Warning: Reconnaissance Detected

The reconnaissance scan detection feature serves as an early warning of a potential attack or intelligence gathering effort against a network.

Types of reconnaissance scans

Workload Security can detect several types of reconnaissance scans:

  • Computer OS Fingerprint Probe: The agent detects an attempt to discover the computer's OS.
  • Network or Port Scan: The agent reports a network or port scan if it detects that a remote IP is visiting an abnormal ratio of IPs to ports. Normally, an agent computer will only see traffic destined for itself, so a port scan is the most common type of probe that will be detected. The statistical analysis method used in computer or port scan detection is derived from the "TAPS" algorithm proposed in the paper "Connectionless Port Scan Detection on the Backbone" presented at IPCCC in 2006.
  • TCP Null Scan: The agent detects packages with no flags set.
  • TCP SYNFIN Scan: The agent detects packets with only the SYN and FIN flags set.
  • TCP Xmas Scan: The agent detects packets with only the FIN, URG, and PSH flags set or a value of 0xFF (every possible flag set).

Suggested actions

When you receive a Reconnaissance Detected alert, double-click it to display more detailed information, including the IP address that is performing the scan. Then, you can try one of these suggested actions:

  • The alert may be caused by a scan that is not malicious. If the IP address listed in the alert is known to you and the traffic is okay, you can add the IP address to the reconnaissance white list:
    1. In the Computer or Policy editor, go to Firewall > Reconnaissance.
    2. The Do not perform detection on traffic coming from list should contain a list name. If a list name hasn't already been specified, select one.
    3. You can edit the list by going to Policies > Common Objects > Lists > IP Lists. Double-click the list you want to edit and add the IP address.
  • You can instruct the agents and appliances to block traffic from the source IP for a period of time. To set the number of minutes, open the Computer or Policy editor, go to Firewall > Reconnaissance and change the Block Traffic value for the appropriate scan type.
  • You can use a firewall or Security Group to block the incoming IP address.

Workload Security does not automatically clear the "Reconnaissance Detected" alerts, but you can manually clear the issue from Workload Security.

For more information on reconnaissance scans, see Firewall settings.