Warning: Reconnaissance Detected
The reconnaissance scan detection feature serves as an early warning of a potential attack or intelligence gathering effort against a network.
Types of reconnaissance scans
Deep Security can detect several types of reconnaissance scans:
- Computer OS Fingerprint Probe: The agent or appliance detects an attempt to discover the computer's OS.
- Network or Port Scan: The agent or appliance reports a network or port scan if it detects that a remote IP is contacting an abnormal ratio of IPs to ports. Normally, an agent or appliance computer will only see traffic destined for itself, so a port scan is the most common type of probe that will be detected. The statistical analysis method used in network or port scan detection is derived from the "TAPS" algorithm proposed in the paper "Connectionless Port Scan Detection on the Backbone" presented at IPCCC in 2006.
- TCP Null Scan: The agent or appliance detects packets with no flags set.
- TCP SYNFIN Scan: The agent or appliance detects packets with only the SYN and FIN flags set.
- TCP Xmas Scan: The agent or appliance detects packets with only the FIN, URG, and PSH flags set or a value of 0xFF (every possible flag set).
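The following is an added example, not Deep Security code, showing how the flag-based scan types above can be recognised from the TCP flags byte, together with a simplified IP-to-port ratio test in the spirit of the TAPS method mentioned under Network or Port Scan. The `ReconDetector` class, its thresholds (`ratio_threshold`, `min_targets`) and the sample traffic are assumptions constructed for illustration; they are not the product's values.

```python
"""Added example (not Deep Security code): a toy detector for the reconnaissance
patterns described above. The flag checks follow the documented definitions; the
network/port-scan part is a simplified IP:port ratio test inspired by TAPS, with
thresholds that are assumptions rather than the product's actual settings."""
from collections import defaultdict

# TCP flag bits as laid out in the 8-bit flags field of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_tcp_flags(flags):
    """Map a TCP flags byte to a documented scan type, or None for ordinary traffic."""
    if flags == 0:
        return "TCP Null Scan"            # no flags at all
    if flags == SYN | FIN:
        return "TCP SYNFIN Scan"          # only SYN and FIN
    if flags == FIN | URG | PSH or flags == 0xFF:
        return "TCP Xmas Scan"            # FIN+URG+PSH, or every bit lit
    return None


class ReconDetector:
    """Consume (src_ip, dst_ip, dst_port, tcp_flags) records and report suspects."""

    def __init__(self, ratio_threshold=4.0, min_targets=8):
        # Assumed thresholds: judge a source only after it has touched at least
        # `min_targets` distinct IPs or ports, then look for a skewed IP:port ratio.
        self.ratio_threshold = ratio_threshold
        self.min_targets = min_targets
        self.dst_ips = defaultdict(set)
        self.dst_ports = defaultdict(set)
        self.flag_hits = defaultdict(list)

    def observe(self, src, dst, dport, flags):
        self.dst_ips[src].add(dst)
        self.dst_ports[src].add(dport)
        kind = classify_tcp_flags(flags)
        if kind is not None:
            self.flag_hits[src].append(kind)

    def scan_suspects(self):
        """Return {src: 'Network Scan' | 'Port Scan'} for sources with a skewed ratio."""
        verdicts = {}
        for src in self.dst_ips:
            ips, ports = len(self.dst_ips[src]), len(self.dst_ports[src])
            if max(ips, ports) < self.min_targets:
                continue                        # too few observations to judge
            if ports / ips >= self.ratio_threshold:
                verdicts[src] = "Port Scan"     # few hosts, many ports
            elif ips / ports >= self.ratio_threshold:
                verdicts[src] = "Network Scan"  # few ports, many hosts
        return verdicts

    def flag_suspects(self):
        """Return {src: sorted unique scan types} for sources sending malformed-flag probes."""
        return {src: sorted(set(kinds)) for src, kinds in self.flag_hits.items()}


def run_sample():
    """Constructed traffic: a port sweep, an ordinary client, and two flag probes."""
    det = ReconDetector()
    for port in range(1, 21):                     # 20 SYNs to 20 ports on one host
        det.observe("203.0.113.5", "192.0.2.10", port, SYN)
    for port in (80, 443):                        # normal client talking to two services
        det.observe("198.51.100.7", "192.0.2.10", port, SYN)
        det.observe("198.51.100.7", "192.0.2.10", port, ACK | PSH)
    det.observe("203.0.113.9", "192.0.2.10", 22, 0)               # null scan probe
    det.observe("203.0.113.9", "192.0.2.10", 22, FIN | URG | PSH)  # Xmas scan probe
    return det.scan_suspects(), det.flag_suspects()


if __name__ == "__main__":
    scans, flags = run_sample()
    print("ratio-based:", scans)
    print("flag-based:", flags)
```

Because an agent normally sees only traffic addressed to its own host, the distinct-IP count stays at 1 and the ratio test collapses to "many ports from one source", which is why the documentation expects port scans to be the common verdict; the network-scan branch matters mainly for an appliance that sees traffic for many hosts.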
Suggested actions
When you receive a Reconnaissance Detected alert, double-click it to display more detailed information, including the IP address that is performing the scan. Then, you can try one of these suggested actions:
- The alert may be caused by a scan that is not malicious. If the IP address listed in the alert is known to you and the traffic is okay, you can add the IP address to the reconnaissance allow list:
  - In the Computer or Policy editor, go to Firewall > Reconnaissance. (You can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Policies page and double-click the policy that you want to edit, or select the policy and click Details. To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit, or select the computer and click Details.)
  - The Do not perform detection on traffic coming from list should contain a list name. If a list name hasn't already been specified, select one.
  - You can edit the list by going to Policies > Common Objects > Lists > IP Lists. Double-click the list you want to edit and add the IP address.
- You can instruct the agents and appliances to block traffic from the source IP for a period of time. To set the number of minutes, open the Computer or Policy editor, go to Firewall > Reconnaissance, and change the Block Traffic value for the appropriate scan type.
- You can use a firewall or Security Group to block the incoming IP address.
Deep Security Manager does not automatically clear the "Reconnaissance Detected" alerts, but you can manually clear the issue from Deep Security Manager.
For more information on reconnaissance scans, see Firewall settings.