Firewall Wizards mailing list archives
Re: Netscreen firewall and portscans?
From: Edward <edward () west net>
Date: Wed, 6 Feb 2002 15:26:36 -0800 (PST)
On Wed, 6 Feb 2002, Boni Bruno wrote:
> Netscreen itself is primarily a firewall with some Firewall Protection settings and a nice malicious URL detection feature, but in no way is it an advanced intrusion detection system. The firewall protection features are as follows: Detect SYN Attacks, ICMP Flood, UDP Flood, Ping of Death, WinNuke, Detect Port Scan, Land Attack, TearDrop, Source Route Packets, Detect Address Sweep Attacks, and IP Spoofing. The SYN Attacks, ICMP & UDP Flood have a configurable threshold which, if set too low, can produce false positives. This may be the problem with the client trying to contact you. However, they have to produce a log to merit any attention.... The Port Scan Detection feature is only triggered if a given source address attempts quick connections to multiple ports on the destination network the firewall is protecting. This is not a common characteristic for any web server, even if it's behind BIGIP.
I have :) We're running two BigIPs and I occasionally get complaints from customers regarding port scans with a source port of 80 and the source IP of our BigIP's VIP. We're using 3.3.1PTF-02 Build2. Some of our applications use http redirects along with Mirror Image for CDN services. Every now and then I get a complaint from a customer with a Netscreen appliance. After extremely thorough research and a few calls to F5 I've written this off as a bug in the Netscreen's code.

- Edward (Tell Marco & Louis I said hi :)
> I have seen some load balancers utilizing virtual IPs trigger SYN attacks due to not acknowledging SYN packets correctly, but never triggering a PORT SCAN attack. I suspect the remote Netscreen firewall may be complaining about a SYN attack rather than a Port Scan. Again, without a log, the end user cannot be taken seriously.
>
> Regards,
> -boni bruno
[snip]

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
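The false positive the thread describes comes from a "one source address, many destination ports" rule firing on a web server's return traffic (source port 80 towards a client's ephemeral ports). The following is an added illustration, not code from the thread or from Netscreen or F5: the naive rule beside a variant that also looks at the source port and TCP flags. The addresses, ports and flags are constructed sample data, and the heuristic is an assumption about how a detector might tell the two apart, not Netscreen's actual logic.

```python
from collections import defaultdict

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
# 198.51.100.9 probes several low ports on one host (a real scan).
# 203.0.113.10:80 is a load balancer VIP answering one client's ephemeral ports,
# which is the traffic pattern the thread says is being reported as a port scan.
SAMPLE_PACKETS = [
    ("198.51.100.9", 40001, "192.0.2.5", 21, "S"),
    ("198.51.100.9", 40002, "192.0.2.5", 22, "S"),
    ("198.51.100.9", 40003, "192.0.2.5", 23, "S"),
    ("198.51.100.9", 40004, "192.0.2.5", 25, "S"),
    ("203.0.113.10", 80, "192.0.2.5", 51234, "SA"),
    ("203.0.113.10", 80, "192.0.2.5", 51235, "A"),
    ("203.0.113.10", 80, "192.0.2.5", 51236, "SA"),
    ("203.0.113.10", 80, "192.0.2.5", 51237, "A"),
]


def _group_by_source(packets):
    by_src = defaultdict(list)
    for p in packets:
        by_src[p[0]].append(p)
    return by_src


def naive_scan_sources(packets, threshold=3):
    """Count-only rule: any source hitting >= threshold distinct destination
    ports is a scanner. This is the rule that misfires on the VIP's replies."""
    by_src = _group_by_source(packets)
    return {src for src, pkts in by_src.items()
            if len({p[3] for p in pkts}) >= threshold}


def classify_sources(packets, threshold=3):
    """Same count trigger, but a source that keeps one well-known source port,
    sends only ACK-bearing segments and targets ephemeral ports is treated as a
    server replying to a client rather than as a scanner (assumed heuristic)."""
    verdicts = {}
    for src, pkts in _group_by_source(packets).items():
        dst_ports = {p[3] for p in pkts}
        if len(dst_ports) < threshold:
            verdicts[src] = "ok"
            continue
        src_ports = {p[1] for p in pkts}
        single_wellknown_src = len(src_ports) == 1 and min(src_ports) < 1024
        all_acks = all("A" in p[4] for p in pkts)
        all_ephemeral_dsts = all(port >= 1024 for port in dst_ports)
        if single_wellknown_src and all_acks and all_ephemeral_dsts:
            verdicts[src] = "server-replies"
        else:
            verdicts[src] = "port-scan"
    return verdicts
```

Run on the sample, the naive rule flags both sources while the flag-aware variant keeps only the scanner; the point for an operator is that a "port scan" log line naming source port 80 deserves a look at the flags and destination ports before the reported source is treated as hostile.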