Can an intruder penetrate my firewall?
Posted on 2008-10-28
Our firewall has several log entries similar to this::
Possible port scan dropped
Source:220.127.116.11, 80, WAN
Destination:18.104.22.168, 40204, WAN
TCP scanned port list: 40176, 40176, 40176, 40176, 40176
The IT manager at that office has interpreted these to mean the following:
" In the log you can see the same connection type being dropped with the same external IP but different port numbers... when you see this multiple times within a very quick time span and the only thing that changes is the port number (in sequence) then you know someone is trying to scan your ports and attack you.
When you see internal IPs that are not from your subnet, they can only be external. If this is happening, it is most likely IP spoofing which is when someone floods a legitimate IP with so much data that it crashes and at the same time they impersonate your IP and the server doesn't know the difference. At this point, they can do pretty much anything because you were most probably already logged on. What ever privileges the user "had" are now the impersonators."
Is his assessment correct? Does this mean a hacker is trying to get in? Will the firewall stop them? If not, how do we protect ourselves?