PaloAlto – Reconnaissance Attack


What’s a Reconnaissance Attack?


To put it in simple terms, a reconnaissance attack is an attempt to gather information about your network. An intruder scans your network from the outside for open ports and known weaknesses, using port scanners and websites built to catalogue exposed services. This is where our fancy Palo Alto helps, with its built-in IPS/IDS features: Threat Prevention, Zone Protection Profiles and DoS Protection Profiles.



The term reconnaissance comes from the military, where it was the process of gathering information about the enemy and bringing it back to headquarters to use against them.



In our field, reconnaissance shows up as scans of static IP addresses, random IP address scanning, and stealth scanning (for example, SYN scans that never complete the TCP handshake). From my experience, attackers perform passive reconnaissance attacks to seek information. Attackers later add the information to a database. Once they find a vulnerability, they go to their database, see who has the weakness and then attack from there.



A good example of such a database, in this case a white-hat one, is Shodan, a search engine for Internet-exposed devices.



Today we will create a Zone Protection Profile. It protects an entire zone from scanners arriving through the interfaces assigned to that zone, so the usual place to apply it is the external (untrust) zone. DoS Protection Profiles, by contrast, are applied through DoS Protection policy and can protect individual servers.

Step 1:

Create a Zone Protection Profile
Network > Network Profiles > Zone Protection > Add
Name your new profile and enable all the settings. Leave the defaults for now.
Click on the Reconnaissance Protection tab and set the Action to Block:


Block drops all further packets from the scanning source to the target for the remainder of the Interval; Block IP drops everything from that source for the Duration you specify.
Lower the Threshold from its default of 100 events.
With a Threshold of 30 and an Interval of 10 seconds, for example, the block takes effect once 30 port-probe events from one source are seen within 10 seconds.
A low threshold will also trip on your own vulnerability scanner or monitoring host, so add those sources to the Source Address Exclusion list rather than raising the threshold for everyone.
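To make the Threshold, Interval and Duration settings concrete, here is an added Python model (not PAN-OS code, and simplified: each probe to a new port counts as one event, and the block behaves like Block IP with a Duration) that runs a fast scan, a slow scan and a scan from an excluded address through the same settings. The addresses, the 60-second Duration and the exclusion network are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Settings mirroring the Reconnaissance Protection tab (values chosen for
# the example; this is an added model, not the firewall's implementation).
INTERVAL = 10      # seconds: the sliding window the events are counted in
THRESHOLD = 30     # events from one source inside the window before acting
DURATION = 60      # seconds a Block IP action keeps dropping the source


class ReconDetector:
    """Counts port-probe events per source and blocks a source once it
    produces THRESHOLD events within INTERVAL seconds (simplified model)."""

    def __init__(self, interval=INTERVAL, threshold=THRESHOLD,
                 duration=DURATION, exclusions=()):
        self.interval = interval
        self.threshold = threshold
        self.duration = duration
        # Source Address Exclusion: scanners you trust (constructed list)
        self.exclusions = [ip_network(n) for n in exclusions]
        self.events = defaultdict(deque)   # src -> timestamps of its probes
        self.blocked_until = {}            # src -> time its block expires

    def _excluded(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.exclusions)

    def observe(self, ts, src, dst, dport):
        """Return 'allow', 'block' or 'excluded' for one TCP probe."""
        if self._excluded(src):
            return "excluded"
        until = self.blocked_until.get(src)
        if until is not None:
            if ts < until:
                return "block"             # still inside the block Duration
            del self.blocked_until[src]    # Duration over: start counting again
            self.events[src].clear()
        window = self.events[src]
        window.append(ts)
        # Forget probes older than the Interval so the count is a sliding window
        while window and ts - window[0] > self.interval:
            window.popleft()
        if len(window) >= self.threshold:
            self.blocked_until[src] = ts + self.duration
            return "block"
        return "allow"


def run_scan(detector, src, start, probes, spacing, dst="203.0.113.10"):
    """Send `probes` SYN probes from `src`, `spacing` seconds apart, to
    successive ports (constructed traffic); returns the list of verdicts."""
    return [detector.observe(start + i * spacing, src, dst, 1 + i)
            for i in range(probes)]


def demo():
    """Fast scan, slow scan and an excluded scanner against one detector."""
    det = ReconDetector(exclusions=["198.51.100.0/24"])
    fast = run_scan(det, "192.0.2.5", 0.0, 40, 0.1)      # 40 probes in 4 s
    slow = run_scan(det, "192.0.2.6", 0.0, 40, 1.0)      # 40 probes in 40 s
    trusted = run_scan(det, "198.51.100.7", 0.0, 40, 0.1)
    later = det.observe(100.0, "192.0.2.5", "203.0.113.10", 443)
    return {
        "fast_first_block": fast.index("block"),   # index 29: the 30th probe
        "fast_blocked_total": fast.count("block"), # the 30th and the 10 after it
        "slow_blocked_total": slow.count("block"), # never 30 inside 10 s
        "trusted": set(trusted),                   # exclusion list wins
        "after_duration": later,                   # block expired at 62.9 s
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The slow scan is the case to notice: 40 probes one second apart never have 30 inside any 10-second window, so a patient scanner slips under this threshold, which is why the threshold is a trade-off and not a setting to push as low as possible.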


Move to the next tab:
Packet Based Attack Protection.


Spoofed IP address: drops packets whose source address is not routable back out through an interface in the same zone as the one the packet arrived on (a reverse-path check).
Fragmented traffic: drops IP fragments, which stops fragmentation-based evasion and reassembly attacks such as overlapping fragments. Test this before enabling it: legitimate traffic is fragmented too (large UDP datagrams such as DNSSEC responses, IKE and NFS, and anything crossing a mismatched MTU, as with jumbo frames on one side of the firewall), and it will be dropped.

IP Options Drop:
Strict Source Routing: the sender lists the exact router-by-router path the packet must take, overriding your routing.
Loose Source Routing: the sender lists routers the packet must pass through, with any path allowed between them.

Dropping both protects you from an intruder steering packets into a network that is not reachable through your normal routes.
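To see what the IP Options Drop checks actually act on, here is an added Python example (not firewall code) that builds IPv4 headers carrying Loose Source Routing (option type 131) and Strict Source Routing (option type 137) options, parses the option list and returns the drop/allow verdict the two settings would give. The addresses and hop lists are constructed for the example.

```python
import socket
import struct

# IPv4 option type codes (RFC 791): the byte is copied-flag | class | number
OPTION_NAMES = {
    0: "end-of-options",
    1: "no-op",
    7: "record-route",
    68: "timestamp",
    131: "loose-source-routing",   # 0x83, LSRR
    137: "strict-source-routing",  # 0x89, SSRR
}

# Options the Strict/Loose Source Routing drop settings remove
DROP_OPTIONS = {"loose-source-routing", "strict-source-routing"}


def source_route_option(kind, hops):
    """Encode an LSRR (131) or SSRR (137) option: type, length, pointer, hops.
    Pointer 4 means the first listed hop is next; hops are constructed."""
    if kind not in (131, 137):
        raise ValueError("kind must be 131 (LSRR) or 137 (SSRR)")
    data = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([kind, 3 + len(data), 4]) + data


def build_ipv4_header(src, dst, options=b""):
    """Build a minimal IPv4 header with raw options (no payload, checksum 0).
    Options are padded to a 32-bit boundary because IHL counts 4-byte words."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl,   # version 4, header length in words
                        0,                # TOS
                        ihl * 4,          # total length (header only)
                        0, 0,             # identification, flags/fragment offset
                        64, 6, 0,         # TTL, protocol TCP, checksum
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


def parse_options(header):
    """Return the names of the options present in an IPv4 header, in order."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts = header[20:ihl]
    names, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # end of option list (padding follows)
            break
        if kind == 1:                    # no-op has no length byte
            names.append(OPTION_NAMES[1])
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option at offset %d" % i)
        names.append(OPTION_NAMES.get(kind, "unknown-%d" % kind))
        i += opts[i + 1]
    return names


def ip_options_verdict(header):
    """Mimic IP Options Drop: 'drop' with the offending options, else 'allow'."""
    hits = sorted(DROP_OPTIONS.intersection(parse_options(header)))
    return ("drop", hits) if hits else ("allow", [])


def demo():
    """Three constructed packets: loose source routing, strict source routing,
    and a clean one carrying only a no-op and a record-route option."""
    hops = ["203.0.113.1", "10.0.0.1"]     # attacker-chosen path (constructed)
    lsrr = build_ipv4_header("192.0.2.5", "10.0.0.20", source_route_option(131, hops))
    ssrr = build_ipv4_header("192.0.2.5", "10.0.0.20", source_route_option(137, hops))
    rr = build_ipv4_header("192.0.2.5", "10.0.0.20",
                           b"\x01" + bytes([7, 7, 4]) + b"\x00" * 4)
    return {
        "lsrr": ip_options_verdict(lsrr),
        "ssrr": ip_options_verdict(ssrr),
        "record_route": ip_options_verdict(rr),
        "rr_options": parse_options(rr),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The source-routed packets carry a hop list the sender wrote into the header, which is exactly how an intruder would try to push traffic towards 10.0.0.1 regardless of what your routing table says; the record-route packet is left alone because only the two source-routing options are configured to drop here.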

Step 2:

Click on Network > Zones > the zone you want to protect, select the new profile under Zone Protection Profile, click OK and commit.




Let's Test:


Install Zenmap from nmap.org and follow my example:

As you can see, our Zone Protection profile is working now. We are dropping the packets. You can play with your settings if you like.

Go to Monitor > Logs > Threat and look for the scan entries (threat names such as SCAN: TCP Port Scan); the Action column shows whether each one was alerted on or blocked.

Note:

I recommend you make a new profile for every zone. This allows you to modify the protection per zone, allowing for granular control.

Play with it and have fun.

Thank you
AzNetAdmin
