Unified Security Gateway User's Guide
Chapter 30 ADP
ZyWALL USG 300 User’s Guide
452
30.8.1.4 Filtered Port Scans
A filtered port scan may indicate that there were no network errors (ICMP unreachables or
TCP RSTs) or responses on closed ports have been suppressed. Active network devices, such
as NAT routers, may trigger these alerts if they send out many connection attempts within a
very small amount of time. These are some filtered port scan examples.
30.8.2 Flood Detection
Flood attacks saturate a network with useless data, use up all available bandwidth, and
therefore make communications in the network impossible.
30.8.2.1 ICMP Flood Attack
An ICMP flood is broadcasting many pings or UDP packets so that so much data is sent to the
system, that it slows it down or locks it up.
30.8.2.2 Smurf
A smurf attacker (A) floods a router (B) with Internet Control Message Protocol (ICMP) echo
request packets (pings) with the destination IP address of each packet as the broadcast address
of the network. The router will broadcast the ICMP echo request packet to all hosts on the
network. If there are numerous hosts, this will create a large amount of ICMP echo request and
response traffic.
If an attacker (A) spoofs the source IP address of the ICMP echo request packet, the resulting
ICMP traffic will not only saturate the receiving network (B), but the network of the spoofed
source IP address (C).
Figure 342 Smurf Attack
• TCP Filtered Portscan • UDP Filtered Portscan • IP Filtered Portscan
• TCP Filtered Decoy
Portscan
• UDP Filtered Decoy
Portscan
• IP Filtered Decoy
Portscan
• TCP Filtered
Portsweep
• UDP Filtered Portsweep • IP Filtered Portsweep
• ICMP Filtered
Portsweep
• TCP Filtered Distributed
Portscan
• UDP Filtered
Distributed Portscan
• IP Filtered
Distributed Portscan