Scan Prevention
Another dimension to flood protection is preventing
scans and the subsequent barrage of traffic at open ports and identified
network addresses. IntruGuard Devices protects against Port, Network,
and Dark Address scans.

Port scanning is a well-known technique for determining which ports are
open on a specific system. While HTTP, FTP, and other well-known ports are
typically available but well protected with host-based software, unused
ports are often left open and vulnerable to attack. Hackers know this and
rapidly scan ports on network devices to find the weakness. IntruGuard
Devices RBIPS is able to spot these accelerating rates of port scans
and to block them once they exceed acceptable limits. The source IP
address is noted, because the scan is often a precursor to a rate flood.
This “heads-up” allows the IG200/2000 to react even faster
and with better accuracy to stop DoS/DDoS attacks.

Similar to port scanning is network address scanning. The IG200/2000
takes the same approach to these scans. Here the rate at which network
addresses are scanned is evaluated against rate thresholds, and scans
exceeding acceptable limits are blocked. As scans are typically substantially
above normal traffic flow, the accuracy in spotting and blocking the
attack is extremely high. Anticipated follow-on attacks are easier to
spot with improved accuracy.

Dark address scans are a growing threat from hackers. These scans involve
IP addresses that are not legitimate. While the format is valid, the
actual values are not available from any Internet registry entity. These
addresses are commonly referred to as “Bogons” and are used
as the source address in many DDoS attacks. IntruGuard blocks dark address
scans which exceed acceptable limits. Often these attacks are used to
spread worms, not just to bring servers off-line, so mitigation of worm
propagation is an added benefit.
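
The rate-threshold idea described above for port scans and network address scans, shown as an added example that is not IntruGuard's code or algorithm: it counts, per source IP, the distinct ports and distinct destination addresses seen inside a sliding time window. The window length, thresholds, function names and sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed values for illustration only, not IntruGuard defaults.
WINDOW_SECONDS = 10
MAX_PORTS_PER_HOST = 20     # more distinct ports on one destination => port scan
MAX_HOSTS_PER_SOURCE = 15   # more distinct destinations => network address scan

def detect_scans(events, window=WINDOW_SECONDS,
                 max_ports=MAX_PORTS_PER_HOST, max_hosts=MAX_HOSTS_PER_SOURCE):
    """events: time-ordered (timestamp, src_ip, dst_ip, dst_port) tuples.
    Returns {src_ip: set of scan kinds} for sources that exceeded a threshold."""
    recent = defaultdict(deque)   # src_ip -> events still inside the window
    flagged = defaultdict(set)
    for ts, src, dst, port in events:
        q = recent[src]
        q.append((ts, dst, port))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        ports_by_dst = defaultdict(set)
        for _, d, p in q:
            ports_by_dst[d].add(p)
        if any(len(ports) > max_ports for ports in ports_by_dst.values()):
            flagged[src].add("port_scan")
        if len(ports_by_dst) > max_hosts:
            flagged[src].add("network_scan")
    return dict(flagged)

def sample_events():
    """Constructed sample traffic using documentation address ranges."""
    events = []
    # 192.0.2.10 probes 30 ports on one host within 3 seconds.
    events += [(i * 0.1, "192.0.2.10", "198.51.100.5", 1000 + i) for i in range(30)]
    # 192.0.2.20 touches port 445 on 25 different hosts within 5 seconds.
    events += [(i * 0.2, "192.0.2.20", f"198.51.100.{i + 1}", 445) for i in range(25)]
    # 192.0.2.30 is an ordinary client repeating connections to one service.
    events += [(i * 1.0, "192.0.2.30", "198.51.100.5", 443) for i in range(8)]
    # 192.0.2.40 touches 30 ports, but over 300 seconds: below the rate limit.
    events += [(i * 10.0, "192.0.2.40", "198.51.100.5", 2000 + i) for i in range(30)]
    return sorted(events)

if __name__ == "__main__":
    for src, kinds in detect_scans(sample_events()).items():
        print(src, sorted(kinds))
```

The slow source 192.0.2.40 is not flagged, which shows the limit of a purely rate-based threshold: it reacts to scan speed, not to the total number of ports or addresses touched.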