Firewall Wizards mailing list archives
Re: Netscreen firewall and portscans?
From: "Richard Johnson" <rdump () river com>
Date: Thu, 7 Feb 2002 00:39:52 -0700
At 14:51 -0800 on 2/5/02, Tracy R Reed wrote:
> I think it's just lame IDS systems out there (possibly all Netscreen systems) giving false alarms. We have some webpages with lots of small graphics. My theory is that the IDS sees a flurry of packets going back to some system behind his firewall all at different port numbers in a short amount of time and flags it as a portscan regardless of whether SYN was set or not.
Bingo. You have hit the nail on the head. Port scan detectors are sometimes fooled by multiple rapid TCP connections for FTP or HTTP downloads. You'll also see the problem with real IDSes like NFR. However, with those you're more likely to have a sysadmin in charge who knows what's going on, and who can tune the thresholds as appropriate for the network. At the very least, you'll have someone more level-headed than your average PC troll, who might call you and ask why one of your Crays appears to be port-scanning the new firewall at their DOE lab every hour at 11 minutes past the hour. :-) Sadly, given the level of knowledge of a typical "personal firewall" user, and the rotten quality of the detection and alerting software that makes up such products, you'll always see a large number of goober reports, also known as IWPFRs (Idiot With Personal Firewall Reports).
> Anyone else have experience or heard of such false alarms?
We also get occasional threats of legal action from users of Netscreen, Norton, and ZoneAlarm. Those products are broken enough that return traffic requested by the user's system is flagged (without details being made available, of course) as a big hairy attack. In particular, most of the seriously amusing reports come from users whose personal firewalls issue false alarms regarding a widely-known and widely used NTP server on our net. After they attempt to sync their PC's clock, they send us a report about how time.nist.gov "port scanned and flooded" their entire network. Yes, of course the "flood" is one packet per hour (or however often they run their ntpdate equivalent), and the "scan" is always a single packet to port 123. But their personal firewall told them it was scary, so we should stop it or they'll sue us. <sigh>
> It is really annoying getting reports of portscans all the time because if we do someday get owned and someone scans we might ignore the report.
For that very reason, we don't ignore any reports, even if it takes time to debunk the goobers. For the really suspiciously gooberlike reports, however, we have a boilerplate reply. It tells the sender how to submit a useful incident report (what kind of packet and flag data to include, how timestamps need time zone information, how it's a good idea to avoid threats and demands, etc.). It also asks for a reply if our description of the usual false alarms (Netscreen falses a lot on port scans and SYN floods, ZoneAlarm has problems with NTP) doesn't seem to apply to their situation. If the reporter can't or won't give us details, we can only file it as a possible. We can at least watch for jumps in the number of reports. Most replies we get are along the lines of "Oh, I feel so stupid, please don't block my access." So at least we're getting a small fraction of the new goobers who join the net every day educated.

Of course, we're watching our network fairly closely ourselves for port scan activity. Network IDS systems (NFR, snort, etc.) and netflow logs from our routers both give us a better picture than any outsider running a personal firewall is likely to be able to provide.

Richard
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
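The two false-alarm patterns discussed in this thread (return traffic from many short HTTP connections landing on many client ports, and a single NTP reply to port 123 being reported as a "scan") both come from detectors that count inbound packets without asking whether the local host asked for them. The following Python is an added illustration, not code from the list or from any of the products named above: it runs a stateless "distinct ports per remote host in a time window" detector and a stateful one over constructed packet records. The local prefix `10.0.0.`, the addresses, timings and thresholds are all assumptions made up for the example.

```python
from collections import defaultdict, deque

LOCAL_PREFIX = "10.0.0."  # assumed local network for this example


def is_local(ip):
    return ip.startswith(LOCAL_PREFIX)


def build_sample_traffic():
    """Constructed packet records: (time, src, sport, dst, dport, proto, flags)."""
    pkts = []
    # A: a browser on 10.0.0.5 loads a page with 12 small images from a web
    # server, one short-lived TCP connection per image. The replies come back
    # to 12 different client ports within about a second.
    for i in range(12):
        t, cport = 100.0 + i * 0.05, 40000 + i
        pkts.append((t, "10.0.0.5", cport, "192.0.2.10", 80, "tcp", {"SYN"}))
        pkts.append((t + 0.01, "192.0.2.10", 80, "10.0.0.5", cport, "tcp", {"SYN", "ACK"}))
        pkts.append((t + 0.02, "192.0.2.10", 80, "10.0.0.5", cport, "tcp", {"ACK"}))
    # B: the same host syncs its clock: one UDP query out, one reply to port 123.
    pkts.append((200.0, "10.0.0.5", 123, "192.0.2.123", 123, "udp", set()))
    pkts.append((200.03, "192.0.2.123", 123, "10.0.0.5", 123, "udp", set()))
    # C: a genuine unsolicited SYN scan from an outside host (constructed).
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        pkts.append((300.0 + i * 0.01, "198.51.100.7", 55555, "10.0.0.5", port, "tcp", {"SYN"}))
    return sorted(pkts, key=lambda p: p[0])


def _port_counter(threshold, window):
    """Track distinct target ports per remote host inside a sliding time window."""
    seen = defaultdict(deque)
    verdict = {}

    def note(t, remote, dport):
        q = seen[remote]
        q.append((t, dport))
        while q and q[0][0] < t - window:
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            verdict[remote] = "portscan"
        else:
            verdict.setdefault(remote, "probe")  # any inbound packet counts

    return note, verdict


def naive_detector(packets, threshold=10, window=2.0):
    """Stateless: every inbound packet is treated as unsolicited, flags ignored."""
    note, verdict = _port_counter(threshold, window)
    for t, src, sport, dst, dport, proto, flags in packets:
        if is_local(dst) and not is_local(src):
            note(t, src, dport)
    return verdict


def stateful_detector(packets, threshold=10, window=2.0):
    """Stateful: ignore replies to connections the local side opened and
    count only new inbound connection attempts (TCP SYN without ACK, or
    unsolicited UDP)."""
    note, verdict = _port_counter(threshold, window)
    initiated = set()
    for t, src, sport, dst, dport, proto, flags in packets:
        if is_local(src) and not is_local(dst):
            initiated.add((src, sport, dst, dport, proto))
            continue
        if not (is_local(dst) and not is_local(src)):
            continue
        if (dst, dport, src, sport, proto) in initiated:
            continue  # return traffic we asked for
        if proto == "tcp" and ("SYN" not in flags or "ACK" in flags):
            continue  # not a connection attempt
        note(t, src, dport)
    return verdict


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("stateless :", naive_detector(traffic))
    print("stateful  :", stateful_detector(traffic))
```

The stateless pass reports the web server as a port scanner and the NTP server as a probe, which is exactly the kind of report the message above describes; the stateful pass keeps only the constructed SYN scan. Real IDS tuning also involves whitelisting known servers and raising thresholds, but the state check is what removes most of the self-inflicted alarms.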
Current thread:
- Netscreen firewall and portscans? Tracy R Reed (Feb 05)
- Re: Netscreen firewall and portscans? R. DuFresne (Feb 06)
- Re: Netscreen firewall and portscans? Pierre-Yves Bonnetain (Feb 06)
- Re: Netscreen firewall and portscans? Raul Duke (Feb 06)
- Re: Netscreen firewall and portscans? damiank (Feb 06)
- Re: Netscreen firewall and portscans? David Lang (Feb 06)
- Re: Netscreen firewall and portscans? Richard Johnson (Feb 07)
- <Possible follow-ups>
- RE: Netscreen firewall and portscans? Michael Walter (Feb 06)
- RE: Netscreen firewall and portscans? Christopher Lee (Feb 06)
- Re: Netscreen firewall and portscans? TDyson (Feb 06)
- Re: Netscreen firewall and portscans? Boni Bruno (Feb 06)
- Re: Netscreen firewall and portscans? Edward (Feb 06)
- RE: Netscreen firewall and portscans? Jason Lewis (Feb 07)
- Re: Netscreen firewall and portscans? Edward (Feb 06)
- Re: Netscreen firewall and portscans? Philip J. Koenig (Feb 07)