Limit number of tries on a certain port

nielsscheldeman

Could it be possible to limit the tries from a certain IP to a portforward on FLEX series? For example someone that sends a DOS to an opened port, that if he tries 5 times in a short amount of time, that he is blocked for 1 hour.

Zyxel_Jeff

Hi @nielsscheldeman

You could configure the block period to 3600 seconds on the ADP profile, as below:

Additionally, please refer to the below description of Block Period: "Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address."

Thanks.

PeterUK

This will be a ADP thing there is a TCP portscan option then block for a max of 3600 seconds but I'm not sure how many ports need to trigger it plus it would really only work on ports not open so say you have port 443 open and a scan happens with 53,80,443,8080, 3389, 5000 if the sensitivity is 5 ports that are not open happen then it block the IP from even getting to 443. but like I said don't know how Zyxel have set that up.

or for a open port like TCP if you get a lot of SYN to which you send SYN, ACK but you never see a ACK then added ADP option could block the IP BUT heres the thing a DoS can have a fake source IP meaning if a attack by IP 2.0.0.1 send many DoS to you with fake source IP then this can block real sends of them source IP's

Zyxel_Jeff

Hi @nielsscheldeman

You could configure the block period to 3600 seconds on the ADP profile, as below:

Additionally, please refer to the below description of Block Period: "Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address."

Thanks.