Firewall Wizards mailing list archives

Re: Netscreen firewall and portscans?


From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Thu, 7 Feb 2002 15:29:48 -0800

Date: Wed, 06 Feb 2002 11:34:51 -0800
From: "Boni Bruno" <bbruno () dsw net>

Netscreen itself is primarily a firewall with some Firewall Protection
settings and a nice malicious URL detection feature, but in no way is it
an advanced intrusion detection system.  The firewall protection features
are as follows:

Detect SYN Attacks, ICMP Flood, UDP Flood, Ping of Death, WinNuke, 
Detect Port Scan, Land Attack, TearDrop, Source Route Packets, 
Detect Address Sweep Attacks, and IP Spoofing.

The SYN Attacks, ICMP & UDP Flood have configurable thresholds which, if set
too low, can produce false positives.  This may be the problem with the
client trying to contact you.  However, they have to produce a log to
merit any attention....

The Port Scan Detection feature is only triggered if a given source
address attempts quick connections to multiple ports on the destination
network the firewall is protecting.  This is not a common characteristic
for any web server, even if it's behind BIGIP.  

I have seen some load balancers utilizing virtual IPs trigger SYN
attacks due to not acknowledging SYN packets correctly, but never
triggering a PORT SCAN attack.  I suspect the remote Netscreen firewall
may be complaining about a SYN attack rather than a Port Scan.  Again,
without a log, the end user cannot be taken seriously. 


Sonicwalls have had a nasty habit of warning on 'syn-floods' during 
certain types of user activity, the most common one seems to be 
accessing a website that has a cache somewhere in the path.  What 
makes it worse is the threshold isn't settable, unless that has 
changed in a recent version of firmware.

Sometimes they also report "port scan attempts" when someone 
traceroutes to a host behind the firewall, since typical traceroute 
starts sequencing up through a set of ports starting at around 33434.


Phil




--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
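As an added illustration, not part of either poster's message and not Netscreen or SonicWALL code, the following Python sketch shows the kind of "many distinct ports from one source in a short window" heuristic the thread describes, and a check that separates a UDP traceroute (destination ports walking up from 33434 with rising TTL) from a real port scan before raising the alert. The packet records, the port/window thresholds and the 33434-33534 port range are constructed assumptions chosen to match the thread's description, not values taken from any product.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed port range that a classic UDP traceroute walks through: it starts
# at 33434 and increments once per probe, so 100 ports covers a long trace.
TRACEROUTE_PORT_LO = 33434
TRACEROUTE_PORT_HI = 33534


@dataclass(frozen=True)
class Packet:
    """One packet as a firewall would log it (constructed record format)."""
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    ttl: int       # TTL as seen on arrival at the firewall


def port_scan_sources(packets, port_threshold=5, window=2.0):
    """Flag (src, dst) pairs that hit >= port_threshold distinct destination
    ports within `window` seconds.  Thresholds are assumptions for the demo."""
    per_flow = defaultdict(list)
    for p in packets:
        per_flow[(p.src, p.dst)].append((p.ts, p.dport))
    flagged = set()
    for key, hits in per_flow.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so hits[start..end] spans at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dport for _, dport in hits[start:end + 1]}
            if len(distinct) >= port_threshold:
                flagged.add(key)
                break
    return flagged


def looks_like_traceroute(flow):
    """True when every packet is UDP, all ports lie in the traceroute range,
    ports never decrease and TTL never decreases (3 probes per hop share a
    TTL, so non-decreasing rather than strictly increasing)."""
    if len(flow) < 3 or any(p.proto != "udp" for p in flow):
        return False
    flow = sorted(flow, key=lambda p: p.ts)
    ports = [p.dport for p in flow]
    ttls = [p.ttl for p in flow]
    in_range = all(TRACEROUTE_PORT_LO <= d <= TRACEROUTE_PORT_HI for d in ports)
    ports_rise = all(b >= a for a, b in zip(ports, ports[1:]))
    ttl_rise = all(b >= a for a, b in zip(ttls, ttls[1:]))
    return in_range and ports_rise and ttl_rise


def classify(packets):
    """Run the scan heuristic, then label each flagged flow as a traceroute
    false positive or a genuine port scan."""
    result = {}
    for key in port_scan_sources(packets):
        flow = [p for p in packets if (p.src, p.dst) == key]
        result[key] = "traceroute" if looks_like_traceroute(flow) else "port scan"
    return result


# Constructed sample traffic.  First a traceroute toward 192.0.2.10: one UDP
# probe per hop, port and TTL both stepping up.  Then a quick TCP scan of
# common service ports from a second host.
TRACEROUTE = [
    Packet(0.1 * i, "10.0.0.5", "192.0.2.10", "udp", 33434 + i, 1 + i)
    for i in range(8)
]
PORTSCAN = [
    Packet(0.1 * i, "198.51.100.7", "192.0.2.10", "tcp", port, 64)
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 443])
]

if __name__ == "__main__":
    for flow, label in classify(TRACEROUTE + PORTSCAN).items():
        print(f"{flow[0]} -> {flow[1]}: {label}")
```

Both flows trip the raw "many ports, short window" rule; only the traceroute check keeps the first one from being reported as a scan, which is exactly the false positive described above.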

