"port flood" treated as "port scan" resulting in blocks
-
Domineaux
- Junior Member
- Posts: 18
- Joined: 19 Sep 2007, 23:42
- Location: Houston, TX USA (Earth)
- Contact:
"port flood" treated as "port scan" resulting in blocks
I have found that it a users IP gets throttled by the PORTFLOOD limit, it is logged as *Port Flood* but LFD seeing 11 of them (one more than the defined PS_LIMIT of 10) will result in LFD adding a temporary deny against the IP for "*Port Scan* detected".
-
ForumAdmin
- Moderator
- Posts: 1531
- Joined: 01 Oct 2008, 09:24
Re: "port flood" treated as "port scan" resulting in blocks
That is the intended functionality. If you do not want to block particular ports remove them from the PS_PORTS list.
-
Domineaux
- Junior Member
- Posts: 18
- Joined: 19 Sep 2007, 23:42
- Location: Houston, TX USA (Earth)
- Contact:
Re: "port flood" treated as "port scan" resulting in blocks
Thank you for the work around but are you sure that this is really the intended functionality instead of a byproduct of the way the logs are searched? Seems like the "Port Flood" log entries were a good idea so we could tell if someone was getting throttled but the "Port Scan" function is just checking for any blocked packet logs and indiscriminately judged them as a port scan for a temporary deny.