ZyXEL Communications ZyWALL USG 200 Series User Manual page 642

Unified security gateway

Chapter 35 ADP
Decoy Port Scans
Decoy port scans are scans where the attacker has spoofed the source address.
These are some decoy scan types:
• TCP Decoy Portscan
• UDP Decoy Portscan
• IP Decoy Portscan
Distributed Port Scans
Distributed port scans are many-to-one port scans. Distributed port scans occur
when multiple hosts query one host for open services. This may be used to evade
intrusion detection. These are distributed port scan types:
• TCP Distributed Portscan
• UDP Distributed Portscan
• IP Distributed Portscan
Port Sweeps
Many connection attempts to the same port (service) on different hosts may
indicate a port sweep. Port sweeps are one-to-many port scans: one host scans a
single port on multiple hosts. This may occur when a new exploit comes out and
the attacker is looking for a specific service. These are some port sweep types:
• TCP Portsweep
• UDP Portsweep
• IP Portsweep
• ICMP Portsweep
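
The many-to-one and one-to-many patterns described above differ only in how connection attempts are grouped. The following Python code is an added example, not part of the manual and not ZyWALL ADP code; the function name, thresholds and sample events are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source IP, destination IP, destination port).
# Addresses come from documentation ranges; none are from the manual.
SAMPLE = (
    # Three hosts each probe two ports on one target (many-to-one).
    [("198.51.100.1", "192.0.2.10", p) for p in (21, 22)]
    + [("198.51.100.2", "192.0.2.10", p) for p in (23, 25)]
    + [("198.51.100.3", "192.0.2.10", p) for p in (80, 443)]
    # One host probes port 445 on five targets (one-to-many).
    + [("203.0.113.7", f"192.0.2.{i}", 445) for i in range(20, 25)]
    # Ordinary traffic that should raise nothing.
    + [("198.51.100.9", "192.0.2.50", 443)]
)


def classify(events, min_ports=5, min_hosts=5):
    """Return sorted (alert, subject) tuples; thresholds are assumed values."""
    ports_by_dst = defaultdict(lambda: defaultdict(set))  # dst -> src -> ports
    dsts_by_probe = defaultdict(set)                      # (src, port) -> dsts
    for src, dst, port in events:
        ports_by_dst[dst][src].add(port)
        dsts_by_probe[(src, port)].add(dst)

    alerts = []
    for dst, per_src in ports_by_dst.items():
        heavy = [s for s, ports in per_src.items() if len(ports) >= min_ports]
        for src in heavy:
            alerts.append(("portscan", f"{src} -> {dst}"))
        # No single source crosses the threshold, but together they do:
        # this is the case a per-source counter would miss.
        combined = set().union(*per_src.values())
        if not heavy and len(per_src) > 1 and len(combined) >= min_ports:
            alerts.append(("distributed portscan", dst))
    for (src, port), dsts in dsts_by_probe.items():
        if len(dsts) >= min_hosts:
            alerts.append(("portsweep", f"{src} port {port}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert, subject in classify(SAMPLE):
        print(f"{alert}: {subject}")
```

Counting distinct ports per destination across all sources is what exposes the distributed scan; a counter keyed only on the source address sees two ports per host and stays silent.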
Filtered Port Scans
A filtered port scan may indicate that there were no network errors (ICMP
unreachables or TCP RSTs), or that responses on closed ports have been
suppressed. Active network devices, such as NAT routers, may trigger these
alerts if they send out many connection attempts within a very small amount of
time. These are some filtered port scan examples:
• TCP Filtered Portscan
• TCP Filtered Decoy Portscan
• TCP Filtered Portsweep
• UDP Filtered Portscan
• UDP Filtered Decoy Portscan
• UDP Filtered Portsweep
• IP Filtered Portscan
• IP Filtered Decoy Portscan
• IP Filtered Portsweep
ZyWALL USG 100/200 Series User's Guide

This manual is also suitable for:

ZyWALL USG 100 Series
