Firewall Wizards mailing list archives
Erroneous FIN scans
From: "Nathan" <nathan.grandbois () cerdant com>
Date: Fri, 28 Feb 2003 14:40:15 -0500
My Sonicwall Pro200 firewall is logging these entries as FIN scans, however I do not believe this to be the case. The source addresses on these entries are all owned by AOL, so I do believe that this is a streaming media connection because these are "spinner" sites. The destination address is that of the firewall (obviously changed for obvious reasons).

Here is an excerpt from Sonicwall's tech support:

"It is possible that someone is scanning your IP address(es) with FIN packets looking for holes. The SonicWall is blocking these scans from getting to your servers. It is highly recommended that you contact your ISP to see if they can help you determine if this is indeed happening and hopefully put a stop to it. Also, there is a known issue that can cause the SonicWall to erroneously log FIN scans. Basically if multiple FIN packets are sent over a connection between a client and server the SonicWall might log a FIN scan. We're currently working on making the SonicWall less sensitive to this so as not to log false positives."

02/25/2003 10:57:35.304 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 10:59:35.288 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 11:00:58.720 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 45844, WAN - -
02/25/2003 11:02:52.496 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47694, WAN - -
02/25/2003 11:03:35.304 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 11:04:58.720 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 45844, WAN - -
02/25/2003 11:27:58.336 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54296, WAN - -
02/25/2003 11:29:18.816 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 55334, WAN - -
02/25/2003 11:33:40.832 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 56792, WAN - -
02/25/2003 11:34:52.048 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54786, WAN - -
02/25/2003 11:36:52.048 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54786, WAN - -

My question is: during a QuickTime session, why would multiple FIN packets be sent back to the firewall? Is it due to the fact that the QuickTime player may still be connected to the site and has finished the transfer of data, the data is sitting in the buffer, but since the movie/song isn't done playing the player tries to keep the connection open, but the source site thinks it is done so it keeps sending FIN packets?

Nathan Grandbois
Cerdant, Inc.
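
A triage sketch for the log excerpt above, added here as an example and not part of the original message or of SonicWall's detection logic. It groups the alerts by source endpoint and separates the pattern seen in the excerpt (fixed source port 554, the RTSP port, sending to high client-side ports, with the same 4-tuple repeating) from alerts that sweep several low ports. The `classify` heuristic and the 192.0.2.10 lines are assumptions constructed for contrast.

```python
import re
from collections import Counter, defaultdict

# Field layout of the "Probable TCP FIN scan" lines quoted in the post.
LINE = re.compile(
    r"Probable TCP FIN scan - Source:(?P<src>[\d.]+), (?P<sport>\d+), \w+"
    r" - Destination:(?P<dst>[\w.]+), (?P<dport>\d+), \w+")

def summarize(log_text):
    """Map (source address, source port) -> Counter of destination ports."""
    by_source = defaultdict(Counter)
    for m in LINE.finditer(log_text):
        by_source[(m["src"], int(m["sport"]))][int(m["dport"])] += 1
    return dict(by_source)

def classify(sport, dports):
    """Triage heuristic assumed for this example, not SonicWall's logic."""
    from_service_port = sport < 1024                   # e.g. 554 (RTSP)
    to_client_ports = all(p >= 1024 for p in dports)   # ephemeral range
    if from_service_port and to_client_ports:
        return "likely session teardown"
    return "possible scan"

def report(log_text):
    """Return (source, verdict, repeated 4-tuples) rows, sorted by source."""
    rows = []
    for (src, sport), dports in sorted(summarize(log_text).items()):
        repeats = sum(1 for n in dports.values() if n > 1)
        rows.append((f"{src}:{sport}", classify(sport, dports), repeats))
    return rows

# First four lines are from the post; the 192.0.2.10 lines are constructed.
SAMPLE = """\
02/25/2003 10:57:35.304 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 10:59:35.288 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 11:00:58.720 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 45844, WAN - -
02/25/2003 11:27:58.336 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54296, WAN - -
03/01/2003 09:00:00.000 - Probable TCP FIN scan - Source:192.0.2.10, 40000, WAN - Destination:65.x.x.x, 21, WAN - -
03/01/2003 09:00:00.100 - Probable TCP FIN scan - Source:192.0.2.10, 40000, WAN - Destination:65.x.x.x, 22, WAN - -
03/01/2003 09:00:00.200 - Probable TCP FIN scan - Source:192.0.2.10, 40000, WAN - Destination:65.x.x.x, 23, WAN - -
"""

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row, sep="  ")
```

A repeat count above zero means the same source and destination port pair was logged more than once, which fits FINs resent on one connection rather than a sweep across ports.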