Limit number of tries on a certain port

Options
nielsscheldeman
nielsscheldeman Posts: 33  Freshman Member
First Anniversary 10 Comments Friend Collector

Could it be possible to limit the tries from a certain IP to a portforward on FLEX series? For example someone that sends a DOS to an opened port, that if he tries 5 times in a short amount of time, that he is blocked for 1 hour.

Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @nielsscheldeman

    You could configure the block period to 3600 seconds on the ADP profile, as below:

    Additionally, please refer to the below description of Block Period: "Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address."

    Thanks.

All Replies

  • PeterUK
    PeterUK Posts: 2,723  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited June 2023
    Options

    This will be a ADP thing there is a TCP portscan option then block for a max of 3600 seconds but I'm not sure how many ports need to trigger it plus it would really only work on ports not open so say you have port 443 open and a scan happens with 53,80,443,8080, 3389, 5000 if the sensitivity is 5 ports that are not open happen then it block the IP from even getting to 443. but like I said don't know how Zyxel have set that up.

    or for a open port like TCP if you get a lot of SYN to which you send SYN, ACK but you never see a ACK then added ADP option could block the IP BUT heres the thing a DoS can have a fake source IP meaning if a attack by IP 2.0.0.1 send many DoS to you with fake source IP then this can block real sends of them source IP's

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,066  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    Options

    Hi @nielsscheldeman

    You could configure the block period to 3600 seconds on the ADP profile, as below:

    Additionally, please refer to the below description of Block Period: "Specify for how many seconds the Zyxel Device blocks all packets from being sent to the victim (destination) of a detected anomaly attack. Flood Detection applies blocking to the destination IP address and Scan Detection applies blocking to the source IP address."

    Thanks.

Security Highlight