Traffic Anomaly Background Information
The following sections may help you configure the traffic anomaly profile screen
(Section 32.3.4 on page
Port Scanning
An attacker scans device(s) to determine what types of network protocols or
services a device supports. One of the most common port scanning tools in use
today is Nmap.
Many connection attempts to different ports (services) may indicate a port scan.
These are some port scan types:
• TCP Portscan
• UDP Portscan
• IP Portscan
An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the
remote computer, but also additional IP protocols such as EGP (Exterior Gateway
Protocol) or IGP (Interior Gateway Protocol). Determining these additional
protocols can help reveal if the destination device is a workstation, a printer, or a
router.
Decoy Port Scans
Decoy port scans are scans where the attacker has spoofed the source address.
These are some decoy scan types:
• TCP Decoy Portscan
• UDP Decoy Portscan
• IP Decoy Portscan
Distributed Port Scans
Distributed port scans are many-to-one port scans. Distributed port scans occur
when multiple hosts query one host for open services. This may be used to evade
intrusion detection. These are distributed port scan types:
• TCP Distributed Portscan
• UDP Distributed Portscan
• IP Distributed Portscan
ZyWALL USG 2000 User's Guide
527)
Chapter 32 ADP
533