Filter
Top Products
Chapter 30 ADP
ZyWALL USG 100/200 Series User’s Guide
524
Many connection attempts to different ports (services) may indicate a port scan. These are
some port scan types:
• TCP Portscan
• UDP Portscan
• IP Portscan
An IP port scan searches not only for TCP, UDP and ICMP protocols in use by the remote
computer, but also additional IP protocols such as EGP (Exterior Gateway Protocol) or IGP
(Interior Gateway Protocol). Determining these additional protocols can help reveal if the
destination device is a workstation, a printer, or a router.
Decoy Port Scans
Decoy port scans are scans where the attacker has spoofed the source address. These are some
decoy scan types:
• TCP Decoy Portscan
• UDP Decoy Portscan
• IP Decoy Portscan
Distributed Port Scans
Distributed port scans are many-to-one port scans. Distributed port scans occur when multiple
hosts query one host for open services. This may be used to evade intrusion detection. These
are distributed port scan types:
• TCP Distributed Portscan
• UDP Distributed Portscan
• IP Distributed Portscan
Port Sweeps
Many different connection attempts to the same port (service) may indicate a port sweep, that
is, they are one-to-many port scans. One host scans a single port on multiple hosts. This may
occur when a new exploit comes out and the attacker is looking for a specific service. These
are some port sweep types:
• TCP Portsweep
• UDP Portsweep
• IP Portsweep
• ICMP Portsweep
Filtered Port Scans
A filtered port scan may indicate that there were no network errors (ICMP unreachables or
TCP RSTs) or responses on closed ports have been suppressed. Active network devices, such
as NAT routers, may trigger these alerts if they send out many connection attempts within a
very small amount of time. These are some filtered port scan examples.
• TCP Filtered Portscan • UDP Filtered Portscan • IP Filtered Portscan
• TCP Filtered Decoy
Portscan
• UDP Filtered Decoy
Portscan
• IP Filtered Decoy
Portscan