Limit number of tries on a certain port

nielsscheldeman
nielsscheldeman Posts: 51  Ally Member
First Comment Friend Collector Second Anniversary

Could it be possible to limit the tries from a certain IP to a portforward on FLEX series? For example someone that sends a DOS to an opened port, that if he tries 5 times in a short amount of time, that he is blocked for 1 hour.

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,251  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Answer ✓

    Hi @nielsscheldeman

    You could configure the block period to 3600 seconds on the ADP profile, as below:

    Additionally, please refer to the below description of Block Period: "Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address."

    Thanks.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited June 2023

    This will be a ADP thing there is a TCP portscan option then block for a max of 3600 seconds but I'm not sure how many ports need to trigger it plus it would really only work on ports not open so say you have port 443 open and a scan happens with 53,80,443,8080, 3389, 5000 if the sensitivity is 5 ports that are not open happen then it block the IP from even getting to 443. but like I said don't know how Zyxel have set that up.

    or for a open port like TCP if you get a lot of SYN to which you send SYN, ACK but you never see a ACK then added ADP option could block the IP BUT heres the thing a DoS can have a fake source IP meaning if a attack by IP 2.0.0.1 send many DoS to you with fake source IP then this can block real sends of them source IP's

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,251  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary
    Answer ✓

    Hi @nielsscheldeman

    You could configure the block period to 3600 seconds on the ADP profile, as below:

    Additionally, please refer to the below description of Block Period: "Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address."

    Thanks.


    See how you've made an impact in Zyxel Community this year! https://bit.ly/Your2024Moments_Community