How to Block an IP for a Specific Period upon Detecting Port Scan or Host Sweep


Symptoms

This article describes how to block traffic from a source IP, or from a particular source and destination IP pair, for a specific period of time when a port scan or host sweep is detected.

Diagnosis

Using the Reconnaissance Protection settings, you can track and block a port scan or host sweep by source IP, or by the combination of source and destination IP, for a specific period. When a port scan or host sweep is detected for a tracked source IP (or source and destination pair), further traffic from that source IP (or from that source to that destination) is dropped for the specified interval.

Solution

To configure the Block IP feature in Reconnaissance Protection:


  1. In the WebGUI, go to Network > Network Profiles > Zone Protection > Zone Protection Profile > Reconnaissance Protection.
  2. Change the Action from Alert to Block IP and set Track By to either Source or Source and Destination IP, depending on your requirement.

  3. After selecting the Track By field, set the Duration (in seconds); the minimum value is 1 second and the maximum value is 3600 seconds. When port scan or host sweep protection is triggered, all further traffic from that source IP, or from that source IP to that destination IP (depending on the option selected in the Track By field), is blocked for the specified period.


  4. Commit the changes to make them active.
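To make the tracking and expiry semantics of the steps above concrete, here is an added Python simulation of the Block IP action; it is not PAN-OS code, and the scan threshold, window, sample addresses and flows are constructed for illustration. A tracking key is the source IP or the source/destination pair, a scan is declared once enough distinct destination ports are seen within the window, and the key then sits in a block table for the configured duration (1 to 3600 seconds), after which tracking starts afresh.

```python
from collections import defaultdict

class ReconBlocker:
    """Models the Block IP action: key = source or (source, destination)."""

    def __init__(self, track_by="source", threshold=10, interval=2.0, duration=300):
        if not 1 <= duration <= 3600:
            raise ValueError("duration must be 1..3600 seconds")
        if track_by not in ("source", "source-and-destination"):
            raise ValueError("track_by must be 'source' or 'source-and-destination'")
        self.track_by = track_by
        self.threshold = threshold      # distinct dst ports that count as a scan (constructed)
        self.interval = interval        # sliding window in seconds (constructed)
        self.duration = duration        # block time in seconds, as set in the profile
        self.seen = defaultdict(list)   # key -> [(timestamp, dst_port), ...]
        self.block_table = {}           # key -> timestamp at which the block expires

    def _key(self, src, dst):
        return src if self.track_by == "source" else (src, dst)

    def handle(self, ts, src, dst, dst_port):
        """Decide 'allow' or 'drop' for one packet at time ts and update state."""
        key = self._key(src, dst)
        expiry = self.block_table.get(key)
        if expiry is not None:
            if ts < expiry:
                return "drop"           # still inside the block period
            del self.block_table[key]   # block aged out; start tracking afresh
            self.seen[key].clear()
        hist = [(t, p) for t, p in self.seen[key] if ts - t <= self.interval]
        hist.append((ts, dst_port))
        self.seen[key] = hist
        if len({p for _, p in hist}) >= self.threshold:
            self.block_table[key] = ts + self.duration
            return "drop"               # scan detected: block from now on
        return "allow"

    def blocked(self, ts):
        """Keys still blocked at time ts, like a block-table listing."""
        return sorted(k for k, e in self.block_table.items() if ts < e)

def demo():
    """Constructed flows: 203.0.113.7 probes 5 ports of 192.0.2.10 within half a second."""
    b = ReconBlocker(track_by="source", threshold=5, interval=2.0, duration=60)
    decisions = [b.handle(i * 0.1, "203.0.113.7", "192.0.2.10", 1000 + i) for i in range(6)]
    during = b.handle(30.0, "203.0.113.7", "192.0.2.10", 80)   # inside the 60 s block
    listing = b.blocked(30.0)
    after = b.handle(61.0, "203.0.113.7", "192.0.2.10", 80)    # block has expired
    return decisions, during, listing, after
```

Calling demo() shows the fifth probe and everything after it dropped, the source listed in the block table during the 60 seconds, and traffic allowed again once the duration has elapsed.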

Comments

Anyone know how I can see the IP addresses that are blocked by a port scan?

> debug dataplane show dos block-table

Why can't this be set to forever? I can see reasons to allow port scans on some occasions, but for most of us we don't want just anyone running port scans on our externally facing IPs. Why isn't this something that is more commonplace with firewalls, to have it automatically block port scans instead of requiring the end user to turn it on? Out of the box it should be automatic, and if you want to change it then you can go in and do so, but for me, and as I said I'm sure there are many others that feel the same, this should be something that is on by default and blocks these scanning jerks forever. As far as spoofers and misidentifying someone, there are methods out there to ensure someone isn't spoofing and to positively ID them. In any event I'd rather go with caution and have them blocked than not and have all of these scanning attempts take place.

Sometimes port scans can be accidental or could be launched from a shared environment (and this is quite common) that may have legitimate use. For automated firewall intervention the maximum block time is 3600 seconds, but for more advanced blocking capabilities you could look into EDLs (External Dynamic Lists), which you can populate with externally obtained lists of bad IPs/domains, or from an integration with MineMeld that can be set to pick up exactly those IP addresses that are scanning your environment and add them to an EDL, which you set to block (and possibly report, so you can still have an overview of the volume of scans) in your security policy.