Reconnaissance
Reconnaissance Scans
The Reconnaissance page allows you to enable and configure traffic analysis settings on your computers. This feature can detect possible reconnaissance scans and helps to prevent attacks.
- Reconnaissance Scan Detection Enabled: Turn the ability to detect reconnaissance scans on or off.
- Computers/Networks on which to perform detection: Choose from the drop-down list of existing IP Lists the IPs to protect. (You can use the Policies > Common Objects > Lists > IP Lists page to create an IP List specifically for this purpose.)
- Do not perform detection on traffic coming from: Select from a set of IP Lists which computers and networks to ignore. (As above, you can use the Policies > Common Objects > Lists > IP Lists page to create an IP List specifically for this purpose.)
If you want to enable reconnaissance protection, you must also enable the Firewall and Stateful Inspection on the Policy/Computer Editor > Firewall > General tab. You should also go to the Policy/Computer Editor > Firewall > Advanced tab and enable the Generate Firewall Events for packets that are 'Out of Allowed Policy' setting. This generates the Firewall events that reconnaissance detection requires.
For each type of attack, the Agent/Appliance can be instructed to send the information to the Vulnerability Protection/Deep Security Manager, where an Alert will be triggered. You can configure the Manager to send an email notification when the Alerts are triggered. (See Administration > System Settings > Alerts. The Alerts are: "Network or Port Scan Detected", "Computer OS Fingerprint Probe Detected", "TCP Null Scan Detected", "TCP FIN Scan Detected", and "TCP Xmas Scan Detected.") Select Notify DSM Immediately for this option.
For the "Notify DSM Immediately" option to work, the Agents/Appliances must be configured for Agent/Appliance-initiated or bidirectional communication in Policy/Computer Editor > Settings > Computer. If enabled, the Agent/Appliance will initiate a heartbeat to the Vulnerability Protection/Deep Security Manager immediately upon detecting the attack or probe.
Once an attack has been detected, you can instruct the Agents/Appliances to block traffic from the source IPs for a period of time. Use the Block Traffic drop-down lists to set the number of minutes.
- Computer OS Fingerprint Probe: The Agents/Appliances will recognize and react to active TCP stack OS fingerprinting attempts.
- Network or Port Scan: The Agents/Appliances will recognize and react to port scans.
- TCP Null Scan: The Agents/Appliances will refuse packets with no flags set.
- TCP SYNFIN Scan: The Agents/Appliances will refuse packets with only the SYN and FIN flags set.
- TCP Xmas Scan: The Agents/Appliances will refuse packets with only the FIN, URG, and PSH flags set or a value of 0xFF (every possible flag set).
"Network or Port Scan" differs from the other types of reconnaissance in that it cannot be recognized from a single packet; it requires Vulnerability Protection/Deep Security to watch traffic for a period of time.
The Agent/Appliance reports a computer or port scan if it detects that a remote IP is visiting an abnormal ratio of IPs to ports. Normally an Agent/Appliance computer will only see traffic destined for itself, so a port scan is by far the most common type of probe that will be detected. However, if a computer is acting as a router or bridge, it could see traffic destined for a number of other computers, making it possible for the Agent/Appliance to detect a computer scan (e.g. scanning a whole subnet for computers with port 80 open).
Detecting these scans can take several seconds, since the Agent/Appliance needs to track failed connections and decide that an abnormal number of failed connections are coming from a single computer in a relatively short period of time.
The statistical analysis method used in computer/port scan detection is derived from the "TAPS" algorithm proposed in the paper "Connectionless Port Scan Detection on the Backbone" published by Sprint/Nextel and presented at the Malware workshop, held in conjunction with IPCCC, Phoenix, AZ, USA in April, 2006.
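The following is an added illustration, not Deep Security's own code and not the TAPS algorithm: it classifies a TCP flag byte into the single-packet probe types listed above (Null, SYNFIN, Xmas) and shows the IPs-to-ports ratio idea behind computer/port scan detection using a simplified counter over failed connections. The threshold and ratio values are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from typing import Optional

# Standard TCP flag bits (RFC 793); 0xFF means every possible flag set
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> Optional[str]:
    """Map one packet's TCP flag byte to the single-packet probe types the page lists."""
    if flags == 0:
        return "TCP Null Scan"            # no flags set at all
    if flags == SYN | FIN:
        return "TCP SYNFIN Scan"          # only SYN and FIN set
    if flags == FIN | URG | PSH or flags == 0xFF:
        return "TCP Xmas Scan"            # only FIN, URG, PSH set, or all flags set
    return None                           # ordinary traffic (SYN, SYN/ACK, ACK, FIN/ACK, ...)


class ScanTracker:
    """Simplified ratio-based detector (assumed thresholds, not TAPS itself).

    For each source it records the distinct destination IPs and ports of
    *failed* (unanswered) connection attempts. Many ports on few IPs looks
    like a port scan; many IPs on few ports looks like a computer scan.
    """

    def __init__(self, min_targets: int = 10, ratio: float = 3.0):
        self.min_targets = min_targets          # minimum evidence before deciding
        self.ratio = ratio                      # how lopsided IPs vs ports must be
        self.ips = defaultdict(set)
        self.ports = defaultdict(set)

    def observe(self, src: str, dst_ip: str, dst_port: int, answered: bool) -> Optional[str]:
        """Record one connection attempt; answered (legitimate) flows are ignored."""
        if answered:
            return None
        self.ips[src].add(dst_ip)
        self.ports[src].add(dst_port)
        return self.verdict(src)

    def verdict(self, src: str) -> Optional[str]:
        n_ips, n_ports = len(self.ips[src]), len(self.ports[src])
        if n_ips + n_ports < self.min_targets:
            return None                         # not enough failed attempts yet
        if n_ports >= self.ratio * n_ips:
            return "Port Scan"                  # one or few hosts, many ports
        if n_ips >= self.ratio * n_ports:
            return "Computer Scan"              # many hosts, one or few ports
        return None
```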
Vulnerability Protection/Deep Security Agents running on Windows computers with browser applications may occasionally report false-positive reconnaissance scans due to residual traffic arriving from closed connections.