Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

Hello,

I am trying to find out how to set up blocking of an attack that triggers the block based on the number of hits from a particular IP. I would also like to block the attack for a period of time, say 24 hrs, and then unblock that IP after this predefined time period.

Is this possible?

I have read that RFSB can be enabled, but it looks permanent. Also, does reset TCP work to block for a period of time, or is that permanent as well? The configuration screen for this setting (edit of the attack name in the policy) does not seem to have any time length setting for this either.

Thank you for any response in advance.

5 Replies

Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

The feature you are looking for is IPS Quarantine.

If you were to block the attack, it's only going to block the specific traffic that matches the signature.

The Quarantine feature will block all traffic from the host for a period of time.  The available time periods are 5 minutes to 60 minutes.

If you want it to require triggering a number of times first, you can create a Reconnaissance Attack that can be configured as a "Brute Force" correlation to require a count of attacks in a time interval before triggering.

After creating the Reconn attack, go into the policy editor and enable Quarantine for the attack.

Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

Thanks gfergus1. I had just found the quarantine info after poking around waiting for a reply, but how to set up the "brute force" correlation I would have fumbled over without your help.

Great response!

Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

I will try to further define my requirement. Sorry for the lack of correct wording, but I will give it a try.

I understand what gfergus1 is saying and I think he is answering my next question when he said "If you were to block the attack, it's only going to block the specific traffic that matches the signature", but I will give it a shot.

Is there any way to enable quarantine for any attack that comes from a single IP for x number of times over x time period, signature independent? I am trying to automate the process as much as possible. It would be nice if it would quarantine for, say, 1 hr when the number of attacks over a given period of time triggers the quarantine, rather than having to create a reconn attack for every count I see high for a particular signature from a particular IP address.

Does that help to further define my query?

Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

Unfortunately there isn't a way to do that.  You can create a Recon attack for a "brute force" for each signature, but there's not a 'wider' view of attack responses.

That would be a good feature request which you can submit at https://mcafee.acceptondemand.com/
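
The signature-independent correlation asked about in this thread, sketched as an added example that runs outside the product (it is not code from the thread or from McAfee): it counts alerts per source IP across all signatures in a sliding window and emits a time-limited quarantine interval. The CSV alert layout, the signature names and the threshold values are constructed assumptions, and applying the resulting block to a sensor or firewall is not shown.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical export): "ISO timestamp,source IP,signature"
SAMPLE_ALERTS = """\
2024-01-01T10:00:00,203.0.113.7,SIG-A
2024-01-01T10:01:00,198.51.100.20,SIG-A
2024-01-01T10:01:30,203.0.113.7,SIG-B
2024-01-01T10:03:00,203.0.113.7,SIG-C
2024-01-01T10:04:00,203.0.113.7,SIG-A
2024-01-01T10:16:00,198.51.100.20,SIG-B
2024-01-01T10:31:00,198.51.100.20,SIG-C
"""

def parse(text):
    """Yield (timestamp, source_ip, signature) tuples from the CSV text."""
    for line in text.strip().splitlines():
        ts, src, sig = (field.strip() for field in line.split(",", 2))
        yield datetime.fromisoformat(ts), src, sig

def correlate(alerts, threshold, window, quarantine):
    """Return [(src, start, end)] quarantine intervals.

    A source is quarantined once it raises `threshold` alerts of ANY
    signature within `window`; the block expires after `quarantine`.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    blocked_until = {}            # src -> quarantine expiry time
    intervals = []
    for ts, src, _sig in sorted(alerts):
        if src in blocked_until and ts < blocked_until[src]:
            continue              # already quarantined, do not count again
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # drop alerts older than the window
        if len(hits) >= threshold:
            blocked_until[src] = ts + quarantine
            intervals.append((src, ts, blocked_until[src]))
            hits.clear()          # start counting afresh after expiry
    return intervals

def sample_intervals():
    """3 alerts in 5 minutes from one source -> 24 hour quarantine."""
    return correlate(parse(SAMPLE_ALERTS), threshold=3,
                     window=timedelta(minutes=5), quarantine=timedelta(hours=24))
```

On the constructed data only 203.0.113.7 is quarantined: its three alerts carry three different signatures but fall inside one window, while 198.51.100.20 raises the same number of alerts spread too far apart to trip the threshold.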

Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

Thank you for the info Gfergus1.
