Valid web surfing logged as port scans

Posted on 2003-03-06
Medium Priority
Last Modified: 2010-04-09
I'm running a Zywall 10 to connect a small LAN to the internet.  Often while users are accessing web pages, the firewall thinks we're being port scanned:

109|Mar  5 03 |From:    To:   |attack          |block  
   | 18:44:18 |TCP     src port:03360 dest port:00080  |ports scan      |      
110|Mar  5 03 |From:    To:   |attack          |block  
   | 18:44:18 |TCP     src port:03361 dest port:00080  |ports scan      |      
111|Mar  5 03 |From:    To:   |attack          |block  
   | 18:44:18 |TCP     src port:03362 dest port:00080  |ports scan      |      
112|Mar  5 03 |From:    To:   |attack          |block  
   | 18:44:18 |TCP     src port:03363 dest port:00080  |ports scan      |      

The configuration is to block all incoming traffic by default and to allow all outgoing traffic.  Any ideas as to 1) why our machines are attempting to connect on numerous sequential ports, and 2) how can I tell the firewall to ignore this valid activity without letting actual port scans leak through?
Question by:mcgurj
Accepted Solution

lrmoore earned 200 total points
ID: 8084058
Are users not able to browse at all, or is this just some packets and some sites?
If a user starts downloading a page with multiple graphics, for example, each graphic starts a new request/connection. That's why the source ports appear sequential. If the user hits the stop button or changes pages before all the links download, some of them could be already sent by the server, but the client has broken the request connection, so the firewall believes they are an attack, and because of the sequential port numbering, it fits an attack signature.
My best guess, anyway...
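To make lrmoore's point concrete, here is an added example (not from the original thread) that parses the two-line Zywall entry layout shown in the question and applies a simple heuristic: consecutive ephemeral source ports all aimed at one destination port is what a browser fetching a page's many objects looks like, whereas one source port sweeping many destination ports is the shape of a real scan. The addresses and the contrasting scan entries are constructed (documentation ranges), since the original log lines have the From/To fields blank.

```python
import re
from collections import defaultdict

# Constructed sample in the Zywall 10 two-line layout: three browser entries
# (sequential src ports, all dest port 80) and two constructed scan entries
# (one src port, different dest ports). Addresses are documentation ranges.
SAMPLE_LOG = """\
109|Mar  5 03 |From: 192.0.2.10 To: 198.51.100.5 |attack          |block
   | 18:44:18 |TCP     src port:03360 dest port:00080  |ports scan      |
110|Mar  5 03 |From: 192.0.2.10 To: 198.51.100.5 |attack          |block
   | 18:44:18 |TCP     src port:03361 dest port:00080  |ports scan      |
111|Mar  5 03 |From: 192.0.2.10 To: 198.51.100.5 |attack          |block
   | 18:44:18 |TCP     src port:03362 dest port:00080  |ports scan      |
200|Mar  5 03 |From: 203.0.113.7 To: 192.0.2.10 |attack          |block
   | 19:02:01 |TCP     src port:40000 dest port:00021  |ports scan      |
201|Mar  5 03 |From: 203.0.113.7 To: 192.0.2.10 |attack          |block
   | 19:02:01 |TCP     src port:40000 dest port:00022  |ports scan      |
"""

HEADER = re.compile(r"^\s*(\d+)\|(.+?)\|From:\s*(\S*)\s+To:\s*(\S*)\s*\|")
DETAIL = re.compile(r"^\s*\|\s*([\d:]+)\s*\|(\w+)\s+src port:(\d+)\s+dest port:(\d+)")

def parse_log(text):
    """Pair each header line with its detail line; return one dict per event."""
    events = []
    lines = [l for l in text.splitlines() if l.strip()]
    for head, detail in zip(lines[0::2], lines[1::2]):
        h, d = HEADER.match(head), DETAIL.match(detail)
        if not (h and d):
            continue  # skip anything that does not fit the two-line layout
        events.append({"id": int(h.group(1)), "src": h.group(3), "dst": h.group(4),
                       "time": d.group(1), "proto": d.group(2),
                       "sport": int(d.group(3)), "dport": int(d.group(4))})
    return events

def classify(events):
    """Per (src, dst) pair: many dest ports from a single src port looks like a
    scan; consecutive ephemeral src ports to a single dest port is a browser
    opening one connection per page object, as described in the answer."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"])].append(e)
    verdicts = {}
    for pair, evs in groups.items():
        sports = sorted({e["sport"] for e in evs})
        dports = {e["dport"] for e in evs}
        sequential = all(b - a == 1 for a, b in zip(sports, sports[1:]))
        if len(dports) > 1 and len(sports) == 1:
            verdicts[pair] = "port scan"
        elif len(dports) == 1 and sequential and min(sports) >= 1024:
            verdicts[pair] = "likely web browsing"
        else:
            verdicts[pair] = "undetermined"
    return verdicts
```

Running `classify(parse_log(SAMPLE_LOG))` labels the 192.0.2.10 to 198.51.100.5 group as browsing and the 203.0.113.7 group as a scan; a firewall rule that only flags the second shape would avoid the false alarms without ignoring real scans.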

Expert Comment

ID: 8086821
I don't know anything specific about Zywall, but what lrmoore has said is correct; the sequential local ports are a normal occurrence.

As for how to put an end to the problem, does Zywall support any "state matching" features, or can you specify TCP flags to check?  It should have some way of realizing that these are not incoming connection attempts but rather replies to outbound connections.
Expert Comment

ID: 8088862
Not sure why the problem occurs. You may contact the manufacturer and check if there is any product specific explanation.

Author Comment

ID: 8089315
Yep, after more analysis I see that this occurs only on media-rich web pages.  The firewall is set by default to block port scans coming in and going out, and it simply assumes that this is a port scan.  For now, I was able to turn off the blocking of all DoS attacks originating from the LAN side.  This fixed it, but am I exposing myself to unnecessary risk?

Expert Comment

ID: 8090704
Well, I'm not sure what that product's marketing may say ;) but the "blocking DoS attacks" feature probably doesn't do much of anything useful anyway.

If this is originating on the LAN side, most likely any user would be able to usurp your resources with or without that feature.  And if that happens, it should be easy enough for you to track him down and use your baseball bat. ;)

Of course alerting is nice to have, but not really essential on your LAN if it's going to cause you false alarms.  If you could narrow down the scope of the trigger, then it may be usable.
