Firewall Wizards mailing list archives
RE: Netscreen firewall and portscans?
From: Christopher Lee <complexity () bigfoot com>
Date: Wed, 6 Feb 2002 17:35:24 -0500
Tracy,

Just curious, does the BigIP try to load balance based on the source of the traffic? These port scans reported could be the result of the firewall reacting to the load balancer trying to determine the "distance" to the source of the traffic. I am not familiar with BigIP, but some other LB products out there try to determine the distance by sending packets to certain ports on certain hosts on the source network. This probing can be directed at the NS record, the MX record or even merely at the origin of the traffic...

What might have set off the portscan alert is probably that most LBs will try one port after another until they eventually give up or receive an ICMP-Dest-Unreachable/ICMP-Port-Unreachable/a real response. This type of "port hopping" behaviour will and should set off IDS alerts...

You should place a simple sniffer in front of your BigIP box and find out if it's initiating connections to other networks...

Regards,

p/s, NetScreen is not an IDS (per se). It's a firewall appliance that has basic IDS features built in...

Christopher Lee
PGP Fingerprint: 15C1 65D0 E051 C64D 5246 89FC 5AE3 DE2C 8F1E 89A7
Personal Web Page: http://complexity.webhop.net

Quoting Michael Walter <mwalter () wholehealthnet com>:
Hey Tracy,

Just a quick note on your message: You seem to make the assumption that SYN scanning is the only method of port scanning. There are actually several methods of doing a port scan without sending SYN flags. I'd recommend http://www.insecure.org/nmap/nmap_doc.html for some interesting reading on the subject.

Michael J. Walter
RHCE, MCDBA, MCSE, CCNA, CCA, A+
Network Administrator
Whole Health Management Inc.
Phone: 216.921.8601 x49
Mail: 20600 Chagrin Blvd., Suite 1000
Cleveland, OH 44122

-----Original Message-----
From: Tracy R Reed [mailto:treed () ultraviolet org]
Sent: Tuesday, February 05, 2002 5:51 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Netscreen firewall and portscans?

I keep getting emails from people saying we are port scanning their system. Averaging one a day but it varies. We have checked and double checked just to make sure we aren't owned and we definitely are not. The alleged scans are coming from virtual interfaces on our BigIP F5 load balancing systems. The reports are almost always without logs and what logs there are don't provide any info about the packet, whether it was a SYN, what the payload was, etc. Just that it was a TCP packet from our machine to their firewall.

I finally replied to one of the reports and asked what software he was using and he said he uses the Netscreen (www.netscreen.com) IDS. I suggested that it wasn't a port scan at all but I couldn't be sure unless I know what flags were on the packets and what the size and payload of the packet was. The user avoided anything to do with the technical aspects of TCP such as flags on packets etc. I suspect he has no clue what I am talking about. His position is that the IDS said we were portscanning so goshdarnit we must be portscanning his machine! I have a feeling that a lot of these reports come from people in similar positions. I think it's just lame IDS systems out there (possibly all Netscreen systems) giving false alarms.

We have some webpages with lots of small graphics. My theory is that the IDS sees a flurry of packets going back to some system behind his firewall all at different port numbers in a short amount of time and flags it as a portscan regardless of whether SYN was set or not. Anyone else have experience or heard of such false alarms? It is really annoying getting reports of portscans all the time because if we do someday get owned and someone scans we might ignore the report.

--
Tracy Reed
http://www.ultraviolet.org
"She moves in mysterious ways"

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
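The thread turns on two points: Tracy's theory that the remote box counts any TCP packet to many destination ports as a scan (so a web server answering a browser's dozen image connections, each on a different ephemeral client port, looks like one), and Michael's point that real scans need not carry SYN at all. The following is an added example, not code from any poster or from NetScreen, BigIP or nmap: a naive "distinct destination ports per window" heuristic of the kind Tracy suspects, beside a flag-aware variant that counts only unsolicited probes. The addresses, ports and packet records are constructed for the example; the record layout `(timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)` is an assumption, not any product's log format.

```python
from collections import defaultdict

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed stand-ins: the load balancer's virtual IP and the complaining host.
VIP = "192.0.2.10"
CLIENT = "198.51.100.7"


def _records(src, dst, ports, flags, start=0.0, gap=0.05):
    """Build constructed packet records (ts, src_ip, src_port, dst_ip, dst_port, flags).

    `ports` is a list of (src_port, dst_port) pairs; one record per pair, `gap`
    seconds apart, so a burst of N records spans roughly N*gap seconds."""
    return [(start + i * gap, src, sp, dst, dp, flags)
            for i, (sp, dp) in enumerate(ports)]


# Constructed: the browser fetched a page with 12 small images, opening 12
# connections from 12 ephemeral ports. The server answers every one from port
# 80: a SYN/ACK per handshake, then a data segment (PSH/ACK) per connection.
EPHEMERAL = [40000 + i for i in range(12)]
SERVER_REPLIES = (
    _records(VIP, CLIENT, [(80, p) for p in EPHEMERAL], SYN | ACK)
    + _records(VIP, CLIENT, [(80, p) for p in EPHEMERAL], PSH | ACK, start=0.6)
)

# Constructed: a genuine SYN scan from the same address, one bare SYN per port.
SYN_SCAN = _records(VIP, CLIENT, [(51234, p) for p in range(20, 32)], SYN)

# Constructed: a FIN scan, which never sends SYN (Michael's point).
FIN_SCAN = _records(VIP, CLIENT, [(51235, p) for p in range(20, 32)], FIN)


def _flagged(records, threshold, window, counts):
    """Return the set of (src_ip, dst_ip) pairs that touched at least `threshold`
    distinct destination ports within any `window`-second span, considering only
    records whose flags satisfy `counts(flags)`."""
    touched = defaultdict(list)  # (src, dst) -> [(ts, dst_port), ...] in time order
    for ts, src, _sp, dst, dp, flags in sorted(records):
        if counts(flags):
            touched[(src, dst)].append((ts, dp))
    hits = set()
    for pair, events in touched.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({dp for _, dp in events[start:end + 1]}) >= threshold:
                hits.add(pair)
                break
    return hits


def naive_portscan(records, threshold=10, window=2.0):
    """Count every TCP packet regardless of flags. This is the behaviour Tracy
    suspects: a server's replies to many client ports trip it."""
    return _flagged(records, threshold, window, lambda f: True)


def probe_aware_portscan(records, threshold=10, window=2.0):
    """Count only packets that cannot be replies. Anything sent in response to the
    peer carries ACK (SYN/ACK, ACK, FIN/ACK) or is an RST; a segment with neither
    is an unsolicited probe, whether it is a SYN, FIN, NULL or Xmas packet."""
    return _flagged(records, threshold, window,
                    lambda f: not (f & ACK) and not (f & RST))


if __name__ == "__main__":
    for name, sample in (("server replies", SERVER_REPLIES),
                         ("SYN scan", SYN_SCAN), ("FIN scan", FIN_SCAN)):
        print(f"{name:15s} naive={sorted(naive_portscan(sample))} "
              f"probe-aware={sorted(probe_aware_portscan(sample))}")
```

The naive heuristic flags the server's replies exactly as Tracy describes, since twelve distinct destination ports appear within two seconds. The probe-aware variant ignores them because every reply carries ACK, yet it still catches the FIN scan, which a SYN-only rule would miss. To run Christopher's sniffer check on the sending side, the same distinction applies on the wire: assuming the load balancer's outside interface is `eth0` and its virtual IP is 192.0.2.10 (both assumptions), `tcpdump -ni eth0 'src host 192.0.2.10 and tcp[tcpflags] & tcp-ack == 0 and tcp[tcpflags] & tcp-rst == 0'` shows only segments the balancer originated rather than answered; if that capture stays empty while the complaints keep coming, the remote alerts are being raised on reply traffic.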
Current thread:
- Netscreen firewall and portscans? Tracy R Reed (Feb 05)
- Re: Netscreen firewall and portscans? R. DuFresne (Feb 06)
- Re: Netscreen firewall and portscans? Pierre-Yves Bonnetain (Feb 06)
- Re: Netscreen firewall and portscans? Raul Duke (Feb 06)
- Re: Netscreen firewall and portscans? damiank (Feb 06)
- Re: Netscreen firewall and portscans? David Lang (Feb 06)
- Re: Netscreen firewall and portscans? Richard Johnson (Feb 07)
- <Possible follow-ups>
- RE: Netscreen firewall and portscans? Michael Walter (Feb 06)
- RE: Netscreen firewall and portscans? Christopher Lee (Feb 06)
- Re: Netscreen firewall and portscans? TDyson (Feb 06)
- Re: Netscreen firewall and portscans? Boni Bruno (Feb 06)
- Re: Netscreen firewall and portscans? Edward (Feb 06)
- RE: Netscreen firewall and portscans? Jason Lewis (Feb 07)
- Re: Netscreen firewall and portscans? Edward (Feb 06)
- Re: Netscreen firewall and portscans? Philip J. Koenig (Feb 07)