Re: Netscreen firewall and portscans?

["Richard Johnson" <rdump () river com>]

At 14:51 -0800 on 2/5/02, Tracy R Reed wrote:
> I think it's just lame IDS systems out there (possibly all Netscreen
> systems) giving false alarms. We have some webpages with lots of small
> graphics. My theory is that the IDS sees a flurry of packets going back to
> some system behind his firewall all at different port numbers in a short
> amount of time and flags it as a portscan regardless of whether SYN was
> set or not.



Bingo.  You have hit the nail on the head.  Port scan detectors are
sometimes fooled by multiple rapid tcp connections for ftp or http
downloads.

You'll also see the problem with real IDSes like NFR.  However, with those
you're more likely to have a sysadmin in charge who knows what's going on,
and who can tune the thresholds as appropriate for the network.  At the
very least, you'll have someone more level-headed than your average PC
troll, who might call you and ask why one of your Crays appears to be
port-scanning the new firewall at their DOE lab every hour at 11 minutes
past the hour. :-)

Sadly, given the level of knowledge of a typical "personal firewall" user,
and the rotten quality of the detection and alerting software that makes up
such products, you'll always see a large number of goober reports, also
known as IWPFRs (Idiot With Personal Firewall Reports).


> Anyone else have experience or heard of such false alarms?


We also get occasional threats of legal action from users of Netscreen,
Norton, and ZoneAlarm.

Those products are broken enough that return traffic requested by the
user's system is flagged (without details being made available, of course)
as a big hairy attack.

In particular, most of the seriously amusing reports come from users whose
personal firewalls issue false alarms regarding a widely-known and widely
used NTP server on our net.  After they attempt to sync their PC's clock,
they send us a report about how time.nist.gov "port scanned and flooded"
their entire network.

Yes, of course the "flood" is one packet per hour (or however often they
run their ntpdate equivalent), and the "scan" is always a single packet to
port 123.  But their personal firewall told them it was scary, so we should
stop it or they'll sue us.  <sigh>


> It is really annoying getting reports of portscans all the time because if
> we do someday get owned and someone scans we might ignore the report.


For that very reason, we don't ignore any reports, even if it takes time to
debunk the goobers.  For the really suspiciously gooberlike reports,
however, we have a boilerplate reply.  It tells the sender how to submit a
useful incident report (what kind of packet and flag data to include, how
timestamps need time zone information, how it's a good idea to avoid
threats and demands, etc.).  It also asks for a reply if our description of
the usual false alarms (Netscreen falses a lot on port scans and SYN
floods, ZoneAlarm has problems with NTP) doesn't seem to apply to their
situation.

If the reporter can't or won't give us details, we can only file it as a
possible.  We can at least watch for jumps in the number of reports.

Most replies we get are along the lines of "Oh, I feel so stupid, please
don't block my access."  So at least we're getting a small fraction of the
new goobers who join the net every day educated.

Of course, we're watching our network fairly closely ourselves for port
scan activity.  Network IDS systems (NFR, snort, etc.) and netflow logs
from our routers both give us a better picture than any outsider running a
personal firewall is likely to be able to provide.


Richard
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards