JasMan
Contributor

NMAP scan and CPAS

Hi folks,

During a penetration test in our network, an Nmap scan on port 80 for a complete /16 subnet was started. The source IP address was allowed to reach each IP address and was excluded from most inspections. But during the scan the load of the firewall reached 99% and the traffic flow nearly stopped.

Our service provider was not able to identify the reason. From my analyses later that day it happened due to CPAS (https://support.checkpoint.com/results/sk/sk179804).

CPAS acts as a responder for HTTP requests and performs a 3-way handshake for each requested IP address, regardless of whether the address is online or not. It keeps sessions to offline IP addresses open for 30 seconds.

That means an aggressive Nmap scan would cause a lot of parallel new connections and a high load on the firewall until it stops working.

Is this an expected behaviour? Is it possible to reduce the 30 seconds for each connection, or what is the suggested value? Any other suggestions to prevent such an issue?

Thank you.

Jas Man

0 Kudos
6 Replies
Lesley
Leader

These SKs will maybe help you out:

https://support.checkpoint.com/results/sk/sk110873

This one is mostly about DDOS but it also speaks regarding port scans

https://support.checkpoint.com/results/sk/sk112241

-------
If you like this post please give a thumbs up(kudo)! 🙂
JasMan
Contributor

The second SK is very interesting. I'll check. Thx.

0 Kudos
G_W_Albrecht
Legend

Using NMAP to aggressively scan your own network (best done from inside!) is an old joke that never seems to die... So this is expected behaviour.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JasMan
Contributor

They wanted to identify unknown systems in our network which listen to http and other "bad services". I would say it's a justified action. 😇

0 Kudos
G_W_Albrecht
Legend

So you should configure it not as an aggressive NMAP scan, but to proceed only very slowly and carefully!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JasMan
Contributor

Yup, that's true. Good point!

0 Kudos
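To put numbers on the effect described in the thread (one responder session per probed address, sessions to offline addresses held for 30 seconds, relief by pacing the sweep), here is an added simulation that is not part of this thread or of Check Point's documentation. It assumes a fixed interval between probes, a 30-second hold for unanswered addresses as stated in the post, and a constructed 0.5-second hold for addresses that do answer; the host mix is constructed as well.

```python
"""Added model (not from the thread) of how a CPAS-style HTTP responder
fills a session table during a port-80 sweep.

Assumptions: probes leave at a fixed interval, a session to an address
that never answers is held for HOLD_OFFLINE_MS (30 s, as stated in the
post), and an answered handshake occupies the table only briefly.
"""
import heapq

HOLD_OFFLINE_MS = 30_000   # from the post: sessions to offline hosts stay open 30 s
HOLD_ONLINE_MS = 500       # assumed: a completed handshake is released quickly


def peak_concurrent_sessions(num_hosts, interval_ms, online_fraction,
                             hold_offline_ms=HOLD_OFFLINE_MS,
                             hold_online_ms=HOLD_ONLINE_MS):
    """Peak number of simultaneously held responder sessions during one sweep.

    Every probed address gets a session; offline ones are held until their
    timeout, so the table fills to roughly hold_offline_ms / interval_ms.
    """
    expiries = []   # min-heap of session expiry times (ms)
    peak = 0
    online_per_hundred = round(online_fraction * 100)
    for i in range(num_hosts):
        now = i * interval_ms
        # release sessions whose hold time has elapsed
        while expiries and expiries[0] <= now:
            heapq.heappop(expiries)
        # constructed deterministic mix: first N of every 100 addresses answer
        answers = (i % 100) < online_per_hundred
        hold = hold_online_ms if answers else hold_offline_ms
        heapq.heappush(expiries, now + hold)
        peak = max(peak, len(expiries))
    return peak


def compare_pacing(num_hosts=65_534, online_fraction=0.05):
    """Peak table occupancy for an aggressive sweep (1 ms between probes)
    versus a slow one (100 ms between probes) over a /16."""
    return {
        "aggressive_1ms": peak_concurrent_sessions(num_hosts, 1, online_fraction),
        "slow_100ms": peak_concurrent_sessions(num_hosts, 100, online_fraction),
    }


if __name__ == "__main__":
    for pacing, peak in compare_pacing().items():
        print(f"{pacing}: peak {peak} held sessions")
```

The peak settles at about hold time divided by probe interval, so stretching the interval by 100x shrinks the held-session count by the same factor, which is the capacity-planning argument behind the advice to scan slowly.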