Solved

Probable TCP FIN Scan Dropped keeps showing up in the firewall log

Posted on 2008-01-31
Last Modified: 2012-08-13
I keep getting this alert in the firewall log but I know who it is from...

Message                                         From
Probable TCP FIN scan dropped        72.32.49.248, 443, WAN, owa.mailseat.com
The destination is our IP address. 75.145.xx.xx

We just recently switched to Rackspace for our hosted Exchange email so I am concerned that if the firewall is dropping this that it is somehow affecting the performance of our email. Should I change anything in my firewall to somehow allow this to go through or should I just ignore it? Our email seems to be working fine but could it work better if the firewall was not dropping whatever this is????

Thanks
Kevin
Question by:ksaker
8 Comments
 
LVL 16

Expert Comment

by:2PiFL
ID: 20786349
My guess is that your host is making sure the port is open.  I'd give them a call just to be sure.
0
 
LVL 1

Expert Comment

by:neos2k1
ID: 20786408
You should see how regular these scans are; it is possible that someone is trying to scan your host for open ports.
 Look into the logs and see if those scans are frequent. I bet every machine on the internet is scanned at least once a day. You can't stop that. But if someone is repeatedly scanning your machine from the same IP address (source) then you may have a problem.
 If the source IP is not consistent then it is just a normal scan.
0
 

Author Comment

by:ksaker
ID: 20786427
I already talked to them...here's the response I got.

"Good afternoon Kevin,

It is possible that the firewall is dropping the connection after a certain amount of time/connections. I would try the support at SONIC FIREWALL for further assistance.

If you have any questions or concerns, please feel free to update this ticket or call us anytime at 1.800.961.4454."
0

 

Author Comment

by:ksaker
ID: 20786489
Each time it shows up in the log, the destination IP is the same but the port number is different. And keep in mind, it is Rackspace (our email provider) that is banging on the firewall. Why would they be looking for more open ports? Everything should be going through standard http. In the Outlook profile, everyone is set up to "Connect to my Exchange mailbox using HTTP"...so again, why would they be scanning all the different ports?
0
 
LVL 1

Expert Comment

by:neos2k1
ID: 20788590
How can you tell it is Rackspace that is trying to scan your network? (The IP address is not enough; it could be a spoofed IP address.)
If that's the case you should contact them and ask for an explanation. This is not legitimate traffic.
0
 

Author Comment

by:ksaker
ID: 20788713
I'm pretty sure it is Rackspace. The log looks like it's doing a lookup and showing the name for the IP. It also started right when we switched to them. owa.mailseat.com is Rackspace.

From part of the log
72.32.49.248, 443, WAN, owa.mailseat.com

So should I just send them the log file and say why are you doing this?
0
 
LVL 1

Expert Comment

by:neos2k1
ID: 20795236
Drop an email to their technical contact and see what he says.

Registrant:
   Rackspace Managed Hosting
   9725 Datapoint Drive
   #100
   San Antonio, Texas 78229
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: MAILSEAT.COM
      Created on: 02-May-06
      Expires on: 02-May-08
      Last Updated on: 02-May-06

   Administrative Contact:
      Master, Host  scruz@rackspace.com
      Rackspace Managed Hosting
      9725 Datapoint Drive
      #100
      San Antonio, Texas 78229
      United States
      (210) 447-4173

   Technical Contact:
      Master, Host  scruz@rackspace.com
      Rackspace Managed Hosting
      9725 Datapoint Drive
      #100
      San Antonio, Texas 78229
      United States
      (210) 447-4173

   Domain servers in listed order:
      NS.RACKSPACE.COM
      NS2.RACKSPACE.COM
0
 

Accepted Solution

by:
ksaker earned 0 total points
ID: 20839678
Well after a lengthy phone conversation with one of the engineers at Rackspace, here's how they wrote the solution summary.

Rackspace said:
2008-02-06 18:17:29 (UTC-5)

Kevin, per our phone conversation, I want to document the response that I got from the Network Security team. According to them the possibilities are:

1. Your Sonicwall firewall has a short timeout set for traffic that originates on your end (NAT using the shared public IP and a random port number). When a response comes back from owa.mailseat.com to the originating random port, occasionally it comes back after Sonicwall expires the connection and incorrectly assumes that the inbound traffic is inbound-originated.

2. The other possibility is Comcast performing TCP reset on the traffic.

In either case, since it happens very infrequently, I would not be concerned with this issue unless your users report connectivity issues and the entries in the logs become much more frequent.

I'm happy with this answer...

0
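One way to test the explanations in this thread against a log, as an added example that is not part of the original posts: it counts dropped FINs per source and separates those that answer a flow opened from the inside (the expired-NAT-state case in the accepted solution) from those with no matching outbound flow (the repeated-scan case raised earlier). The record layout, the event names `conn_open` and `fin_drop`, the addresses 203.0.113.10 and 198.51.100.77, the one-hour window and the threshold are all constructed assumptions, not SonicWall output or settings.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample records (not real SonicWall output):
# time,event,src_ip,src_port,dst_ip,dst_port
SAMPLE_LOG = """\
2008-01-31 09:00:05,conn_open,203.0.113.10,51514,72.32.49.248,443
2008-01-31 09:20:41,fin_drop,72.32.49.248,443,203.0.113.10,51514
2008-01-31 11:02:10,conn_open,203.0.113.10,52877,72.32.49.248,443
2008-01-31 11:30:02,fin_drop,72.32.49.248,443,203.0.113.10,52877
2008-01-31 12:00:00,fin_drop,198.51.100.77,40000,203.0.113.10,22
2008-01-31 12:00:01,fin_drop,198.51.100.77,40000,203.0.113.10,23
2008-01-31 12:00:01,fin_drop,198.51.100.77,40000,203.0.113.10,25
"""

def triage(log_text, window=timedelta(hours=1)):
    """Count dropped FINs per source, split by whether we opened that flow first."""
    opened = {}  # (local_port, remote_ip, remote_port) -> time we opened the flow
    counts = defaultdict(lambda: {"late_reply": 0, "unsolicited": 0})
    for row in csv.reader(StringIO(log_text)):
        if not row:
            continue
        ts, event, src, sport, dst, dport = row
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event == "conn_open":      # outbound: src is our NAT address
            opened[(sport, dst, dport)] = when
        elif event == "fin_drop":     # inbound: dst is our NAT address
            start = opened.get((dport, src, sport))
            late = start is not None and timedelta(0) <= when - start <= window
            counts[src]["late_reply" if late else "unsolicited"] += 1
    return dict(counts)

def verdict(c, scan_threshold=3):
    """Hypothetical rule of thumb; tune the threshold to your own traffic."""
    if c["unsolicited"] >= scan_threshold:
        return "possible scan"
    if c["unsolicited"] == 0 and c["late_reply"] > 0:
        return "stale NAT state"
    return "inconclusive"

if __name__ == "__main__":
    for source, c in triage(SAMPLE_LOG).items():
        print(source, c, verdict(c))
```

A source whose drops all pair with earlier outbound flows to its port 443 points at the firewall's connection timeout rather than at the remote host.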

Question has a verified solution.
