Netscreen firewall and portscans?

[Tracy R Reed <treed () ultraviolet org>]

I keep getting emails from people saying we are port scanning their
system. Averaging one a day but it varies. We have checked and double
checked just to make sure we aren't owned and we definitely are not. The
alleged scans are coming from virtual interfaces on our BigIP F5 load
balancing systems.

The reports are almost always without logs and what logs there are don't
provide any info about the packet, whether it was a SYN, what the payload
was, etc. Just that it was a TCP packet from our machine to their
firewall. I finally replied to one of the reports and asked what software
he was using and he said he uses the Netscreen (www.netscreen.com) IDS. I
suggested that it wasn't a port scan at all but I couldn't be sure unless
I know what flags were on the packets and what the size and payload of the
packet was. The user avoided anything to do with the technical aspects of
TCP such as flags on packets etc. I suspect he has no clue what I am
talking about. His position is that the IDS said we were portscanning so
goshdarnit we must be portscanning his machine! I have a feeling that a
lot of these reports come from people in similar positions.

I think it's just lame IDS systems out there (possibly all Netscreen
systems) giving false alarms. We have some webpages with lots of small
graphics. My theory is that the IDS sees a flurry of packets going back to
some system behind his firewall all at different port numbers in a short
amount of time and flags it as a portscan regardless of whether SYN was
set or not.

Anyone else have experience or heard of such false alarms?

It is really annoying getting reports of portscans all the time because if
we do someday get owned and someone scans we might ignore the report.

-- 
Tracy Reed      http://www.ultraviolet.org
"She moves in mysterious ways"

Attachment: _bin
Description: