What are the Threat IDs for Scan and Flood associated with Zone Protection?

39313
Created On 04/22/20 19:47 PM - Last Modified 08/24/23 14:19 PM


Question


What are the Threat IDs for Scan and Flood protection associated with Zone Protection?

Environment


All PAN-OS >8.1.0

Answer


The active threat IDs for scan and flood detection associated with Zone Protection are listed below.
The threat ID ranges allotted to Zone Protection are 8500-8599 and 8000-8099.
  • Threat-ID 8501 (TCP Flood)
        This event detects a TCP flood. A TCP flood, also known as a "SYN flood", is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system.
  • Threat-ID 8502 (UDP Flood)
        This event detects a UDP flood. A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a session-less computer networking protocol.
        Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach the attacker, and anonymizing the attacker's network location(s).
  • Threat-ID 8503 (ICMP Flood)
        This event detects an ICMP flood. An ICMP flood is a simple denial-of-service attack in which the attacker overwhelms the victim with ICMP packets. It only succeeds if the attacker has more bandwidth than the victim (for instance an attacker with a DSL line and the victim on a dial-up modem). The attacker hopes that the victim will respond with ICMP packets, thus consuming outgoing bandwidth as well as incoming server bandwidth.
  • Threat-ID 8504 (Other IP Flood)
        This event detects the use of other IP packets (non-TCP, non-UDP and non-ICMP) for flooding attacks.
  • Threat-ID 8505 (ICMPv6 Flood)
        This event detects an ICMPv6 flood. An ICMPv6 flood is a simple denial-of-service attack in which the attacker overwhelms the victim with ICMPv6 packets. It only succeeds if the attacker has more bandwidth than the victim (for instance an attacker with a DSL line and the victim on a dial-up modem). The attacker hopes that the victim will respond with ICMPv6 packets, thus consuming outgoing bandwidth as well as incoming server bandwidth.
  • Threat-ID 8506 (SCTP INIT Flood) - A flood of SCTP INIT control chunks has been received (across different connections).
  • Threat-ID 8507 (PBP Packet Drop) - Packet buffer protection enforcing RED packet drop.
  • Threat-ID 8508 (PBP Session Discarded) - Packet buffer protection enforcing session discard.
  • Threat-ID 8509 (PBP IP Blocked) - Packet buffer protection enforcing source IP block.
  • Threat-ID 8510-99 - This signature detects port scanning, configurable in the zone protection profile.
  • Threat-ID 8000 - This signature detects port scanning, configurable in the zone protection profile.
  • Threat-ID 8001 (SCAN: TCP Port Scan) - This event detects a TCP port scan.
  • Threat-ID 8002 (SCAN: Host Sweep) - This event detects a host sweep.
  • Threat-ID 8003 (SCAN: UDP Port Scan) - This event detects a UDP port scan.
  • Threat-ID 8004-99 - This signature detects port scanning, configurable in the zone protection profile.
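As an added example (not part of the KB article and not Palo Alto Networks code), the snippet below turns the ranges above into triage logic: it classifies a threat ID as flood, packet buffer protection or scan, then summarises constructed threat-log records per zone and flags sources with repeated flood hits. The key=value record layout is a simplified format made up for this example, not the real PAN-OS threat log CSV layout.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Threat IDs and names as listed in the article; IDs in the allotted
# ranges that the article does not name are reported as "undefined".
THREAT_NAMES = {
    8501: "TCP Flood", 8502: "UDP Flood", 8503: "ICMP Flood",
    8504: "Other IP Flood", 8505: "ICMPv6 Flood", 8506: "SCTP INIT Flood",
    8507: "PBP Packet Drop", 8508: "PBP Session Discarded",
    8509: "PBP IP Blocked", 8000: "Port Scan",
    8001: "SCAN: TCP Port Scan", 8002: "SCAN: Host Sweep",
    8003: "SCAN: UDP Port Scan",
}


def classify(threat_id: int) -> Tuple[str, str]:
    """Map a threat ID to (category, name) using the article's ranges."""
    name = THREAT_NAMES.get(threat_id, "undefined")
    if 8507 <= threat_id <= 8509:          # PBP enforcement events
        return "packet-buffer-protection", name
    if 8500 <= threat_id <= 8599:          # flood range
        return "flood", name
    if 8000 <= threat_id <= 8099:          # scan range
        return "scan", name
    return "not-zone-protection", name      # other threat signatures


def parse_record(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value,key=value' record."""
    return dict(kv.split("=", 1) for kv in line.strip().split(","))


def summarise(lines: Iterable[str]) -> Counter:
    """Count events per (category, name, ingress zone)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        cat, name = classify(int(rec["threat_id"]))
        counts[(cat, name, rec["zone"])] += 1
    return counts


def flood_sources(lines: Iterable[str], threshold: int = 2) -> List[str]:
    """Return sources with at least `threshold` flood-category events."""
    per_src: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if classify(int(rec["threat_id"]))[0] == "flood":
            per_src[rec["src"]] += 1
    return sorted(s for s, n in per_src.items() if n >= threshold)


# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE = [
    "time=2020/04/22 19:47:01,zone=untrust,src=203.0.113.10,threat_id=8501",
    "time=2020/04/22 19:47:02,zone=untrust,src=203.0.113.10,threat_id=8501",
    "time=2020/04/22 19:47:03,zone=untrust,src=203.0.113.22,threat_id=8002",
    "time=2020/04/22 19:47:04,zone=dmz,src=198.51.100.5,threat_id=8508",
    "time=2020/04/22 19:47:05,zone=untrust,src=203.0.113.10,threat_id=8520",
]
```

Running `summarise(SAMPLE)` groups the two 8501 hits from the untrust zone together and reports the unnamed 8520 ID as an undefined flood event rather than dropping it.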


Additional Information


  • Threat-ID 8510-99 and Threat-ID 8004-99 are not defined yet.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPklCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail