
Configuring Port Scan Attack Defense

An attacker probes the network structure by scanning ports to determine which ports are currently enabled on the attacked host, and then chooses the attack mode accordingly.

Context

In a port scan attack, the attacker generally uses port scanning software to initiate connections to a series of TCP or UDP ports on a wide range of hosts. From the response packets, the attacker can determine whether the hosts provide services on those ports.

After port scan attack defense is configured, the FW checks received TCP and UDP packets. If the number of packets from one IP address to different ports within 1 second exceeds the preset threshold, the FW considers that the source IP address is initiating a port scan attack. Then, the FW takes one of the following actions for the source IP address:

  • If the blacklist function is enabled on the FW and the firewall defend action discard command is used, the FW adds the source IP address to the blacklist and discards the packets from this IP address.
  • If the blacklist function is disabled on the FW but the firewall defend action discard command is executed, the system still generates alarms and discards the packets.

If a source IP address is whitelisted, port scan attack defense will not be implemented for the source IP address.

Procedure

  1. In the user view, access the system view.

    system-view

  2. Enable the blacklist function.

    firewall blacklist enable

  3. Enable port scan attack defense.

    firewall defend port-scan enable

  4. Set the rate threshold for port scanning.

    firewall defend port-scan max-rate max-rate-number

    This command specifies the port scanning rate threshold. If the port scanning rate of a host exceeds the threshold, the device assumes that a port scan attack is occurring and blacklists the IP address.

    By default, the port scanning threshold is 4000 pps.

    The port scan rate is measured using the first packet of each IP packet as the base.

  5. Set the aging time for blacklisting the IP addresses of port scan attackers.

    firewall defend port-scan blacklist-timeout interval

    A blacklisted IP address is removed from the blacklist after the aging time elapses, after which the IP address becomes available again.

    By default, the aging time of the blacklist is 20 minutes, during which the packets sent by the attacker are discarded. You can adjust the aging time as required.

  6. Set the action to discard for single-packet attacks.

    firewall defend action discard
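The following Python model is an added illustration of the decision logic described in the Context section and parameterized by the commands in steps 4 and 5; it is not Huawei code and does not reproduce the FW's implementation. It assumes the simplifications stated in its comments: detection counts distinct destination ports per source IP within a 1-second window, the discard action is configured, a blacklist entry ages out after the configured timeout, and whitelisted sources are never inspected. The addresses, the low threshold and the 60-second aging time used in the demo are constructed values chosen to keep the run small.

```python
from dataclasses import dataclass

# Defaults taken from the page; the 1-second window is the FW's counting interval
WINDOW_SECONDS = 1.0
DEFAULT_MAX_RATE = 4000              # default port-scan threshold (pps)
DEFAULT_BLACKLIST_TIMEOUT = 20 * 60  # default blacklist aging time: 20 minutes, in seconds


@dataclass
class Packet:
    ts: float        # arrival time in seconds
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"; other protocols are not inspected


class PortScanDefense:
    """Toy model of the page's port scan defense decision (assumption: not vendor code)."""

    def __init__(self, max_rate=DEFAULT_MAX_RATE, blacklist_timeout=DEFAULT_BLACKLIST_TIMEOUT,
                 blacklist_enabled=True, whitelist=()):
        self.max_rate = max_rate                  # firewall defend port-scan max-rate
        self.blacklist_timeout = blacklist_timeout  # firewall defend port-scan blacklist-timeout
        self.blacklist_enabled = blacklist_enabled  # firewall blacklist enable
        self.whitelist = set(whitelist)
        self.windows = {}    # src_ip -> (window start, set of distinct dst ports seen)
        self.blacklist = {}  # src_ip -> time at which the entry ages out
        self.alarms = []     # (ts, src_ip) for every detection event

    def process(self, pkt: Packet) -> str:
        """Return 'permit' or 'discard' for one packet (discard action is configured)."""
        if pkt.src_ip in self.whitelist:
            return "permit"                    # whitelisted sources are never checked
        expiry = self.blacklist.get(pkt.src_ip)
        if expiry is not None:
            if pkt.ts < expiry:
                return "discard"               # still blacklisted: dropped without counting
            del self.blacklist[pkt.src_ip]     # aging time elapsed: source usable again
        if pkt.proto not in ("tcp", "udp"):
            return "permit"
        start, ports = self.windows.get(pkt.src_ip, (pkt.ts, set()))
        if pkt.ts - start >= WINDOW_SECONDS:
            start, ports = pkt.ts, set()       # open a fresh 1-second window
        ports.add(pkt.dst_port)                # simplification: distinct ports per source
        self.windows[pkt.src_ip] = (start, ports)
        if len(ports) > self.max_rate:
            self.alarms.append((pkt.ts, pkt.src_ip))
            if self.blacklist_enabled:         # blacklist on: add entry with aging time
                self.blacklist[pkt.src_ip] = pkt.ts + self.blacklist_timeout
            return "discard"                   # blacklist off: alarm and discard only
        return "permit"


# Constructed addresses from documentation ranges
SCANNER = "198.51.100.7"
CLIENT = "203.0.113.5"
SERVER = "192.0.2.10"


def run_demo(max_rate=100, blacklist_timeout=60.0, blacklist_enabled=True, whitelist=()):
    """Feed constructed traffic through the model and summarise the verdicts."""
    fw = PortScanDefense(max_rate=max_rate, blacklist_timeout=blacklist_timeout,
                         blacklist_enabled=blacklist_enabled, whitelist=whitelist)
    # Scanning source: max_rate + 50 distinct ports inside one second
    scan = [Packet(i * 0.001, SCANNER, SERVER, 1 + i, "tcp") for i in range(max_rate + 50)]
    # Legitimate client: many packets to one port, never exceeds the distinct-port threshold
    normal = [Packet(i * 0.01, CLIENT, SERVER, 443, "tcp") for i in range(50)]
    verdicts = {SCANNER: {"permit": 0, "discard": 0}, CLIENT: {"permit": 0, "discard": 0}}
    for pkt in sorted(scan + normal, key=lambda p: p.ts):
        verdicts[pkt.src_ip][fw.process(pkt)] += 1
    # Scanning source returns after the window closed but before the aging time elapsed
    during_aging = fw.process(Packet(30.0, SCANNER, SERVER, 8080, "tcp"))
    # ...and once more after the aging time has passed
    after_aging = fw.process(Packet(blacklist_timeout + 5.0, SCANNER, SERVER, 8080, "tcp"))
    return {
        "scanner": verdicts[SCANNER],
        "client": verdicts[CLIENT],
        "alarms": len(fw.alarms),
        "during_aging": during_aging,
        "after_aging": after_aging,
    }


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(blacklist_enabled=False))
    print(run_demo(whitelist=(SCANNER,)))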

Copyright © Huawei Technologies Co., Ltd.