Firewall Wizards mailing list archives
RE: Netscreen firewall and portscans?
From: Michael Walter <mwalter () wholehealthnet com>
Date: Wed, 6 Feb 2002 09:25:52 -0500
Hey Tracy, Just a quick note on your message: You seem to make the assumption that SYN scanning is the only method of port scanning. There are actually several methods of doing a port scan without sending syn flags. I'd recommend http://www.insecure.org/nmap/nmap_doc.html for some interesting reading on the subject. Michael J. Walter RHCE, MCDBA, MCSE, CCNA, CCA, A+ Network Administrator Whole Health Management Inc. Phone: 216.921.8601 x49 Mail: 20600 Chagrin Blvd., Suite 1000 Cleveland, OH 44122 -----Original Message----- From: Tracy R Reed [mailto:treed () ultraviolet org] Sent: Tuesday, February 05, 2002 5:51 PM To: firewall-wizards () nfr com Subject: [fw-wiz] Netscreen firewall and portscans? I keep getting emails from people saying we are port scanning their system. Averaging one a day but it varies. We have checked and double checked just to make sure we aren't owned and we definitely are not. The alleged scans are coming from virtual interfaces on our BigIP F5 load balancing systems. The reports are almost always without logs and what logs there are don't provide any info about the packet, whether it was a SYN, what the payload was, etc. Just that it was a TCP packet from our machine to their firewall. I finally replied to one of the reports and asked what software he was using and he said he uses the Netscreen (www.netscreen.com) IDS. I suggested that it wasn't a port scan at all but I couldn't be sure unless I know what flags were on the packets and what the size and payload of the packet was. The user avoided anything to do with the technical aspects of TCP such as flags on packets etc. I suspect he has no clue what I am talking about. His position is that the IDS said we were portscanning so goshdarnit we must be portscanning his machine! I have a feeling that a lot of these reports come from people in similar positions. I think it's just lame IDS systems out there (possibly all Netscreen systems) giving false alarms. We have some webpages with lots of small graphics. My theory is that the IDS sees a flurry of packets going back to some system behind his firewall all at different port numbers in a short amount of time and flags it as a portscan regardless of whether SYN was set or not. Anyone else have experience or heard of such false alarms? It is really annoying getting reports of portscans all the time because if we do someday get owned and someone scans we might ignore the report. -- Tracy Reed http://www.ultraviolet.org "She moves in mysterious ways" _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Netscreen firewall and portscans? Tracy R Reed (Feb 05)
- Re: Netscreen firewall and portscans? R. DuFresne (Feb 06)
- Re: Netscreen firewall and portscans? Pierre-Yves Bonnetain (Feb 06)
- Re: Netscreen firewall and portscans? Raul Duke (Feb 06)
- Re: Netscreen firewall and portscans? damiank (Feb 06)
- Re: Netscreen firewall and portscans? David Lang (Feb 06)
- Re: Netscreen firewall and portscans? Richard Johnson (Feb 07)
- <Possible follow-ups>
- RE: Netscreen firewall and portscans? Michael Walter (Feb 06)
- RE: Netscreen firewall and portscans? Christopher Lee (Feb 06)
- Re: Netscreen firewall and portscans? TDyson (Feb 06)
- Re: Netscreen firewall and portscans? Boni Bruno (Feb 06)
- Re: Netscreen firewall and portscans? Edward (Feb 06)
- RE: Netscreen firewall and portscans? Jason Lewis (Feb 07)
- Re: Netscreen firewall and portscans? Edward (Feb 06)
- Re: Netscreen firewall and portscans? Philip J. Koenig (Feb 07)