Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

Hello,

I am trying to find out how to set up blocking of an attack that triggers the block based on the number of hits from a particular IP. I would also like to block the attack for a period of time, say 24 hrs, and then unblock that IP after this predefined time period.

Is this possible?

I have read that RFSB can be enabled, but it looks permanent. Also, does reset TCP work to block for a period of time, or is that permanent as well? The configuration screen for this setting (edit of the attack name in the policy) does not seem to have any time length setting for this either.

Thank you for any response in advance.

5 Replies
Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

The feature you are looking for is IPS Quarantine.

If you were to block the attack, it's only going to block the specific traffic that matches the signature.

The Quarantine feature will block all traffic from the host for a period of time.  The available time periods are 5 minutes to 60 minutes.

If you want it to require triggering a number of times first, you can create a Reconnaissance Attack that can be configured as a "Brute Force" correlation to require a count of attacks in a time interval before triggering.

After creating the Reconn attack, go into the policy editor and enable Quarantine for the attack.
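The mechanism described in this reply, a per-source count that has to reach a threshold within a time interval before a time-limited host quarantine kicks in, modelled as an added example. This is constructed illustration code written for this page, not McAfee NSP code; the threshold (3 alerts), window (60 s), quarantine length (5 minutes, the low end of the range quoted above), IP addresses and signature names are all made up. The model counts alerts per source regardless of which signature fired, which is the wider, signature-independent view asked about later in the thread; the product itself, as the replies explain, correlates per signature.

```python
"""Count-in-window trigger with an expiring host quarantine.

Constructed model for illustration only; this is not McAfee NSP code and the
parameters below (3 alerts in 60 s, 5-minute quarantine) are made up.
"""
from collections import defaultdict, deque


class BruteForceQuarantine:
    """Quarantine a source once it raises `threshold` alerts within `window` seconds."""

    def __init__(self, threshold, window, quarantine_secs):
        self.threshold = threshold
        self.window = window
        self.quarantine_secs = quarantine_secs
        self._hits = defaultdict(deque)      # src -> timestamps of recent alerts
        self._quarantined_until = {}         # src -> time at which the block expires

    def is_quarantined(self, src, now):
        until = self._quarantined_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self._quarantined_until[src]  # quarantine expired, host released
            return False
        return True

    def observe(self, src, now):
        """Record one alert from `src` at time `now` and return the verdict.

        The signature that fired is deliberately ignored: every alert from the
        same source counts toward the same threshold.
        """
        if self.is_quarantined(src, now):
            return "dropped"                   # all traffic from src is blocked
        hits = self._hits[src]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()                     # slide the window forward
        if len(hits) >= self.threshold:
            self._quarantined_until[src] = now + self.quarantine_secs
            hits.clear()                       # counter restarts after release
            return "quarantined"
        return "alert"


# Constructed alert stream: (seconds since start, source IP, signature name).
ALERTS = [
    (0,   "198.51.100.7", "HTTP: SQL Injection"),
    (10,  "198.51.100.7", "HTTP: Directory Traversal"),
    (20,  "198.51.100.7", "SSH: Login Failure"),    # 3rd alert within 60 s -> quarantine
    (25,  "198.51.100.7", "HTTP: SQL Injection"),   # host is quarantined -> dropped
    (30,  "203.0.113.9",  "HTTP: SQL Injection"),   # other hosts are unaffected
    (330, "198.51.100.7", "HTTP: SQL Injection"),   # 5 min later: released, counter reset
    (400, "203.0.113.9",  "HTTP: SQL Injection"),   # 370 s after its first alert: outside window
]


def replay(alerts, threshold=3, window=60, quarantine_secs=300):
    """Run the alert stream through the correlator; return (t, src, sig, verdict) tuples."""
    corr = BruteForceQuarantine(threshold, window, quarantine_secs)
    return [(t, src, sig, corr.observe(src, t)) for t, src, sig in alerts]


if __name__ == "__main__":
    for t, src, sig, verdict in replay(ALERTS):
        print(f"t={t:>4}s {src:<14} {sig:<26} -> {verdict}")
```

Running the script prints one verdict per alert: the first two alerts from 198.51.100.7 are plain alerts, the third trips the quarantine, the fourth is dropped while the quarantine is in force, the other host is untouched, and once the quarantine timer runs out the source is released and counted from zero again. Two things the model makes visible that the GUI hides: the window is sliding (old hits fall out, so 203.0.113.9 never reaches the threshold), and release is automatic, which is the "block for a while, then unblock" behaviour the original question asks for.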

Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

Thanks gfergus1. I had just found the quarantine info after poking around waiting for a reply, but how to setup the "brute force" correlation I would have fumbled over without your help.

Great response!

Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

I will try to further define my requirement. Sorry for the lack of correct wording, but I will give it a try.

I understand what gfergus1 is saying and I think he is answering my next question when he said "If you were to block the attack, it's only going to block the specific traffic that matches the signature", but I will give it a shot.

Is there any way to enable quarantine for any attack that comes from a single IP for x number of times over x time period, signature independent? I am trying to automate the process as much as possible. It would be nice if it would quarantine for say 1 hr when the number of attacks over a given period of time triggers the quarantine, rather than having to create a reconn attack for every count I see high for a particular signature from a particular IP address.

Does that help to further define my query?

Accepted Solution

Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

Unfortunately there isn't a way to do that.  You can create a Recon attack for a "brute force" for each signature, but there's not a 'wider' view of attack responses.

That would be a good feature request which you can submit at https://mcafee.acceptondemand.com/

Re: Blocking attacks based on number of attacks from a single source for 24 hrs instead of permanent RFSB

Thank you for the info Gfergus1.
