Profiles: Traffic Anomaly; Port Scanning; Decoy Port Scans; Distributed Port Scans - ZyXEL Communications ZyWALL 1050 User Manual

ZyWALL 1050 User's Guide

21.8 Profiles: Traffic Anomaly

The traffic anomaly screen is the second screen in an IDP profile. Traffic anomaly detection
looks for abnormal behavior such as scan or flooding attempts. Select Policy > IDP > Profile
> Traffic Anomaly. If you made changes to other screens belonging to this profile, make sure
you have clicked OK or Save to save the changes before selecting the Traffic Anomaly tab.

21.8.1 Port Scanning

An attacker scans device(s) to determine what types of network protocols or services a device
supports. One of the most common port scanning tools in use today is Nmap.
Many connection attempts to different ports (services) may indicate a port scan. These are
some port scan types:
• TCP Portscan
• UDP Portscan
• IP Portscan
An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the remote
computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP
(Interior Gateway Protocol). Determining these additional protocols can help reveal if the
destination device is a workstation, a printer, or a router.

21.8.1.1 Decoy Port Scans

Decoy port scans are scans where the attacker has spoofed the source address. These are some
decoy scan types:
• TCP Decoy Portscan
• UDP Decoy Portscan
• IP Decoy Portscan

21.8.1.2 Distributed Port Scans

Distributed port scans are many-to-one port scans: multiple hosts each query the same target
host for open services, so that no single source generates enough connection attempts to
trigger a per-source scan threshold. This may be used to evade intrusion detection. These are
distributed port scan types:
• TCP Distributed Portscan
• UDP Distributed Portscan
• IP Distributed Portscan
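The detection logic the Port Scanning and Distributed Port Scans sections describe, as an added example that is not part of the ZyWALL manual or ZyXEL's implementation. It runs over constructed connection records (source, destination, IP protocol, destination port) and shows why a distributed scan needs a per-destination count in addition to the per-source count used for ordinary TCP/UDP port scans; the thresholds are hypothetical.

```python
from collections import defaultdict

# Constructed sample connection records (not real ZyWALL log output):
# (src_ip, dst_ip, ip_protocol, dst_port); dst_port is None for EGP/IGP-style protocols.
SAMPLE_RECORDS = (
    # one source probing 16 TCP ports on one host: a classic TCP port scan
    [("10.0.0.5", "192.168.1.10", "tcp", p) for p in range(20, 36)]
    # ordinary traffic: two UDP services from one source
    + [("10.0.0.7", "192.168.1.10", "udp", 53), ("10.0.0.7", "192.168.1.10", "udp", 161)]
    # distributed scan: 12 sources, each touching a single port on one host
    + [(f"172.16.0.{i}", "192.168.1.20", "tcp", 1000 + i) for i in range(1, 13)]
    # IP protocol scan: one source trying 8 different IP protocols on one host
    + [("10.0.0.9", "192.168.1.30", proto, None)
       for proto in ("icmp", "igmp", "egp", "igp", "gre", "esp", "ah", "ospf")]
)

# Hypothetical thresholds; tune to the site's normal traffic.
PORT_THRESHOLD = 10     # distinct ports from one source to one host
SOURCE_THRESHOLD = 10   # distinct sources probing one host
PROTO_THRESHOLD = 5     # distinct IP protocols from one source to one host


def detect_scans(records, port_threshold=PORT_THRESHOLD,
                 source_threshold=SOURCE_THRESHOLD,
                 proto_threshold=PROTO_THRESHOLD):
    """Return (kind, src, dst) alerts; src is '*' for many-to-one scans."""
    ports = defaultdict(set)    # (src, dst, proto) -> distinct destination ports
    sources = defaultdict(set)  # dst -> distinct sources seen
    protos = defaultdict(set)   # (src, dst) -> distinct IP protocols
    for src, dst, proto, dport in records:
        sources[dst].add(src)
        protos[(src, dst)].add(proto)
        if dport is not None:
            ports[(src, dst, proto)].add(dport)

    alerts = []
    for (src, dst, proto), seen in ports.items():
        if len(seen) >= port_threshold:
            alerts.append((f"{proto}-portscan", src, dst))
    # Per-source counting misses a distributed scan (each source stays below
    # port_threshold), so also count sources per target. Decoy scans with spoofed
    # sources land here too, which is why the alert names only the target.
    for dst, srcs in sources.items():
        if len(srcs) >= source_threshold:
            alerts.append(("distributed-portscan", "*", dst))
    for (src, dst), seen in protos.items():
        if len(seen) >= proto_threshold:
            alerts.append(("ip-protocol-scan", src, dst))
    return alerts
```

Running `detect_scans(SAMPLE_RECORDS)` flags the TCP scan from 10.0.0.5, the distributed scan against 192.168.1.20 (which no per-source rule catches) and the IP protocol scan from 10.0.0.9, while the two-port UDP traffic from 10.0.0.7 stays silent.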
348
Chapter 21 IDP
