Port scans on Sonicwall Firewall

alank2 asked
Last Modified: 2013-11-16
We have several Sonicwalls and recently upgraded them to the latest firmware. Soon after, the units began receiving a flood of port scans. We discussed this with Sonicwall, thinking there was a firmware problem; however, they state there are no other customers with this problem and it may be a coincidence that the port scans occurred around the time of the upgrade.

The situation is that there are many scans on a wide range of ports. Some of the IPs are legitimate web sites, some we cannot trace. I don't know all the applications running here and cannot determine what ports need to be open. I already know about the common ports and what they are used for, and also know about the port lists available on the web.

Does anyone have any ideas on what to do about this situation? I was considering creating a rule to block port ranges and go from there.

Thanks

First of all, make sure that the port scans really exist by installing some free firewall or ZoneAlarm in a trial period or so. If that firewall also alerts you about scans, then you can be sure there's no doubt about port scans.

After you are sure those scans are for real, try to create a list of IPs from which you are being scanned, and post them here.

If you are using a Sonicwall firewall then it's almost certainly blocking the port scans for you.

However, you are correct to check them out. Most firewalls get regular port scans from ranges of IP addresses; all mine get between 10 and 100 an hour.

You do not mention the Sonicwall firmware version; however, there have been several 'issues' with misdetection on Sonicwalls in the past, including mis-alerting on scans and smurf attacks. Recently, however, there have been fewer.

You could place an 'insecure' computer on the public side of the Sonicwall and run a packet sniffer like Ethereal. This will allow you to look at the packet headers to prove the source.

Blocking port ranges is fine, but where do you stop... it's a path I have been down and would not recommend.

If you want to know if the scans are successful, try www.grc.com and run Shields Up.

I also use a Sonicwall. I noticed that most of my reported port scans were from websites that I have blocked with the content filter, and looking at the log by time, a port scan would come right after a user had that website blocked. If that is the case, these are not true port scans, but the website was contacted and is trying to finish communicating with the user; since the Sonicwall blocked the website, the Sonicwall sees the action as a port scan.

It really sounds like a fault in the firmware....

It only happens after an update?
It only happens on blocked sites?
Only after a block?

Try blocking an OK site that you know works now. If it says it's scanning, report it to Sonicwall.

You can unblock it as soon as it checks out.

Tony
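
The check suggested in the replies above (does a reported port scan come right after a content filter block of the same site?) can be run over an exported log. This is an added example, not part of the original thread: the log layout, the event names, the 30-second window and the premise that the block entry records the website's IP are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "time | event | remote IP" layout.
# This is NOT the Sonicwall log format; adapt parse_line() to the real export.
SAMPLE_LOG = """\
2013-11-01 09:14:02 | website blocked | 203.0.113.10
2013-11-01 09:14:05 | port scan | 203.0.113.10
2013-11-01 09:20:41 | port scan | 198.51.100.7
2013-11-01 10:02:30 | website blocked | 203.0.113.25
2013-11-01 10:09:59 | port scan | 203.0.113.25
2013-11-01 10:15:00 | port scan | 192.0.2.44
2013-11-01 10:15:20 | website blocked | 192.0.2.44
"""

# Assumed window: how long after a block a late reply from the site is plausible.
WINDOW = timedelta(seconds=30)


def parse_line(line):
    """Return (timestamp, event, remote_ip) for one simplified log line."""
    ts, event, ip = (field.strip() for field in line.split("|"))
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, ip


def classify_scans(log_text, window=WINDOW):
    """Split port-scan alerts into those that closely follow a content-filter
    block of the same remote IP and those that have no such explanation."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    last_block = {}  # remote IP -> time of its most recent content-filter block
    after_block, unexplained = [], []
    for ts, event, ip in events:
        if event == "website blocked":
            last_block[ip] = ts
        elif event == "port scan":
            blocked_at = last_block.get(ip)
            # Only a scan shortly AFTER a block counts; a scan before the
            # block, or long after it, still needs a separate look.
            if blocked_at is not None and ts - blocked_at <= window:
                after_block.append((ts, ip))
            else:
                unexplained.append((ts, ip))
    return after_block, unexplained


if __name__ == "__main__":
    follows_block, needs_review = classify_scans(SAMPLE_LOG)
    print("Alerts right after a content-filter block:", follows_block)
    print("Alerts with no preceding block (review these):", needs_review)
```

The alerts in the second list are the ones worth checking with a packet capture on the public side, as suggested earlier in the thread.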