Configuring Traffic Anomalies Rules; Detecting Tcp And Udp Port Scans; Example: Traffic Anomalies Rule; Detecting Other Scans - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Configuring Traffic Anomalies Rules

Detecting TCP and UDP Port Scans

Copyright © 2010, Juniper Networks, Inc.
Traffic anomaly rules protect your network from attacks by using traffic flow analysis to
identify attacks that occur over multiple connections and sessions (such as scans).
Before attempting to enter an unknown network, attackers often gather information
about the network and analyze any weaknesses to help them choose the best attack
method. A port scan or network scan is often the first reconnaissance performed. Attackers
typically use a scanning tool that attempts to connect to every port on a single machine
(port scanning) or connect to multiple IP addresses on a network (network scanning).
By determining which services are allowed and responding on your network, attackers
can gain valuable information about your network configuration.
To detect scans and other distributed network attacks, the Traffic Anomalies Rulebase
looks for patterns that indicate abnormal network activity. Attackers often use scanning
tools to automate their port scans, allowing them to scan multiple ports quickly and
efficiently. IDP can detect these scans by counting the number of ports scanned in a
specified time period. You can also set a session limit threshold, which defines the
maximum number of sessions for a single host.
To detect TCP and UDP port scans, set a port count (number of ports scanned) and the
time threshold (the time period that ports are counted) in seconds.

Example: Traffic Anomalies Rule

You want to create a Traffic Anomalies rule that looks for port scans on your internal
network. You set both the TCP and UDP Port Count to 20 and the Time threshold to 120
seconds. The rule is matched if the same Source IP scans 20 TCP ports on your internal
network within 120 seconds, or if the same Source IP scans 20 UDP ports on your internal
network within 120 seconds.

Detecting Other Scans

In addition to port scans, the following attacks occur over multiple connections and sessions:
Distributed Port Scans. Use multiple Source IP addresses to scan ports.
ICMP Sweeps. Use a single Source IP to ping multiple IP addresses.
Network Scans. Use a single Source IP to scan multiple IP addresses.
To detect these attacks, set the IP Count (the number of IP addresses that attempt to scan
or ping your network) and the Time (the time period, in seconds, over which IP addresses
are counted).

Example: Traffic Anomalies Rule

To create a Traffic Anomalies rule that looks for distributed port scans on your internal
network, set the IP Count to 50 and the Time to 120 seconds. If 50 IP addresses attempt
to scan ports on your internal network within 120 seconds, the rule is matched.
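The two rules above reduce to sliding-window counts: distinct destination ports per source IP and protocol within the Time threshold, and distinct source IPs probing the network within the Time threshold. The following added example (not Juniper code, and not how IDP implements the rulebase internally) applies both checks to constructed flow records with the thresholds from the examples (Port Count 20, IP Count 50, Time 120 seconds); the flow tuple format and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

def make_port_scan_flows():
    """Constructed sample flows: (ts_seconds, src_ip, dst_ip, proto, dst_port). Invented data."""
    flows = []
    for i in range(25):   # one host probing 25 TCP ports in 100 s: should match
        flows.append((1000 + 4 * i, "10.0.0.5", "192.168.1.10", "tcp", 1 + i))
    for i in range(20):   # another host touching 20 UDP ports spread over 400 s: should not
        flows.append((1000 + 20 * i, "10.0.0.9", "192.168.1.10", "udp", 53 + i))
    return flows

def make_distributed_flows(n_sources):
    """Constructed: n_sources distinct hosts each probing one port within 90 s."""
    return [(2000 + (i % 90), f"172.16.{i // 256}.{i % 256}", "192.168.1.20", "tcp", 80 + i)
            for i in range(n_sources)]

def _expire(window, now, time_threshold):
    """Drop entries older than the Time threshold (window holds (ts, value), oldest first)."""
    while window and now - window[0][0] > time_threshold:
        window.popleft()

def detect_port_scans(flows, port_count=20, time_threshold=120):
    """Port Count rule: distinct destination ports per (source IP, protocol) within the window.
    Returns the set of (src_ip, proto) pairs that matched the rule."""
    windows = defaultdict(deque)
    matched = set()
    for ts, src, _dst, proto, port in sorted(flows):
        win = windows[(src, proto)]
        win.append((ts, port))
        _expire(win, ts, time_threshold)
        if len({p for _, p in win}) >= port_count:
            matched.add((src, proto))
    return matched

def detect_distributed_scan(flows, ip_count=50, time_threshold=120):
    """IP Count rule: distinct source IPs probing ports on the network within the window
    (interpreting IP Count as distinct sources, as the distributed-scan example does)."""
    win = deque()
    for ts, src, _dst, _proto, _port in sorted(flows):
        win.append((ts, src))
        _expire(win, ts, time_threshold)
        if len({s for _, s in win}) >= ip_count:
            return True
    return False

if __name__ == "__main__":
    print(detect_port_scans(make_port_scan_flows()))            # {('10.0.0.5', 'tcp')}
    print(detect_distributed_scan(make_distributed_flows(60)))  # True
    print(detect_distributed_scan(make_distributed_flows(30)))  # False
```

The UDP host touches 20 ports but never 20 within any 120-second window, which is exactly the case the Time threshold exists to exclude.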
Chapter 9: Configuring Security Policies
495
