Question
How does Threat Intelligence block clients? Does a client get a TCP reset or is the request just silently dropped?
Environment
- Silverline Threat Intelligence
Answer
Threat Intelligence silently drops a client in a blocked category.
- When a client in a blocked category initiates a session with the proxy, the first packet (SYN) of that session is inspected and the decision is made before the TCP handshake completes. The client receives neither a SYN-ACK nor a RST; its connection attempt simply times out.
- This is a Layer 4 drop prior to any iRules or WAF policy, so no HTTP request is ever received from the blocked client and nothing about it appears in iRule or WAF logs.
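A client-side way to tell the two behaviours apart, added here as an example and not part of the original article: a port that answers with a TCP reset fails immediately with "connection refused", while a Threat Intelligence drop never answers the SYN, so the connect attempt runs into the timeout. The script below classifies a single connect attempt that way. The host, port and timeout values are assumptions; the local self-check uses loopback ports only so it can run offline.

```python
import socket
import sys

# Outcome labels for one TCP connect attempt.
ACCEPTED = "accepted"        # handshake completed: the source is not blocked at L4
RESET = "reset"              # RST / ECONNREFUSED: something answered and refused
DROPPED = "dropped"          # no SYN-ACK and no RST within the timeout: silent drop
UNREACHABLE = "unreachable"  # routing or local network error before any answer


def classify_connect(host, port, timeout=5.0):
    """Attempt one TCP handshake to host:port and classify how it ended."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return ACCEPTED
    except socket.timeout:          # alias of TimeoutError on Python 3.10+
        return DROPPED
    except ConnectionRefusedError:
        return RESET
    except OSError:
        return UNREACHABLE
    finally:
        sock.close()


def probe(host, port, attempts=3, timeout=5.0):
    """Repeat the probe. A Threat Intelligence drop is consistent: every
    attempt from the blocked source should come back DROPPED, never RESET."""
    return [classify_connect(host, port, timeout) for _ in range(attempts)]


def local_selfcheck():
    """Offline demonstration on loopback: an open local port is ACCEPTED,
    a closed one is RESET (the kernel answers the SYN with a RST)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve a port, then release it so that it is closed when probed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return (classify_connect("127.0.0.1", open_port, 2.0),
                classify_connect("127.0.0.1", closed_port, 2.0))
    finally:
        listener.close()


if __name__ == "__main__":
    # Assumed usage: probe.py <host> <port>; defaults are placeholders.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for i, outcome in enumerate(probe(host, port), 1):
        print(f"attempt {i}: {outcome}")
```

Run it from the suspected-blocked source against the virtual server's address and port. Consistent `dropped` results from that source, together with `accepted` from a network that is not in a blocked category, match the behaviour described above; a `reset` means something answered the SYN, which is not what Threat Intelligence does.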
Profiles let you tune which categories are blocked:
- Anonymous Proxy
- Botnets
- Cloud Provider Networks
- Denial of Service
- Illegal Websites
- Infected Sources
- Phishing Proxies
- SPAM Sources
- Scanners
- Web Attacks
- Windows Exploits
For more details about the categories check out: What is Threat Intelligence? What Threat Categories are Supported?
If your organisation uses scanners to check its own websites, you may want to unblock the Scanners category; note that this unblocks every source in that category, not only your own scanners.
ZScaler
If ZScaler egress addresses are categorised as a threat, you may want to temporarily disable the affected category. Do this carefully: ZScaler traffic may be categorised as "Windows Exploits", and disabling that category also unblocks every genuine attacker in it. Before changing anything, confirm with whois that the dropped client IP actually belongs to ZScaler's allocation, for example:
Lookup against whois.arin.net:
NetRange: 165.225.0.0 - 165.225.127.255
CIDR: 165.225.0.0/17
NetName: ZSCAL
NetHandle: NET-165-225-0-0-1
Parent: NET165 (NET-165-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS53813, AS55242, AS62907, AS22616, AS32921, AS40384, AS53444
Organization: ZSCALER, INC. (ZSCAL)
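To confirm that a client IP really falls inside the allocation above before touching a category, here is a small parser for the ARIN `Key: value` record and a CIDR membership check, added as an example and not code from the article or from F5. The record embedded below is the one quoted above, used as a constructed offline sample; the test IPs are assumptions.

```python
import ipaddress
import re

# Constructed sample: the ARIN record quoted in this article, embedded so the
# check runs offline instead of querying whois.arin.net.
SAMPLE_WHOIS = """\
NetRange: 165.225.0.0 - 165.225.127.255
CIDR: 165.225.0.0/17
NetName: ZSCAL
NetHandle: NET-165-225-0-0-1
Parent: NET165 (NET-165-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS53813, AS55242, AS62907, AS22616, AS32921, AS40384, AS53444
Organization: ZSCALER, INC. (ZSCAL)
"""


def parse_arin_record(text):
    """Parse the 'Key: value' lines of an ARIN whois record into a dict.
    CIDR and OriginAS may carry several comma-separated values and are
    returned as lists; every other field is kept as a string."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue  # comments, blank lines, disclaimer text
        key, value = m.group(1), m.group(2).strip()
        if key in ("CIDR", "OriginAS"):
            record[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            record[key] = value
    return record


def networks_of(record):
    """Networks covered by the record: the CIDR field if present, otherwise
    the NetRange summarised into the minimal set of prefixes."""
    nets = [ipaddress.ip_network(c, strict=False) for c in record.get("CIDR", [])]
    if not nets and "NetRange" in record:
        lo, hi = (s.strip() for s in record["NetRange"].split("-", 1))
        nets = list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return nets


def ip_in_record(ip, record):
    """True if ip lies inside any network of the record."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks_of(record))


def owner_of(ip, record):
    """Organization name when ip is inside the record, else None."""
    return record.get("Organization") if ip_in_record(ip, record) else None


if __name__ == "__main__":
    rec = parse_arin_record(SAMPLE_WHOIS)
    for ip in ("165.225.10.5", "165.225.128.1"):   # assumed client IPs
        print(ip, "->", owner_of(ip, rec))
```

A match only tells you the source is ZScaler's; whether to disable the category or instead request removal of the IP from the Brightcloud feed (see Related Content) remains a judgement call, since a category switch affects every source in that category.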
Related Content
- Threat Intelligence: Overview
- Threat Intelligence: Configuration
- How to Request Brightcloud to remove an IP being blocked by Threat Intelligence