How to block source IP of port scans

  • We have an ISG-1000 with IDP functionality. Software version is 6.3.0r7. I did a search to find the answer but was unable to.  I see KB5106 that states the ISG-1000 firewall detects and blocks port scans:

    “A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different ports at the same destination IP address within a defined interval (5000 microseconds is the default). The purpose of this scheme is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target. The security device internally logs the number of different ports scanned from one remote source. Using the default settings, if a remote host scans 10 ports in 0.005 seconds (5000 microseconds), the security device flags this as a port scan attack and rejects all further packets from the remote source (regardless of the destination IP address) for the remainder of that second.”

    We have port scan protection enabled and we do not have “send an alert without blocking traffic” enabled. Aside from being confused on the “rejects all further packets from the source for the remainder of that second” part, we just would like for any time a port scan screen alert is fired that the source address be put in a block for ANY activity. Any time an external source scans us, we get thousands of the “port scan detected” alerts, so I am not sure how it is blocking anything. Between the firewall and the IDP (we have IDP functionality on the firewall), I just can’t believe there is no way to achieve this. I have a ticket open with Juniper support, but to this point they are telling me this cannot be done.

    Does anyone know if this is possible and, if so, how? Any assistance is greatly appreciated.
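As an added illustration of the behavior the quoted KB text describes, the following Python model implements that heuristic over constructed SYN records. It is not code from the original post, from Juniper, or from ScreenOS: the 5000 µs sliding window per source/destination pair, dropping the triggering packet itself, and restarting the count once the second ends are assumptions chosen to match the quoted wording, and the addresses and scan rates are constructed.

```python
"""Model of the port-scan screen as the quoted KB text describes it: ten distinct
destination ports from one source within 5000 us, then reject everything from that
source (any destination) until the end of the current second.
Added illustration, NOT ScreenOS code; window and end-of-second details are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

DEFAULT_THRESHOLD_US = 5_000   # default interval quoted in the KB text
PORT_COUNT = 10                # distinct ports that constitute a scan
ONE_SECOND_US = 1_000_000


@dataclass(frozen=True)
class Syn:
    t_us: int     # absolute time in microseconds
    src: str
    dst: str
    dport: int


@dataclass
class PortScanScreen:
    threshold_us: int = DEFAULT_THRESHOLD_US
    port_count: int = PORT_COUNT
    alarm_without_drop: bool = False   # the "send an alert without blocking traffic" option
    alerts: list = field(default_factory=list)
    _recent: dict = field(default_factory=lambda: defaultdict(list))   # (src, dst) -> [(t, dport)]
    _blocked_until: dict = field(default_factory=dict)                 # src -> block expiry (us)

    def handle(self, pkt: Syn) -> str:
        """Return "pass" or "drop" for one TCP SYN."""
        if pkt.t_us < self._blocked_until.get(pkt.src, -1):
            return "drop"                  # blocked source: any destination, any port
        key = (pkt.src, pkt.dst)
        cutoff = pkt.t_us - self.threshold_us
        recent = [(t, p) for (t, p) in self._recent[key] if t >= cutoff]   # sliding window
        recent.append((pkt.t_us, pkt.dport))
        self._recent[key] = recent
        if len({p for _, p in recent}) >= self.port_count:
            self.alerts.append((pkt.t_us, pkt.src, pkt.dst))
            recent.clear()                 # assumption: counting restarts after an alert
            if not self.alarm_without_drop:
                # assumption: the block lasts until the end of the current wall-clock second
                self._blocked_until[pkt.src] = (pkt.t_us // ONE_SECOND_US + 1) * ONE_SECOND_US
                return "drop"
        return "pass"


def simulate_scan(seconds: int, interval_us: int, alarm_without_drop: bool = False,
                  src: str = "203.0.113.5", dst: str = "198.51.100.10"):
    """Constructed scanner: one SYN every interval_us to consecutive ports for `seconds`.
    Returns (number of alerts raised, {verdict: packet count})."""
    screen = PortScanScreen(alarm_without_drop=alarm_without_drop)
    verdicts = defaultdict(int)
    port = 1
    for t in range(0, seconds * ONE_SECOND_US, interval_us):
        verdicts[screen.handle(Syn(t, src, dst, port))] += 1
        port = port % 65535 + 1
    return len(screen.alerts), dict(verdicts)


def blocks_other_destinations() -> bool:
    """After a scan of one host is flagged, a SYN from the same source to a different
    host in the same second is also rejected ("regardless of the destination IP")."""
    screen = PortScanScreen()
    for i in range(10):                    # 10 distinct ports within 900 us -> flagged
        screen.handle(Syn(i * 100, "203.0.113.5", "198.51.100.10", 1000 + i))
    return screen.handle(Syn(5_000, "203.0.113.5", "198.51.100.20", 80)) == "drop"


if __name__ == "__main__":
    print("fast scan (5000 pps), blocking   :", simulate_scan(3, 200))
    print("fast scan (5000 pps), alarm only :", simulate_scan(3, 200, alarm_without_drop=True))
    print("slow scan (1000 pps)             :", simulate_scan(1, 1_000))
    print("block covers other destinations  :", blocks_other_destinations())
```

Under this reading of the quoted text, a continuous fast scan yields one alert per source per second, with the rest of that second's SYNs dropped and the count starting over at the next second, while "alert without blocking" raises an alert for every ten ports and drops nothing. A scanner that spreads fewer than ten ports across any 5000 µs window never crosses the threshold at all, which is the caveat to keep in mind when treating the screen as a block rather than a detector.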