Probable TCP FIN Scan Dropped keeps showing up in the firewall log

I keep getting this alert in the firewall log but I know who it is from...

Message                                         From
Probable TCP FIN scan dropped        72.32.49.248, 443, WAN, owa.mailseat.com
The destination is our IP address. 75.145.xx.xx

We just recently switched to Rackspace for our hosted Exchange email, so I am concerned that if the firewall is dropping this, it is somehow affecting the performance of our email. Should I change anything in my firewall to somehow allow this to go through, or should I just ignore it? Our email seems to be working fine, but could it work better if the firewall was not dropping whatever this is?

Thanks
Kevin
ksakerAsked:

2PiFLCommented:
My guess is that your host is making sure the port is open.  I'd give them a call just to be sure.
0
neos2k1Commented:
You should see how regular these scans are; it is possible that someone is trying to scan your host for open ports.
Look into the logs and see if those scans are frequent. I bet every machine on the internet is scanned at least once a day. You can't stop that. But if someone is repeatedly scanning your machine from the same IP address (source) then you may have a problem.
If the source IP is not consistent then it is just a normal scan.
0
ksakerAuthor Commented:
I already talked to them...here's the response I got.

"Good afternoon Kevin,

It is possible that the firewall is dropping the connection after a certain amount of time/connections. I would try the support at SONIC FIREWALL for further assistance.

If you have any questions or concerns, please feel free to update this ticket or call us anytime at 1.800.961.4454."
0

ksakerAuthor Commented:
Each time it shows up in the log, the destination IP is the same but the port number is different. And keep in mind, it is Rackspace (our email provider) that is banging on the firewall. Why would they be looking for more open ports? Everything should be going through standard HTTP. In the Outlook profile, everyone is set up to "Connect to my Exchange mailbox using HTTP"...so again, why would they be scanning all the different ports?
0
neos2k1Commented:
How can you tell it is Rackspace that's trying to scan your network? (The IP address is not enough; it could be a spoofed IP address.)
If that's the case you should contact them and ask for explanations. This is not legitimate traffic.
0
ksakerAuthor Commented:
I'm pretty sure it is Rackspace. The log looks like it's doing a lookup and showing the name for the IP. It also started right when we switched to them. owa.mailseat.com is Rackspace.

From part of the log
72.32.49.248, 443, WAN, owa.mailseat.com

So should I just send them the log file and say why are you doing this?
0
neos2k1Commented:
Drop an email to their technical contact and see what he says.

Registrant:
   Rackspace Managed Hosting
   9725 Datapoint Drive
   #100
   San Antonio, Texas 78229
   United States

   Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
   Domain Name: MAILSEAT.COM
      Created on: 02-May-06
      Expires on: 02-May-08
      Last Updated on: 02-May-06

   Administrative Contact:
      Master, Host  scruz@rackspace.com
      Rackspace Managed Hosting
      9725 Datapoint Drive
      #100
      San Antonio, Texas 78229
      United States
      (210) 447-4173

   Technical Contact:
      Master, Host  scruz@rackspace.com
      Rackspace Managed Hosting
      9725 Datapoint Drive
      #100
      San Antonio, Texas 78229
      United States
      (210) 447-4173

   Domain servers in listed order:
      NS.RACKSPACE.COM
      NS2.RACKSPACE.COM
0
ksakerAuthor Commented:
Well after a lengthy phone conversation with one of the engineers at Rackspace, here's how they wrote the solution summary.

Rackspace said:
2008-02-06 18:17:29 (UTC-5)

Kevin, per our phone conversation, I want to document the response that I got from the Network Security team. According to them the possibilities are:

1. Your Sonicwall firewall has a short timeout set for traffic that originates on your end (NAT using the shared public IP and a random port number). When a response comes back from owa.mailseat.com to the originating random port, occasionally it comes back after Sonicwall expires the connection and incorrectly assumes that the inbound traffic is inbound-originated.

2. The other possibility is Comcast performing TCP reset on the traffic.

In either case, since it happens very infrequently, I would not be concerned with this issue unless your users report connectivity issues and the entries in the logs become much more frequent.

I'm happy with this answer...

0
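Added example, not part of the original thread and not SonicWall or Rackspace code: a log triage sketch that separates the pattern Rackspace describes (late replies from one service port to varying NAT ports, seen infrequently) from the pattern neos2k1 warns about (repeated probing from one source). The CSV layout, the thresholds, the port list, the `classify_sources` name and the addresses other than 72.32.49.248 are assumptions made for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample in an assumed CSV layout (not a real SonicWall export):
# time,message,src_ip,src_port,dst_ip,dst_port. 203.0.113.10 is a placeholder.
SAMPLE_LOG = """\
2008-02-04 09:12:41,Probable TCP FIN scan dropped,72.32.49.248,443,203.0.113.10,51344
2008-02-04 14:03:07,Probable TCP FIN scan dropped,72.32.49.248,443,203.0.113.10,49873
2008-02-05 10:47:55,Probable TCP FIN scan dropped,72.32.49.248,443,203.0.113.10,60211
2008-02-05 11:00:01,Probable TCP FIN scan dropped,198.51.100.7,40112,203.0.113.10,22
2008-02-05 11:00:01,Probable TCP FIN scan dropped,198.51.100.7,40113,203.0.113.10,23
2008-02-05 11:00:02,Probable TCP FIN scan dropped,198.51.100.7,40114,203.0.113.10,25
2008-02-05 11:00:02,Probable TCP FIN scan dropped,198.51.100.7,40115,203.0.113.10,80
"""

SERVICE_PORTS = {25, 80, 443, 993, 995}  # ports a server replies from (assumed list)
NAT_PORT_FLOOR = 1024                    # outbound NAT picks source ports above this
MAX_PER_HOUR = 5                         # assumed ceiling for "very infrequent"

def classify_sources(log_text):
    """Return {src_ip: 'late-reply' | 'investigate'} for FIN-scan drop entries."""
    by_src = defaultdict(list)
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 6 or "FIN scan" not in row[1]:
            continue
        ts = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        by_src[row[2]].append((ts, int(row[3]), int(row[5])))
    verdicts = {}
    for src, events in by_src.items():
        times = [e[0] for e in events]
        sports = {e[1] for e in events}
        dports = {e[2] for e in events}
        hours = max((max(times) - min(times)).total_seconds() / 3600, 1.0)
        rate = len(events) / hours
        # A reply to an expired NAT entry keeps the server's port as its source
        # and lands on high, varying destination ports on the firewall's WAN IP.
        reply_like = (len(sports) == 1 and sports <= SERVICE_PORTS
                      and min(dports) >= NAT_PORT_FLOOR)
        verdicts[src] = "late-reply" if reply_like and rate <= MAX_PER_HOUR else "investigate"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

A "late-reply" verdict only says the entries are consistent with expired connection state; a rising rate or destination ports below 1024 moves the same source to "investigate".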
