
Q&A: How does Threat Intelligence block clients?

Question

How does Threat Intelligence block clients? Does a client get a TCP reset or is the request just silently dropped?

 

Environment

  • Silverline Threat Intelligence 

 

Answer

Threat Intelligence silently drops connections from a client in a blocked category; the client does not receive a TCP reset.

  • When a client in a blocked category initiates a session with the proxy, the first packet (SYN) of that session is inspected and the block decision is made before the TCP handshake completes. From the client's side the SYN simply goes unanswered and the connection attempt times out.
  • This is a Layer 4 drop that happens before any iRules or WAF policy are evaluated, so blocked traffic never reaches those layers.
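Because a silent SYN drop and an active refusal look different to the client, the quickest way to confirm that a client is being dropped (rather than reset or reaching the proxy) is to attempt a TCP connect and interpret how it fails. The script below is an added example and is not part of the original article or of any F5 tooling: it classifies the result of a connect attempt as "open" (SYN/ACK came back), "reset" (RST came back, i.e. connection refused) or "dropped" (nothing came back before the timeout, which is what a Threat Intelligence block looks like). The outcome labels and the helper names are this example's own; the loopback demo only reproduces the "open" and "reset" cases, since a silent drop cannot be produced locally.

```python
import socket

# Outcome labels used by this example (not Silverline terminology).
OPEN = "open"        # SYN/ACK received: the three-way handshake completed
RESET = "reset"      # RST received: the far end actively refused the SYN
DROPPED = "dropped"  # nothing received before the timeout: silent drop
ERROR = "error"      # some other socket error (route missing, DNS, ...)


def outcome_for(exc):
    """Map the exception raised by socket.connect() to an outcome label."""
    if isinstance(exc, ConnectionRefusedError):
        return RESET
    # socket.timeout is an alias of TimeoutError on Python 3.10+,
    # but catching socket.timeout works on every Python 3 version.
    if isinstance(exc, socket.timeout):
        return DROPPED
    return ERROR


def classify_connect(host, port, timeout=3.0):
    """Send one SYN to host:port and report how the far end answered it.

    A Silverline Threat Intelligence block drops the SYN before the
    handshake completes, so a blocked client sees DROPPED here, never RESET.
    Use a timeout longer than the path RTT so a slow answer is not
    mistaken for a drop.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except OSError as exc:          # ConnectionRefusedError and timeout are OSErrors
        return outcome_for(exc)
    finally:
        s.close()


def demo_local():
    """Constructed demo: reproduce OPEN and RESET against a loopback listener.

    Returns (outcome while a listener exists, outcome after it is closed).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = classify_connect("127.0.0.1", port, timeout=1.0)
    listener.close()                      # nothing listens now -> kernel answers with RST
    after_close = classify_connect("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    # Loopback demo; replace with the Silverline-fronted host and port 443
    # to test a real client, e.g. classify_connect("www.example.com", 443).
    print(demo_local())
```

Run it from the client you suspect is in a blocked category: "dropped" against the Silverline-fronted hostname, while the same host answers "open" from an unaffected network, is consistent with a Threat Intelligence block; "reset" points at something else (a closed port or an active reject on the path), since Threat Intelligence never sends a reset.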

Profiles let you tune which categories are blocked:

  • Anonymous Proxy
  • Botnets
  • Cloud Provider Networks
  • Denial of Service
  • Illegal Websites
  • Infected Sources
  • Phishing Proxies
  • SPAM Sources
  • Scanners
  • Web Attacks
  • Windows Exploits

For more details about the categories check out: What is Threat Intelligence? What Threat Categories are Supported?
 
 
An organisation that runs its own scanners against its websites may want to unblock the Scanners category, otherwise its scan traffic will be dropped before it reaches the application.

 

ZScaler

If ZScaler egress addresses are categorised as a threat, you may want to temporarily disable the category they fall into. Do this carefully: the ZScaler range may be categorised as "Windows Exploits", and disabling a category allows every source in that category, not just ZScaler. Confirm the address range with a whois lookup before changing the profile:

# whois -h whois.arin.net 165.225.0.0

NetRange: 165.225.0.0 - 165.225.127.255
CIDR: 165.225.0.0/17
NetName: ZSCAL
NetHandle: NET-165-225-0-0-1
Parent: NET165 (NET-165-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS53813, AS55242, AS62907, AS22616, AS32921, AS40384, AS53444
Organization: ZSCALER, INC. (ZSCAL)

