TippingPoint Operating System (TOS) supports filters that can detect and/or block port scans and host sweeps. The following filters are referred to as scan/sweep filters:
- 7000: TCP: Port Scan
- 7001: UDP: Port Scan
- 7002: TCP: Host Sweep
- 7003: UDP: Host Sweep
- 7004: ICMP: Host Sweep
- 7016: ICMPv6: Host Sweep
The scan and sweep filters track the number of port scan and host sweep attempts from a single source IP address. These filters have threshold values that can be configured per Security Profile and per filter. A filter becomes active when the number of connection attempts from a source IP address exceeds the threshold. Port scans and host sweeps are blocked through the Quarantine feature. Scan and sweep filters only look at connections in traffic that undergoes IPS inspection. These filters ignore the following types of traffic:
- Blocked or trusted by a Traffic Management filter
- Trusted flow due to Trust as an Action
- Blocked or trusted by IP Reputation
- Matches an inspection-bypass rule
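
The per-source tracking and the exclusions listed above can be modelled as follows. This is an added example, not TippingPoint code: the disposition labels, threshold values and sample connections are constructed. It assumes a port scan is counted as distinct destination ports on one host and a host sweep as distinct destination hosts, with no time window.

```python
from collections import defaultdict

# Dispositions that keep a flow away from the scan/sweep filters, per the
# list above (the label names are hypothetical, chosen for this example).
UNINSPECTED = {"tm_block", "tm_trust", "trust_action",
               "ip_reputation", "inspection_bypass"}

# Constructed thresholds keyed by filter number; on a device these are
# configured per Security Profile and per filter.
THRESHOLDS = {7000: 3, 7002: 3}

def evaluate(connections, thresholds=THRESHOLDS):
    """Return {filter_number: set of source IPs that exceeded the threshold}.

    Assumption: 7000 counts distinct destination ports a source tries on one
    destination host; 7002 counts distinct destination hosts a source tries.
    """
    ports = defaultdict(set)   # (src, dst) -> destination ports seen
    hosts = defaultdict(set)   # src -> destination hosts seen
    fired = {7000: set(), 7002: set()}
    for src, dst, dport, disposition in connections:
        if disposition in UNINSPECTED:
            continue  # this traffic is never counted
        ports[(src, dst)].add(dport)
        hosts[src].add(dst)
        if len(ports[(src, dst)]) > thresholds[7000]:
            fired[7000].add(src)   # TCP: Port Scan
        if len(hosts[src]) > thresholds[7002]:
            fired[7002].add(src)   # TCP: Host Sweep
    return fired

# Constructed sample: (source, destination, destination port, disposition)
SAMPLE = (
    [("198.51.100.7", "10.0.0.5", p, "inspected") for p in (21, 22, 23, 80)]
    + [("198.51.100.8", f"10.0.0.{h}", 445, "inspected") for h in range(1, 5)]
    + [("198.51.100.9", "10.0.0.5", p, "inspection_bypass") for p in range(1, 50)]
    + [("198.51.100.10", "10.0.0.5", p, "inspected") for p in (80, 443, 8080)]
)

if __name__ == "__main__":
    for number, sources in evaluate(SAMPLE).items():
        print(number, sorted(sources))
```

In the sample, the source matched by an inspection-bypass rule probes 49 ports and is never flagged, which is the visibility gap to keep in mind when writing bypass and trust rules.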