Firewall Wizards mailing list archives
Re: Netscreen firewall and portscans?
From: "Boni Bruno" <bbruno () dsw net>
Date: Wed, 06 Feb 2002 11:34:51 -0800
Netscreen itself is primarily a firewall with some Firewall Protection settings and a nice malicious URL detection feature, but in no way is it an advanced intrusion detection system. The firewall protection features are as follows: Detect SYN Attacks, ICMP Flood, UDP Flood, Ping of Death, WinNuke, Detect Port Scan, Land Attack, TearDrop, Source Route Packets, Detect Address Sweep Attacks, and IP Spoofing.

The SYN Attack, ICMP Flood and UDP Flood detections have configurable thresholds which, if set too low, can produce false positives. This may be the problem with the client trying to contact you. However, they have to produce a log to merit any attention....

The Port Scan Detection feature is only triggered if a given source address attempts quick connections to multiple ports on the destination network the firewall is protecting. This is not a common characteristic for any web server, even if it's behind BIGIP. I have seen some load balancers utilizing virtual IPs trigger SYN attack alarms due to not acknowledging SYN packets correctly, but never triggering a PORT SCAN attack. I suspect the remote Netscreen firewall may be complaining about a SYN attack rather than a Port Scan. Again, without a log, the end user can not be taken seriously.

Regards,
-boni bruno
Date: Tue, 5 Feb 2002 14:51:08 -0800
From: Tracy R Reed <treed () ultraviolet org>
To: firewall-wizards () nfr com
Subject: [fw-wiz] Netscreen firewall and portscans?

I keep getting emails from people saying we are port scanning their system. Averaging one a day but it varies. We have checked and double checked just to make sure we aren't owned and we definitely are not. The alleged scans are coming from virtual interfaces on our BigIP F5 load balancing systems. The reports are almost always without logs, and what logs there are don't provide any info about the packet, whether it was a SYN, what the payload was, etc. Just that it was a TCP packet from our machine to their firewall.

I finally replied to one of the reports and asked what software he was using and he said he uses the Netscreen (www.netscreen.com) IDS. I suggested that it wasn't a port scan at all but I couldn't be sure unless I knew what flags were on the packets and what the size and payload of the packet was. The user avoided anything to do with the technical aspects of TCP such as flags on packets etc. I suspect he has no clue what I am talking about. His position is that the IDS said we were portscanning so goshdarnit we must be portscanning his machine! I have a feeling that a lot of these reports come from people in similar positions. I think it's just lame IDS systems out there (possibly all Netscreen systems) giving false alarms.

We have some webpages with lots of small graphics. My theory is that the IDS sees a flurry of packets going back to some system behind his firewall all at different port numbers in a short amount of time and flags it as a portscan regardless of whether SYN was set or not. Anyone else have experience or heard of such false alarms?
It is really annoying getting reports of portscans all the time because if we do someday get owned and someone scans we might ignore the report.

--
Tracy Reed http://www.ultraviolet.org "She moves in mysterious ways"

Message: 3
Date: Wed, 6 Feb 2002 01:54:19 -0500 (EST)
From: "R. DuFresne" <dufresne () sysinfo com>
To: Tracy R Reed <treed () ultraviolet org>
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Netscreen firewall and portscans?
Organization: sysinfo.com

The care and feeding of an IDS is a very overlooked issue with many sites that enable them, and most place these beasts on the external side and leave default settings in place such that they tend to be worthless alarms that wake their admins in the wee morning hours with meaningless crap for sure. It's been an area of discussion on this list, and not too long ago. Folks issuing complaints without supplying logs and timestamps of the suspected intrusions should in most cases just be sent to /dev/null. Often these are coming from sites that outsource their perimeter access to an MSSP with undertrained and unskilled staff lacking the ability to tame those IDS beasts they manage, let alone safely manage the rulebases for the fw-1 systems they are maintaining for their clients. The main point is though, how can you be expected to investigate such an issue without some documented logging information to compare with your systems' logs and their associated timestamps?

Thanks,
Ron DuFresne

On Tue, 5 Feb 2002, Tracy R Reed wrote:
> I keep getting emails from people saying we are port scanning their system. Averaging one a day but it varies.
> [...]

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
Message: 4
Date: Wed, 06 Feb 2002 09:24:32 +0100
From: Pierre-Yves Bonnetain <bonnetain () acm org>
Reply-To: bonnetain () acm org
Organization: B&A Consultants
To: firewall-wizards () nfr com
Subject: [fw-wiz] URL filtering

Hello,

I am currently setting up a reverse proxy to protect some web servers. The proxy is based on Apache/mod_proxy/mod_rewrite. I want to do URL filtering _and_ script args filtering too. URL filtering seems no big deal with mod_rewrite, just a matter of getting the proper list and regular expressions and putting them into mod_rewrite syntax. But as far as script args are concerned... it's another matter (or I haven't understood all the doc :-). Has anyone of you done something similar? Do you have any pointer where I may find more data?

Thanks,
Cheers,
--
Pierre-Yves Bonnetain
Consultant Sécurité -- B&A Consultants
Tél +33 (0) 563 277 241 -- Fax +33 (0) 563 277 245

Message: 5
Date: Wed, 06 Feb 2002 09:50:30 +0100
From: Pierre-Yves Bonnetain <bonnetain () acm org>
Reply-To: bonnetain () acm org
Organization: B&A Consultants
To: Tracy R Reed <treed () ultraviolet org>
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Netscreen firewall and portscans?

Tracy R Reed wrote:
> graphics. My theory is that the IDS sees a flurry of packets going back to some system behind his firewall all at different port numbers in a short amount of time and flags it as a portscan regardless of whether SYN was set or not. Anyone else have experience or heard of such false alarms?

Yes. I've had something similar with an overly sensitive ISS RealSecure. It was triggering alarms about _outgoing_ scans from one of our nets, when some people were surfing on small-images-heavy sites. Quite the same symptom as what you describe: a flurry of TCP connections, an alarm-triggering level set far too low... and red lights all over the place. This has been solved by 'intelligently' bumping up the level above which the IDS triggers some alarms (for floods, scans and the like).
It took some doing. We did not want to review all alarms one by one (time consuming), so each and every time we got 'too many' alerts we investigated to check if it was a false positive and, if so, straightened it (not too much, though; just to avoid having red lights whenever someone goes surfing).

Hth,
--
Pierre-Yves Bonnetain
Consultant Sécurité -- B&A Consultants
Tél +33 (0) 563 277 241 -- Fax +33 (0) 563 277 245

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
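Added example, not code from the list, from NetScreen or from F5: a toy Python scan detector run over constructed packet records, to make the false-positive mechanism in this thread concrete. The flag-blind rule counts distinct destination ports per source/destination pair inside a short window, which is what Tracy's theory describes; the SYN-only rule counts just connection initiations (SYN set, ACK clear), which is what a "quick connections to multiple ports" check like the one Boni describes should key on. The addresses, the threshold (10 ports within one second), the packet layout and the traffic generators are assumptions chosen for illustration.

```python
# Added example: toy port-scan heuristics over constructed packet records.
# Not NetScreen's, F5's or the list's code; thresholds, addresses and the
# packet layout are assumptions chosen for illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since start of capture (constructed)
    src: str
    dst: str
    dport: int
    flags: str    # TCP flag letters, e.g. "S", "SA", "PA"


THRESHOLD_PORTS = 10   # assumed: distinct ports that count as a "scan"
WINDOW_SECONDS = 1.0   # assumed: sliding window length


def is_pure_syn(p: Packet) -> bool:
    """A new connection attempt: SYN set, ACK clear (SYN/ACK replies do not count)."""
    return "S" in p.flags and "A" not in p.flags


def max_distinct_ports(packets, window=WINDOW_SECONDS, count_packet=lambda p: True):
    """For each (src, dst) pair, the largest number of distinct destination ports
    seen inside any `window`-second span, counting only packets count_packet() accepts."""
    by_pair = defaultdict(list)
    for p in packets:
        if count_packet(p):
            by_pair[(p.src, p.dst)].append((p.ts, p.dport))
    result = {}
    for pair, events in by_pair.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dp for _, dp in events[start:end + 1]}))
        result[pair] = best
    return result


def naive_scan_alerts(packets, threshold=THRESHOLD_PORTS):
    """Flag-blind rule: many distinct ports from one source to one host, any TCP flags."""
    counts = max_distinct_ports(packets)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


def syn_scan_alerts(packets, threshold=THRESHOLD_PORTS):
    """Same rule, but only pure SYN packets (connection initiations) are counted."""
    counts = max_distinct_ports(packets, count_packet=is_pure_syn)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


def web_server_replies(vip, client, n):
    """Constructed traffic: a browser behind the remote firewall opens n connections
    to port 80 on a load-balancer VIP to fetch small images. Each reply travels back
    to a different ephemeral client port, so the VIP 'hits' n ports on the client."""
    pkts = []
    for i in range(n):
        t, ephemeral = 0.01 * i, 40000 + i
        pkts.append(Packet(t, client, vip, 80, "S"))                  # client SYN
        pkts.append(Packet(t + 0.001, vip, client, ephemeral, "SA"))  # VIP SYN/ACK
        pkts.append(Packet(t + 0.003, vip, client, ephemeral, "PA"))  # VIP sends data
    return pkts


def port_scan(scanner, target, ports):
    """Constructed traffic: a real SYN scan of consecutive ports."""
    return [Packet(0.001 * i, scanner, target, port, "S") for i, port in enumerate(ports)]


# Constructed sample: 20 image fetches by a client, plus a 29-port SYN scan of it.
VIP, CLIENT, SCANNER = "203.0.113.10", "198.51.100.7", "192.0.2.99"
SAMPLE = web_server_replies(VIP, CLIENT, 20) + port_scan(SCANNER, CLIENT, range(1, 30))


if __name__ == "__main__":
    print("flag-blind rule flags:", naive_scan_alerts(SAMPLE))
    print("SYN-only rule flags:  ", syn_scan_alerts(SAMPLE))
```

On the constructed sample the flag-blind rule reports both the scanner and the load-balancer VIP as scanning the client, because the VIP's SYN/ACK and data packets land on twenty different ephemeral ports in under a quarter of a second; the SYN-only rule reports just the scanner. That is why the thread keeps asking for logs with flags and timestamps: a line saying "TCP packet from your host" cannot distinguish the two cases, whereas a record showing SYN/ACK to ephemeral ports settles it in the web server's favour.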
Current thread:
- Netscreen firewall and portscans? Tracy R Reed (Feb 05)
- Re: Netscreen firewall and portscans? R. DuFresne (Feb 06)
- Re: Netscreen firewall and portscans? Pierre-Yves Bonnetain (Feb 06)
- Re: Netscreen firewall and portscans? Raul Duke (Feb 06)
- Re: Netscreen firewall and portscans? damiank (Feb 06)
- Re: Netscreen firewall and portscans? David Lang (Feb 06)
- Re: Netscreen firewall and portscans? Richard Johnson (Feb 07)
- <Possible follow-ups>
- RE: Netscreen firewall and portscans? Michael Walter (Feb 06)
- RE: Netscreen firewall and portscans? Christopher Lee (Feb 06)
- Re: Netscreen firewall and portscans? TDyson (Feb 06)
- Re: Netscreen firewall and portscans? Boni Bruno (Feb 06)
- Re: Netscreen firewall and portscans? Edward (Feb 06)
- RE: Netscreen firewall and portscans? Jason Lewis (Feb 07)
- Re: Netscreen firewall and portscans? Edward (Feb 06)
- Re: Netscreen firewall and portscans? Philip J. Koenig (Feb 07)