Intrusion Detection Settings Security
iMG/RG Software Reference Manual (IPNetwork Functions)
Once an intrusion attempt is detected, the attacker is blocked and blacklisted for a set time limit. The length
of time that a blacklisted host remains blocked depends on the kind of attack, and is set per attack class:
• For Denial of Service attacks, by the SECURITY SET IDS DOSATTACKBLOCK command and by the
SECURITY SET IDS MALICIOUSATTACKBLOCK command (default is 30 minutes in both cases)
• For Port Scan attacks, by the SECURITY SET IDS SCANATTACKBLOCK command (default is 24 hours)
• For Web Spoofing attacks, by the SECURITY SET IDS VICTIMPROTECTION command (default is 10 minutes)
4.2.4.1 Port Scan Attacks
Scans are performed by sending a packet to each port in turn with particular TCP flags set. The response
received from each port (or the absence of one) tells the attacker whether the port is in use and can be probed
further in an attempt to penetrate the network. For example, if a vulnerable service is found listening on a port,
the attacker may attempt a DoS attack against that port.
The Security module offers protection from the port scan attacks listed in the table below. Certain port scan
attacks are classed as Trojan Horse attacks. These are programs that may appear harmless, but once executed
they can cause damage to your computer and/or allow remote attackers access to it.
The default protection measures are the same for each scan attack:
Scan attack         Description
Echo scan           The attacker sends scanning traffic to the standard Echo port (TCP port 7).
Xmas Tree scan      The attacker sends TCP packets with the FIN, URG and PSH flags set. If a port is closed,
                    the device responds with an RST. If a port is open, the device does not respond.
IMAP scan           The attacker exploits a vulnerability in the IMAP service (TCP port 143). The scan is
                    detected when a TCP packet with both the SYN and FIN flags set is received for that port.
TCP SYN ACK scan    The attacker sends a SYN packet; the device responds with SYN and ACK to indicate that the
                    port is listening, or with an RST if it is not listening.
TCP FIN RST scan    The attacker sends a FIN packet as if closing an open connection. If a port is closed, the
                    device responds with an RST. If a port is open, the device does not respond.
NetBus scan         NetBus is a Trojan Horse for Windows 95/98/NT. Once installed on the victim's PC, the
                    attacker uses TCP port 12345, 12346 or 20034 to remotely perform illicit activities.
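The following is an added example, not code from the iMG/RG firmware or from this manual, that shows how the scan signatures in the table above and the per-class block timers described at the start of this section fit together as detection logic. It classifies constructed TCP packets (source, destination port, flags) against the flag combinations and well-known ports the table lists, and puts a flagged source on a blacklist whose expiry uses the manual's default block times. The SYN-sweep threshold and window (five distinct ports within ten seconds), the sample packets and all names are assumptions made for the example.

```python
"""Simplified IDS port-scan classifier with a time-limited blacklist.

Added example, not the iMG/RG implementation. Packets are constructed
in-memory tuples rather than captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# TCP flag bits as laid out in the TCP header flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

ECHO_PORT = 7
IMAP_PORT = 143
NETBUS_PORTS = {12345, 12346, 20034}

# Default block times per attack class, matching the manual's defaults for
# DOSATTACKBLOCK / MALICIOUSATTACKBLOCK (30 min), SCANATTACKBLOCK (24 h)
# and VICTIMPROTECTION (10 min).
DEFAULT_BLOCK_TIME: Dict[str, timedelta] = {
    "dos": timedelta(minutes=30),
    "malicious": timedelta(minutes=30),
    "scan": timedelta(hours=24),
    "spoof": timedelta(minutes=10),
}

# Assumption for this example (not a value from the manual): a source that
# SYN-probes this many distinct ports within SYN_WINDOW is treated as a scan.
SYN_PORT_THRESHOLD = 5
SYN_WINDOW = timedelta(seconds=10)


@dataclass(frozen=True)
class TcpPacket:
    ts: datetime
    src: str
    dst_port: int
    flags: int


class ScanDetector:
    """Maps single packets (or short SYN bursts) to the table's scan names."""

    def __init__(self) -> None:
        # src -> recent (timestamp, dst_port) of plain SYNs, for sweep detection
        self._syn_probes: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)

    def classify(self, pkt: TcpPacket) -> Optional[str]:
        f = pkt.flags
        # Flag combinations that never occur in a legitimate handshake or
        # teardown can be flagged from a single packet.
        if (f & (FIN | URG | PSH)) == (FIN | URG | PSH) and not (f & (SYN | ACK | RST)):
            return "Xmas Tree scan"
        if (f & (SYN | FIN)) == (SYN | FIN) and pkt.dst_port == IMAP_PORT:
            return "IMAP scan"
        if f == FIN:  # a real close carries ACK; a bare FIN has no connection
            return "TCP FIN RST scan"
        if f == SYN:
            if pkt.dst_port == ECHO_PORT:
                return "Echo scan"
            if pkt.dst_port in NETBUS_PORTS:
                return "NetBus scan"
            return self._track_syn(pkt)
        return None

    def _track_syn(self, pkt: TcpPacket) -> Optional[str]:
        # A lone SYN is normal traffic; only a sweep across many ports counts.
        probes = self._syn_probes[pkt.src]
        probes.append((pkt.ts, pkt.dst_port))
        cutoff = pkt.ts - SYN_WINDOW
        probes[:] = [p for p in probes if p[0] >= cutoff]
        if len({port for _, port in probes}) >= SYN_PORT_THRESHOLD:
            return "TCP SYN ACK scan"
        return None


class Blacklist:
    """Blocked hosts with an expiry chosen by attack class."""

    def __init__(self, block_time: Dict[str, timedelta] = DEFAULT_BLOCK_TIME) -> None:
        self._block_time = dict(block_time)
        self._expiry: Dict[str, datetime] = {}

    def block(self, host: str, attack_class: str, now: datetime) -> datetime:
        expiry = now + self._block_time[attack_class]
        # Never shorten an existing block; keep whichever expiry is later.
        self._expiry[host] = max(self._expiry.get(host, expiry), expiry)
        return self._expiry[host]

    def is_blocked(self, host: str, now: datetime) -> bool:
        expiry = self._expiry.get(host)
        if expiry is None:
            return False
        if now >= expiry:  # block has lapsed; forget the host
            del self._expiry[host]
            return False
        return True


def detect_scans(packets: List[TcpPacket], blacklist: Optional[Blacklist] = None):
    """Run the classifier over packets; returns (alerts, blacklist)."""
    det = ScanDetector()
    bl = blacklist if blacklist is not None else Blacklist()
    alerts: List[Tuple[str, str]] = []
    for pkt in packets:
        if bl.is_blocked(pkt.src, pkt.ts):
            continue  # traffic from a blacklisted source is dropped
        sig = det.classify(pkt)
        if sig is not None:
            alerts.append((pkt.src, sig))
            bl.block(pkt.src, "scan", pkt.ts)  # 24 h by default
    return alerts, bl


# Constructed sample traffic (not a real capture).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_PACKETS = [
    TcpPacket(T0, "10.0.0.5", 80, FIN | URG | PSH),        # Xmas Tree scan
    TcpPacket(T0, "10.0.0.6", 143, SYN | FIN),             # IMAP scan
    TcpPacket(T0, "10.0.0.7", 12345, SYN),                 # NetBus scan
    TcpPacket(T0, "10.0.0.8", 443, SYN),                   # ordinary connect
    *[TcpPacket(T0 + timedelta(seconds=i), "10.0.0.9", 20 + i, SYN)
      for i in range(5)],                                  # SYN sweep of 5 ports
    TcpPacket(T0 + timedelta(seconds=6), "10.0.0.5", 22, SYN),  # already blocked
]

if __name__ == "__main__":
    found, _ = detect_scans(SAMPLE_PACKETS)
    for src, sig in found:
        print(f"{src}: {sig}")
```

The classifier treats the invalid flag combinations (FIN/URG/PSH, SYN/FIN to 143, a bare FIN) as signatures on a single packet, but a plain SYN is only a scan once one source has swept several ports, otherwise every connection attempt would be blacklisted. Hits on the Echo and NetBus ports are flagged on sight because that is what the table describes; on a network that really runs a service on port 7 this needs tuning. In production the per-source SYN state also needs eviction for sources that go quiet, or it grows without bound.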