Firewall Wizards mailing list archives

Erroneous FIN scans


From: "Nathan" <nathan.grandbois () cerdant com>
Date: Fri, 28 Feb 2003 14:40:15 -0500

My SonicWall Pro200 firewall is logging these entries as FIN scans; however,
I do not believe this to be the case. The source addresses on these entries
are all owned by AOL, so I do believe that this is a streaming media
connection because these are "spinner" sites. The destination address is
that of the firewall (obviously changed for obvious reasons). Here is an
excerpt from SonicWall's tech support:

 "It is possible that someone is scanning your IP address(es) with FIN
packets looking for holes. The SonicWall is blocking these scans from
getting to your servers. It is highly recommended that you contact your ISP
to see if they can help you determine if this is indeed happening and
hopefully put a stop to it.
Also, there is a known issue that can cause the SonicWall to erroneously log
FIN scans. Basically if multiple FIN packets are sent over a connection
between a client and server the SonicWall might log a FIN scan. We're
currently working on making the SonicWall less sensitive to this so as not
to log false positives."

02/25/2003 10:57:35.304 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 10:59:35.288 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 11:00:58.720 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 45844, WAN - -
02/25/2003 11:02:52.496 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47694, WAN - -
02/25/2003 11:03:35.304 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 11:04:58.720 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 45844, WAN - -
02/25/2003 11:27:58.336 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54296, WAN - -
02/25/2003 11:29:18.816 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 55334, WAN - -
02/25/2003 11:33:40.832 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 56792, WAN - -
02/25/2003 11:34:52.048 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54786, WAN - -
02/25/2003 11:36:52.048 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54786, WAN - -

My question is: during a QuickTime session, why would multiple FIN packets be
sent back to the firewall? Is it due to the fact that the QuickTime player
may still be connected to the site and has finished the transfer of data,
the data is sitting in the buffer, but since the movie/song isn't done
playing, the player tries to keep the connection open, but the source site
thinks it is done, so it keeps sending FIN packets?

Nathan Grandbois
Cerdant, Inc.
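
A triage sketch for alerts like the ones in this post, added here as an example (not part of the original message and not SonicWall tooling): it groups the entries by source and by connection 4-tuple, since a port scan touches many destination ports while repeated FINs on one connection re-alert on the same tuple. The names `LOG`, `ENTRY` and `summarize` are assumptions of this example, and the regex is inferred only from the excerpt above; port 554 is the registered RTSP port.

```python
import re
from collections import defaultdict
from datetime import datetime

# Alert lines copied from the post above (destination already masked there).
LOG = """\
02/25/2003 10:57:35.304 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 10:59:35.288 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 11:00:58.720 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 45844, WAN - -
02/25/2003 11:02:52.496 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47694, WAN - -
02/25/2003 11:03:35.304 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 47510, WAN - -
02/25/2003 11:04:58.720 - Probable TCP FIN scan - Source:205.188.228.65, 554, WAN - Destination:65.x.x.x, 45844, WAN - -
02/25/2003 11:27:58.336 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54296, WAN - -
02/25/2003 11:29:18.816 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 55334, WAN - -
02/25/2003 11:33:40.832 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 56792, WAN - -
02/25/2003 11:34:52.048 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54786, WAN - -
02/25/2003 11:36:52.048 - Probable TCP FIN scan - Source:205.188.228.1, 554, WAN - Destination:65.x.x.x, 54786, WAN - -
"""

ENTRY = re.compile(
    r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d+) - Probable TCP FIN scan - "
    r"Source:([\d.]+), (\d+), \w+ - Destination:([\w.]+), (\d+),")

def summarize(text):
    """Group FIN-scan alerts per source and per (sport, dst, dport) flow."""
    flows = defaultdict(list)
    # Collapse whitespace first so entries wrapped by a mail client still match.
    for ts, src, sport, dst, dport in ENTRY.findall(" ".join(text.split())):
        when = datetime.strptime(ts, "%m/%d/%Y %H:%M:%S.%f")
        flows[(src, int(sport), dst, int(dport))].append(when)
    report = {}
    for (src, sport, dst, dport), times in flows.items():
        r = report.setdefault(src, {"alerts": 0, "source_ports": set(),
                                    "dest_ports": set(), "repeats": {}})
        r["alerts"] += len(times)
        r["source_ports"].add(sport)
        r["dest_ports"].add(dport)
        if len(times) > 1:
            times.sort()
            # Seconds between successive alerts on the same flow.
            r["repeats"][(sport, dst, dport)] = [
                round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]
    return report

if __name__ == "__main__":
    for src, r in summarize(LOG).items():
        print(src, "alerts:", r["alerts"], "source ports:", sorted(r["source_ports"]),
              "distinct destination ports:", len(r["dest_ports"]))
        for flow, gaps in r["repeats"].items():
            print("  repeated on", flow, "gaps (s):", gaps)
```

On this excerpt every alert comes from source port 554, and several flows re-alert at 120 or 240 second gaps on the same destination port.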