ZyXEL Communications ZyWALL USG 300 User Manual page 558

Unified security gateway

Chapter 32 ADP
Port Sweeps
Many connection attempts to the same port (service) on different hosts may
indicate a port sweep, that is, a one-to-many port scan: one host scans a single
port on multiple hosts. This may occur when a new exploit comes out and the
attacker is looking for a specific service. These are some port sweep types:
• TCP Portsweep
• UDP Portsweep
• IP Portsweep
• ICMP Portsweep
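As an added illustration (not from the ZyXEL manual and not the ZyWALL's ADP implementation), the sketch below flags the one-to-many pattern described above in connection records. The record layout, the sample data, the 10-second window and the five-host threshold are all assumptions.

```python
from collections import defaultdict, deque

# Assumed values for illustration; this manual page states no thresholds.
WINDOW_SECONDS = 10
MIN_DISTINCT_HOSTS = 5

# Constructed sample records: (timestamp_s, protocol, src_ip, dst_ip, dst_port)
SAMPLE_EVENTS = (
    # One source, one port, six different hosts in six seconds: a sweep.
    [(i, "tcp", "192.0.2.10", f"10.0.0.{i + 1}", 445) for i in range(6)]
    # A client reconnecting to the same server: one host, so not a sweep.
    + [(i, "tcp", "10.0.0.50", "10.0.0.1", 443) for i in range(8)]
    # Five hosts on one port, but 30 s apart: outside the default window.
    + [(i * 30, "udp", "198.51.100.7", f"10.0.0.{i + 1}", 161) for i in range(5)]
    # Many ports on a single host (one-to-one scan): not a sweep.
    + [(i, "tcp", "203.0.113.5", "10.0.0.9", 20 + i) for i in range(8)]
)


def detect_port_sweeps(events, window=WINDOW_SECONDS, min_hosts=MIN_DISTINCT_HOSTS):
    """Return one alert per (protocol, source, port) that reaches min_hosts
    distinct destination hosts inside a sliding window of `window` seconds."""
    recent = defaultdict(deque)  # (proto, src, port) -> deque of (ts, dst)
    alerted = set()
    alerts = []
    for ts, proto, src, dst, port in sorted(events):
        key = (proto, src, port)
        seen = recent[key]
        seen.append((ts, dst))
        # Drop attempts that have aged out of the window.
        while seen and ts - seen[0][0] > window:
            seen.popleft()
        hosts = {d for _, d in seen}
        if len(hosts) >= min_hosts and key not in alerted:
            alerted.add(key)
            alerts.append({
                "type": f"{proto.upper()} Portsweep",
                "source": src,
                "port": port,
                "hosts": len(hosts),
                "time": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_sweeps(SAMPLE_EVENTS):
        print(alert)
```

Widening the window catches slower sweeps at the cost of more alerts from busy hosts such as the NAT routers mentioned in the next section.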
Filtered Port Scans
A filtered port scan may indicate that there were no network errors (ICMP
unreachables or TCP RSTs), or that responses on closed ports have been suppressed.
Active network devices, such as NAT routers, may trigger these alerts if they send
out many connection attempts within a very small amount of time. These are
some filtered port scan examples:
• TCP Filtered Portscan
• UDP Filtered Portscan
• IP Filtered Portscan
• TCP Filtered Decoy Portscan
• UDP Filtered Decoy Portscan
• IP Filtered Decoy Portscan
• TCP Filtered Portsweep
• UDP Filtered Portsweep
• IP Filtered Portsweep
• ICMP Filtered Portsweep
• TCP Filtered Distributed Portscan
• UDP Filtered Distributed Portscan
• IP Filtered Distributed Portscan
Flood Detection
Flood attacks saturate a network with useless data, use up all available
bandwidth, and therefore make communications in the network impossible.
ICMP Flood Attack
An ICMP flood broadcasts so many pings or UDP packets to a system that it
slows down or locks up.
Smurf
A smurf attacker (A) floods a router (B) with Internet Control Message Protocol
(ICMP) echo request packets (pings) with the destination IP address of each
packet as the broadcast address of the network. The router will broadcast the
ZyWALL USG 300 User's Guide
