The attacker sends TCP packets with FIN, URG and PSH
flags set. If a port is closed, the device responds with an
RST. If a port is open, the device does not respond.
IMAP
scan
The attacker exploits vulnerability of the IMAP port (TCP
port 143) once a TCP packet is received from the victim
with the SYN and FIN flag set.
TCP SYN
ACK scan
The attacker sends a FIN packet to close an open
connection. If a port is closed, the device responds with
an RST. If a port is open, the device does not respond.
NetBus
scan
NetBus is a Trojan Horse attack for Windows 95/98/NT.
Once installed on the victim’s PC, the attacker uses TCP
port 12345, 12346 or 20034 to remotely perform illicit
activities.
Back
Orifice
scan
Back Orifice and Back Orifice 2k are Trojan Horse attacks
for Windows 95/98/NT. Once installed on the victim’s PC,
the attacker commonly listens on UDP ports 31337,
31338 (Back Orifice) and 54320, 54321 (Back Orifice 2k).
The attacker can then remotely perform illicit activities.
SubSeven
attack
SubSeven and SubSeven 2.1 are Trojan Horse attacks
for Windows platforms. Once installed on the victim’s PC,
the attacker uses TCP ports 1243, 6711, 6712, 6713
(SubSeven) and 27374 (SubSeven 2.1) to remotely
perform illicit activities.
Configuring protection against Port Scan attacks
- The device detects an attempted port scan if it receives more than 5 scanning
packets (e.g., SYN/ACK, FIN or RST packets) per second from a single host. To
modify this default threshold, enter:
security set IDS scanthreshold <max>
- The device counts the maximum number of scan packets allowed per second over
a 60 second period. To modify this default threshold, enter:
security set IDS scanperiod <duration>
- If the number of scanning packets counted within the specified duration is greater
To Next Page
Loading...