Solved

Firewall Port Scan

Posted on 2013-05-31
11
937 Views
Last Modified: 2013-08-23
My syslog files are getting larger and looking today I have almost 10,000 entries from one source IP.   The messages are all Possible port scan detected, Probable TCP FIN scan detected, Probably Port scan detected.    The source IP is 205.247.221.121 that is Sprintlink Global.

What do I need to do?    Our firewall is not letting anything thru, but man...are the logs full.   Couple of examples are:

id=firewall sn=0017C550E8EC time="2013-05-31 16:44:41 UTC" fw=65.161.79.114
pri=1 c=32 m=177 msg="Probable TCP FIN scan detected" n=124091
src=205.247.221.50:80:X1 dst=65.161.79.114:52654:X1 note="TCP scanned port list,
7285, 8570, 21522, 46435, 4051, 45746, 43456, 54392, 15791, 52654"

id=firewall sn=0017C550E8EC time="2013-05-31 16:44:41 UTC" fw=65.161.79.114
pri=1 c=32 m=82 msg="Possible port scan detected" n=305692
src=205.247.221.50:80:X1 dst=65.161.79.114:45746:X1 note="TCP scanned port list,
7285, 8570, 21522, 46435, 4051"
0
Comment
Question by:bankwest
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
11 Comments
 
LVL 4

Expert Comment

by:artsec
ID: 39211976
Hi, I am not sure what is your company policy for firewall logs retention. However, you may need to develop clean up routine for your firewall logs.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39211983
I would report it to the ISP.  You can lookup where that address is physically located using this site:  http://www.iplocation.net/index.php
0
 

Author Comment

by:bankwest
ID: 39211988
Artsec...    The log files get archived.  The number I mentioned above is just from this morning.   I should have stated that.
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 4

Expert Comment

by:artsec
ID: 39212007
I am dealing with this kind of stuff daily as I am working in a financial institution. Again, you would need to check your policy to response to this kind of incidents. If the logs got archive then you need to stop the offender IP address by blocking it on edge router. In this way, the offender data packets never reach to your firewall.
0
 

Author Comment

by:bankwest
ID: 39212038
Since it is Sprinklink (an ISP) what about other IP's that are issued by that ISP?  If I block Sprintlink, could I potentially block ones that need to get thru?

I am new to all this.
0
 
LVL 26

Assisted Solution

by:pony10us
pony10us earned 250 total points
ID: 39212047
Actually if you use the site that I provided you would see that address (the actual one in the log) is coming from Akamai in Mass.  I would start by contacting them to report abuse.

I was just looking at their FAQ's and came across this:


Our firewall has detected that Akamai-controlled IP addresses are attempting to access our IP address via a number of different ports. This seems to be an attack. What is going on?




The messages you see indicate that users behind your firewall are running the Akamai NetSession Interface. The Akamai NetSession Interface is a download manager client that is used on behalf of an Akamai customer to download software or other digital content. The Akamai NetSession Interface uses both TCP and UDP based protocols to download content and facilitate connectivity through network devices such as proxies, firewalls & NAT (network address translation) devices.


http://www.akamai.com/html/support/faq.html
0
 
LVL 4

Expert Comment

by:artsec
ID: 39212090
If I am not mistaken you mentioned "....Our firewall is not letting anything thru...." then why are you worry to block the IP Address? This particular IP is hitting you and you need to do something. You can do nothing and report the issue to Akamai who is the IP Range owner for further investigation as pony10us suggested.

Here is the IP whois result:


NetRange:       205.247.221.0 - 205.247.221.255
CIDR:           205.247.221.0/24
OriginAS:      
NetName:        SPRINTLINK
NetHandle:      NET-205-247-221-0-1
Parent:         NET-205-240-0-0-1
NetType:        Reassigned
RegDate:        2009-11-18
Updated:        2009-11-18
Ref:            http://whois.arin.net/rest/net/NET-205-247-221-0-1

OrgName:        AKAMAI TECHNOLOGIES, INC
OrgId:          AKAMA-31
Address:        8 CAMBRIDGE CENTER
City:           CAMBRIDGE
StateProv:      MA
PostalCode:     02142
Country:        US
RegDate:        2009-11-13
Updated:        2011-09-24
Ref:            http://whois.arin.net/rest/org/AKAMA-31

OrgAbuseHandle: DHA389-ARIN
OrgAbuseName:   Hassler, David
OrgAbusePhone:  +1-617-444-9717
OrgAbuseEmail:  dhasslers@akamai.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/DHA389-ARIN

OrgTechHandle: DHA389-ARIN
OrgTechName:   Hassler, David
OrgTechPhone:  +1-617-444-9717
OrgTechEmail:  dhasslers@akamai.com
OrgTechRef:    http://whois.arin.net/rest/poc/DHA389-ARIN

RTechHandle: DHA389-ARIN
RTechName:   Hassler, David
RTechPhone:  +1-617-444-9717
RTechEmail:  dhasslers@akamai.com
RTechRef:    http://whois.arin.net/rest/poc/DHA389-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
0
 

Author Comment

by:bankwest
ID: 39212096
I have not contacted them.   The email for example for David Hassler is not longer valid.   My worry is that Akamai is an ISP for alot of companies and if I block them???   I might prevent access to someone we need??
0
 
LVL 4

Expert Comment

by:artsec
ID: 39212098
I checked the IP at http://ip-threat.com and it is not listed with any IP Black list. I have seen some IT security companies using Akamai to host their Vulnerability Scanners. Are you aware of any VA activities against your firewall or IP range?
0
 
LVL 4

Accepted Solution

by:
artsec earned 250 total points
ID: 39212102
You can block the IP address and check with your customer service to see if there is any business impact. Further, you may block the IP Address for short period to stop the offender and then remove the IP block list.
0
 

Author Comment

by:bankwest
ID: 39216867
Planning to block this and see what happens????    Today I am getting a ton of activity from 205.247.221.50 which is in the range for Sprintlink.   I am going to block the net range.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question