Firewall Wizards mailing list archives
Re: Netscreen firewall and portscans?
From: "Philip J. Koenig" <pjklist () ekahuna com>
Date: Thu, 7 Feb 2002 15:29:48 -0800
> Date: Wed, 06 Feb 2002 11:34:51 -0800
> From: "Boni Bruno" <bbruno () dsw net>
>
> Netscreen itself is primarily a firewall with some Firewall Protection settings and a nice malicious URL detection feature, but in no way is it an advanced intrusion detection system. The firewall protection features are as follows: Detect SYN Attacks, ICMP Flood, UDP Flood, Ping of Death, WinNuke, Detect Port Scan, Land Attack, TearDrop, Source Route Packets, Detect Address Sweep Attacks, and IP Spoofing.
>
> The SYN Attacks, ICMP & UDP Flood have a configurable threshold which, if set too low, can produce false positives. This may be the problem with the client trying to contact you. However, they have to produce a log to merit any attention....
>
> The Port Scan Detection feature is only triggered if a given source address attempts quick connections to multiple ports on the destination network the firewall is protecting. This is not a common characteristic for any web server, even if it's behind BIGIP. I have seen some load balancers utilizing virtual IPs trigger SYN attacks due to not acknowledging SYN packets correctly, but never triggering a PORT SCAN attack. I suspect the remote Netscreen firewall may be complaining about a SYN attack rather than a Port Scan. Again, without a log, the end user cannot be taken seriously.
Sonicwalls have had a nasty habit of warning on 'syn-floods' during certain types of user activity; the most common one seems to be accessing a website that has a cache somewhere in the path. What makes it worse is the threshold isn't settable, unless that has changed in a recent version of firmware.

Sometimes they also report "port scan attempts" when someone traceroutes to a host behind the firewall, since typical traceroute starts sequencing up through a set of ports starting at around 33434.

Phil

--
Philip J. Koenig pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millennium

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
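The two messages above describe the same heuristic from opposite sides: Boni Bruno's "one source opening quick connections to multiple ports" rule, and Phil's observation that a UDP traceroute (destination ports climbing from 33434, one hop at a time) satisfies that rule without being a scan. The following example, added here and not code from Netscreen, SonicWall or anyone in the thread, models a naive distinct-ports-per-window rule over constructed flow records and shows how a defender can recognise the traceroute pattern (consecutive ports from 33434 with a non-decreasing TTL) before raising a port-scan alert. The base port, the three-probes-per-hop default, the window and the threshold are assumptions chosen for the demonstration.

```python
"""Port-scan heuristic with a traceroute exemption (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

TRACEROUTE_BASE_PORT = 33434  # assumption: classic UDP traceroute start port
PROBES_PER_HOP = 3            # assumption: default probe count per TTL


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int
    ttl: int    # IP TTL as seen at the firewall


def max_distinct_targets(pkts, window_s):
    """Naive port-scan rule: the largest number of distinct (dst, dport) pairs
    one source touched inside any window_s-second sliding window."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    best = 0
    for i, start in enumerate(pkts):
        seen = set()
        for p in pkts[i:]:
            if p.ts - start.ts > window_s:
                break
            seen.add((p.dst, p.dport))
        best = max(best, len(seen))
    return best


def looks_like_traceroute(pkts):
    """Classic UDP traceroute signature: probes to a single host, dport climbing
    by exactly one per probe from 33434, TTL starting at 1 and never decreasing."""
    udp = sorted((p for p in pkts if p.proto == "udp"), key=lambda p: p.ts)
    if len(udp) < PROBES_PER_HOP or len({p.dst for p in udp}) != 1:
        return False
    if udp[0].dport != TRACEROUTE_BASE_PORT or udp[0].ttl != 1:
        return False
    for prev, cur in zip(udp, udp[1:]):
        if cur.dport != prev.dport + 1 or cur.ttl < prev.ttl:
            return False
    return True


def classify_sources(packets, window_s=2.0, threshold=10):
    """Return {src: verdict}; verdict is 'port-scan', 'traceroute' or 'ok'.
    The traceroute check only runs once the naive rule would already have fired,
    so it downgrades a would-be false positive rather than widening detection."""
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    verdicts = {}
    for src, pkts in by_src.items():
        if max_distinct_targets(pkts, window_s) < threshold:
            verdicts[src] = "ok"
        elif looks_like_traceroute(pkts):
            verdicts[src] = "traceroute"  # naive rule alone would log a port scan here
        else:
            verdicts[src] = "port-scan"
    return verdicts


def sample_packets():
    """Constructed traffic, not a real capture."""
    pkts = []
    # 1) UDP traceroute from 198.51.100.7 to 192.0.2.10: 4 hops, 3 probes per hop
    for n in range(4 * PROBES_PER_HOP):
        pkts.append(Packet(0.05 * n, "198.51.100.7", "192.0.2.10", "udp",
                           TRACEROUTE_BASE_PORT + n, 1 + n // PROBES_PER_HOP))
    # 2) a genuine TCP sweep of common service ports from 203.0.113.5
    for n, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]):
        pkts.append(Packet(10 + 0.01 * n, "203.0.113.5", "192.0.2.10", "tcp", port, 55))
    # 3) an ordinary browser alternating between the web server's two ports
    for n in range(20):
        pkts.append(Packet(20 + 0.1 * n, "203.0.113.9", "192.0.2.10", "tcp",
                           80 if n % 2 else 443, 120))
    return pkts


if __name__ == "__main__":
    for src, verdict in classify_sources(sample_packets()).items():
        print(f"{src:15} {verdict}")
```

Run as-is it reports the traceroute source as "traceroute", the sweep as "port-scan" and the browser as "ok". The point for tuning a real device is the order of the checks: raising the distinct-port threshold alone would also hide short real scans, whereas recognising the traceroute pattern after the threshold fires keeps the scan sensitivity and only suppresses the one benign case the thread complains about.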