

Valid web surfing logged as port scans

Posted on 2003-03-06
Medium Priority
Last Modified: 2010-04-09
I'm running a Zywall 10 to connect a small LAN to the internet.  Often while users are accessing web pages, the firewall thinks we're being port scanned:

109|Mar  5 03 |From:    To:   |attack          |block  
   | 18:44:18 |TCP     src port:03360 dest port:00080  |ports scan      |      
110|Mar  5 03 |From:    To:   |attack          |block  
   | 18:44:18 |TCP     src port:03361 dest port:00080  |ports scan      |      
111|Mar  5 03 |From:    To:   |attack          |block  
   | 18:44:18 |TCP     src port:03362 dest port:00080  |ports scan      |      
112|Mar  5 03 |From:    To:   |attack          |block  
   | 18:44:18 |TCP     src port:03363 dest port:00080  |ports scan      |      

The configuration is to block all incoming traffic by default and to allow all outgoing traffic.  Any ideas as to 1) why our machines are attempting to connect on numerous sequential ports, and 2) how can I tell the firewall to ignore this valid activity without letting actual port scans leak through?
Question by: mcgurj

Accepted Solution

lrmoore earned 200 total points
ID: 8084058
Are users not able to browse at all, or is this just some packets and some sites?
If a user starts downloading a page with multiple graphics, for example, each graphic starts a new request/connection. That's why the source ports appear sequential. If the user hits the stop button or changes pages before all the links download, some of them could already have been sent by the server, but the client has broken the request connection, so the firewall believes they are an attack, and because of the sequential port numbering, it fits an attack signature.
My best guess, anyway...

Expert Comment

ID: 8086821
I don't know anything specific about Zywall, but what lrmoore has said is correct; the sequential local ports are a normal occurrence.

As for how to put an end to the problem, does Zywall support any "state matching" features, or can you specify TCP flags to check?  It should have some way of realizing that these are not incoming connection attempts but rather replies to outbound connections.

Expert Comment

ID: 8088862
Not sure why the problem occurs. You may contact the manufacturer and check if there is any product specific explanation.



Author Comment

ID: 8089315
Yep, after more analysis I see that this occurs only on media-rich web pages.  The firewall is set by default to block port scans coming in and going out, and it simply assumes that this is a port scan.  For now, I was able to turn off the blocking of all DoS attacks originating from the LAN side.  This fixed it, but am I exposing myself to unnecessary risk?

Expert Comment

ID: 8090704
Well, I'm not sure what that product's marketing may say ;) but the "blocking DoS attacks" feature probably doesn't do much of anything useful anyway.

If this is originating on the LAN side, most likely any user would be able to usurp your resources with or without that feature.  And if that happens, it should be easy enough for you to track him down and use your baseball bat. ;)

Of course alerting is nice to have, but not really essential on your LAN if it's going to cause you false alarms.  If you could narrow down the scope of the trigger, then it may be usable.
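The distinction the answers draw, as an added example that is not part of the original thread and not Zywall code: a Python script that parses two-line log entries in the layout quoted in the question and decides, per (source, destination) pair, whether the burst is a scan. It keys on the number of distinct destination ports rather than on sequential source ports, because consecutive source ports are exactly what a browser opening one connection per image produces. The first four entries of the constructed sample copy the layout from the question (addresses blank, as in the post); entries 113 to 117, the addresses 10.0.0.7 and 198.51.100.9, and the scan_threshold value are assumptions made up for the example.

```python
"""Tell a web-browsing connection burst apart from a real port scan.

Added example, not Zywall firmware. Parses the two-line log layout
quoted in the question and applies a heuristic that counts distinct
destination ports per (src, dst) pair, which is what a scan looks
like, instead of distinct or sequential source ports, which is what
any client fetching a media-rich page produces.
"""
import re
from collections import defaultdict

# Constructed sample log. Entries 109-112 copy the layout from the question
# (From/To blank, as in the post). Entries 113-117 are made up: one host
# probing five services on another, which is what a scan really looks like.
SAMPLE_LOG = """\
109|Mar  5 03 |From:    To:   |attack          |block
   | 18:44:18 |TCP     src port:03360 dest port:00080  |ports scan      |
110|Mar  5 03 |From:    To:   |attack          |block
   | 18:44:18 |TCP     src port:03361 dest port:00080  |ports scan      |
111|Mar  5 03 |From:    To:   |attack          |block
   | 18:44:18 |TCP     src port:03362 dest port:00080  |ports scan      |
112|Mar  5 03 |From:    To:   |attack          |block
   | 18:44:18 |TCP     src port:03363 dest port:00080  |ports scan      |
113|Mar  5 03 |From: 10.0.0.7 To: 198.51.100.9 |attack          |block
   | 18:45:02 |TCP     src port:01025 dest port:00022  |ports scan      |
114|Mar  5 03 |From: 10.0.0.7 To: 198.51.100.9 |attack          |block
   | 18:45:02 |TCP     src port:01026 dest port:00023  |ports scan      |
115|Mar  5 03 |From: 10.0.0.7 To: 198.51.100.9 |attack          |block
   | 18:45:02 |TCP     src port:01027 dest port:00025  |ports scan      |
116|Mar  5 03 |From: 10.0.0.7 To: 198.51.100.9 |attack          |block
   | 18:45:02 |TCP     src port:01028 dest port:00110  |ports scan      |
117|Mar  5 03 |From: 10.0.0.7 To: 198.51.100.9 |attack          |block
   | 18:45:03 |TCP     src port:01029 dest port:00143  |ports scan      |
"""

# First line of an entry: id | date | From: a To: b | category | action
HEADER_RE = re.compile(
    r"^\s*(\d+)\|([^|]*)\|From:\s*(\S*?)\s*To:\s*(\S*?)\s*\|([^|]*)\|([^|]*)"
)
# Second line of an entry: | time | PROTO src port:N dest port:M | ...
DETAIL_RE = re.compile(
    r"^\s*\|\s*([\d:]+)\s*\|\s*(\w+)\s+src port:(\d+)\s+dest port:(\d+)"
)


def parse_log(text):
    """Return one dict per two-line entry; lines that do not pair up are skipped."""
    lines = text.splitlines()
    entries = []
    i = 0
    while i + 1 < len(lines):
        head = HEADER_RE.match(lines[i])
        detail = DETAIL_RE.match(lines[i + 1])
        if head and detail:
            entries.append({
                "id": int(head.group(1)),
                "src": head.group(3),
                "dst": head.group(4),
                "category": head.group(5).strip(),
                "action": head.group(6).strip(),
                "time": detail.group(1),
                "proto": detail.group(2),
                "sport": int(detail.group(3)),
                "dport": int(detail.group(4)),
            })
            i += 2
        else:
            i += 1
    return entries


def summarize(entries, scan_threshold=4):
    """Group entries by (src, dst) and give each pair a verdict.

    scan_threshold (an assumed value) is the number of distinct destination
    ports above which a pair is called a scan. Sequential source ports are
    reported but deliberately not used for the verdict.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(e["src"], e["dst"])].append(e)
    report = {}
    for key, es in groups.items():
        sports = sorted({e["sport"] for e in es})
        dports = sorted({e["dport"] for e in es})
        sequential = all(b - a == 1 for a, b in zip(sports, sports[1:]))
        if len(dports) >= scan_threshold:
            verdict = "port scan"
        elif len(dports) == 1:
            verdict = "single-service burst"   # normal client behaviour
        else:
            verdict = "undetermined"
        report[key] = {
            "src_ports": sports,
            "dst_ports": dports,
            "sequential_src_ports": sequential,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for pair, info in summarize(parse_log(SAMPLE_LOG)).items():
        print(pair, info)
```

Both pairs come out with sequential source ports, which is why that property is useless as a scan signature; only the pair touching many destination ports is called a scan. A production version would also bound the count to a time window and, behind NAT, key on the translated source address.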
