Enhanced DoS Prevention for Port Scanning

Zyxel_Claudia (Zyxel Employee)
edited November 14 in Other Topics

USG FLEX H Series Firewall has enhanced the DoS (Denial of Service) Prevention feature in its latest firmware, specifically improving the way the firewall handles port scanning attacks. These adjustments help reduce CPU load.

What Is DoS Port Scanning Protection?

Port scanning is a technique often used by attackers to discover open ports on a firewall or device for potential exploitation.

The DoS Port Scanning Protection feature detects and blocks these scanning attempts, preventing excessive traffic from overloading your firewall.

Old vs. New Behavior

Previous Behavior (Before Firmware Update)

  • Traffic targeting the firewall itself (e.g., port scan attempts) was first evaluated by the Policy Control rules, then by DoS Prevention.
  • As a result:
    • Most scan attempts were dropped by default deny rules.
    • All traffic still entered the kernel, creating CPU overhead.
    • Logs were unnecessarily generated, causing additional CPU overhead.

New Behavior (After Firmware Update)

  • Revised traffic flow for inbound port scan traffic:
    • Traffic targeting the firewall itself is now evaluated by DoS Prevention first, before Policy Control.
    • If flagged as a scan, the source IP is blacklisted immediately.
    • Traffic is blocked before reaching the kernel, saving CPU cycles.
    • No unnecessary logs are generated from default deny rules.

Why LAN to ANY Traffic Is Not Affected

Traffic from LAN to Any keeps the same evaluation order and behavior as before:

  • Traffic targeting the Any zone (e.g., LAN1 to LAN2) is still evaluated by the Policy Control rules first, then by DoS Prevention.
  • Most LAN-to-Any traffic matches the LAN Outgoing allow rule, which does not generate logs by default, so there was no log or CPU overhead to remove.
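As an added illustration (not Zyxel's code and not the firmware's actual logic), here is a small Python model of the two evaluation orders described above. The scan criterion (a threshold of distinct destination ports from one source within a time window), the policy set and the traffic are all constructed assumptions; the page does not document the real thresholds. The model shows why moving DoS Prevention ahead of Policy Control for traffic aimed at the firewall itself reduces kernel processing and default-deny log volume, while LAN-to-Any traffic is unchanged because it is allowed without logging either way.

```python
from collections import defaultdict

# Constructed parameters: the real firmware's scan criteria are not documented on the page.
SCAN_PORT_THRESHOLD = 10     # distinct destination ports from one source before it is flagged
SCAN_WINDOW_SECONDS = 5.0    # sliding window over which those ports are counted


class DosPortScanDetector:
    """Flags a source as a scanner once it probes SCAN_PORT_THRESHOLD distinct ports
    within SCAN_WINDOW_SECONDS, and keeps a block list of flagged sources."""

    def __init__(self, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(list)   # source IP -> [(timestamp, destination port)]
        self.block_list = set()

    def is_blocked(self, src):
        return src in self.block_list

    def observe(self, ts, src, dport):
        """Record one connection attempt; return True if src is now on the block list."""
        recent = [(t, p) for t, p in self.events[src] if ts - t <= self.window]
        recent.append((ts, dport))
        self.events[src] = recent
        if len({p for _, p in recent}) >= self.threshold:
            self.block_list.add(src)
            return True
        return False

    def clear(self, ip=None):
        """Model of the CLI 'clear ip <addr>' (ip given) and 'clear all' (ip=None) commands."""
        if ip is None:
            self.block_list.clear()
        else:
            self.block_list.discard(ip)


def policy_control(pkt):
    """Constructed policy set: traffic to the firewall itself hits the default deny rule
    (which logs); LAN-to-Any traffic matches the LAN Outgoing allow rule (no log)."""
    if pkt["to_firewall"]:
        return "deny", True
    return "allow", False


def old_flow(packets, detector):
    """Previous behavior: Policy Control first, then DoS Prevention; every packet enters the kernel."""
    stats = {"kernel": 0, "logs": 0, "dropped_by_policy": 0, "dropped_pre_kernel": 0}
    for pkt in packets:
        stats["kernel"] += 1
        verdict, logged = policy_control(pkt)
        stats["logs"] += int(logged)
        if verdict == "deny":
            stats["dropped_by_policy"] += 1
            continue
        # Only traffic that survives policy ever reaches DoS Prevention in this order.
        detector.observe(pkt["ts"], pkt["src"], pkt["dport"])
    return stats


def new_flow(packets, detector):
    """New behavior: DoS Prevention first for traffic aimed at the firewall; a flagged
    source is block-listed at once and its packets never reach the kernel."""
    stats = {"kernel": 0, "logs": 0, "dropped_by_policy": 0, "dropped_pre_kernel": 0}
    for pkt in packets:
        if pkt["to_firewall"]:
            if detector.is_blocked(pkt["src"]) or detector.observe(pkt["ts"], pkt["src"], pkt["dport"]):
                stats["dropped_pre_kernel"] += 1
                continue
        stats["kernel"] += 1
        verdict, logged = policy_control(pkt)
        stats["logs"] += int(logged)
        if verdict == "deny":
            stats["dropped_by_policy"] += 1
    return stats


def sample_traffic():
    """Constructed traffic: one WAN host probing 30 ports on the firewall within 3 s,
    plus three ordinary LAN-to-Internet HTTPS connections."""
    scan = [{"ts": 0.1 * i, "src": "203.0.113.5", "dport": 1000 + i, "to_firewall": True}
            for i in range(30)]
    lan = [{"ts": 1.0 + i, "src": "192.168.1.20", "dport": 443, "to_firewall": False}
           for i in range(3)]
    return sorted(scan + lan, key=lambda p: p["ts"])


def compare():
    """Run the same traffic through both orders; return (old stats, new stats, new detector)."""
    traffic = sample_traffic()
    old = old_flow(traffic, DosPortScanDetector())
    new_detector = DosPortScanDetector()
    new = new_flow(traffic, new_detector)
    return old, new, new_detector


if __name__ == "__main__":
    old, new, det = compare()
    print("old order:", old)
    print("new order:", new)
    print("block list:", sorted(det.block_list))
```

With the constructed numbers, the old order pushes all 33 packets through the kernel and writes 30 default-deny log entries, while the new order lets only the first 9 probes through (below the constructed threshold), block-lists the scanner on the 10th and discards the remaining 21 packets before the kernel sees them; the three LAN connections are handled identically in both orders.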

How to Monitor DoS Blocked IPs

You can now check and manage blacklisted IPs with new CLI commands:

Show Blocked IPs

usgflex200hp> show dos-prevention-block-list


Clear a Specific IP

usgflex200hp> cmd dos-prevention-block-list clear ip 192.168.169.33


Clear All Blocked IPs

usgflex200hp> cmd dos-prevention-block-list clear all
