Firewall Port Scan

Posted on 2013-05-31
Last Modified: 2013-08-23
My syslog files are getting larger and looking today I have almost 10,000 entries from one source IP.   The messages are all Possible port scan detected, Probable TCP FIN scan detected, Probably Port scan detected.    The source IP is that is Sprintlink Global.

What do I need to do?    Our firewall is not letting anything thru, but man...are the logs full.   Couple of examples are:

id=firewall sn=0017C550E8EC time="2013-05-31 16:44:41 UTC" fw=
pri=1 c=32 m=177 msg="Probable TCP FIN scan detected" n=124091
src= dst= note="TCP scanned port list,
7285, 8570, 21522, 46435, 4051, 45746, 43456, 54392, 15791, 52654"

id=firewall sn=0017C550E8EC time="2013-05-31 16:44:41 UTC" fw=
pri=1 c=32 m=82 msg="Possible port scan detected" n=305692
src= dst= note="TCP scanned port list,
7285, 8570, 21522, 46435, 4051"
Question by:bankwest

Expert Comment

ID: 39211976
Hi, I am not sure what your company policy is for firewall log retention. However, you may need to develop a clean-up routine for your firewall logs.

Expert Comment

ID: 39211983
I would report it to the ISP.  You can look up where that address is physically located using this site:

Author Comment

ID: 39211988
Artsec...    The log files get archived.  The number I mentioned above is just from this morning.   I should have stated that.

Expert Comment

ID: 39212007
I am dealing with this kind of stuff daily as I am working in a financial institution. Again, you would need to check your policy to respond to this kind of incident. If the logs get archived, then you need to stop the offender's IP address by blocking it on the edge router. This way, the offender's data packets never reach your firewall.

Author Comment

ID: 39212038
Since it is Sprintlink (an ISP), what about other IPs that are issued by that ISP?  If I block Sprintlink, could I potentially block ones that need to get thru?

I am new to all this.


Assisted Solution

pony10us earned 250 total points
ID: 39212047
Actually if you use the site that I provided you would see that address (the actual one in the log) is coming from Akamai in Mass.  I would start by contacting them to report abuse.

I was just looking at their FAQs and came across this:

Our firewall has detected that Akamai-controlled IP addresses are attempting to access our IP address via a number of different ports. This seems to be an attack. What is going on?

The messages you see indicate that users behind your firewall are running the Akamai NetSession Interface. The Akamai NetSession Interface is a download manager client that is used on behalf of an Akamai customer to download software or other digital content. The Akamai NetSession Interface uses both TCP and UDP based protocols to download content and facilitate connectivity through network devices such as proxies, firewalls & NAT (network address translation) devices.

Expert Comment

ID: 39212090
If I am not mistaken, you mentioned "....Our firewall is not letting anything thru....", so why are you worried about blocking the IP address? This particular IP is hitting you and you need to do something. You can do nothing and report the issue to Akamai, who is the IP range owner, for further investigation as pony10us suggested.

Here is the IP whois result:

NetRange: -
NetName:        SPRINTLINK
NetHandle:      NET-205-247-221-0-1
Parent:         NET-205-240-0-0-1
NetType:        Reassigned
RegDate:        2009-11-18
Updated:        2009-11-18

OrgId:          AKAMA-31
Address:        8 CAMBRIDGE CENTER
City:           CAMBRIDGE
StateProv:      MA
PostalCode:     02142
Country:        US
RegDate:        2009-11-13
Updated:        2011-09-24

OrgAbuseHandle: DHA389-ARIN
OrgAbuseName:   Hassler, David
OrgAbusePhone:  +1-617-444-9717

OrgTechHandle: DHA389-ARIN
OrgTechName:   Hassler, David
OrgTechPhone:  +1-617-444-9717

RTechHandle: DHA389-ARIN
RTechName:   Hassler, David
RTechPhone:  +1-617-444-9717


Author Comment

ID: 39212096
I have not contacted them.   The email, for example, for David Hassler is no longer valid.   My worry is that Akamai is an ISP for a lot of companies and if I block them???   I might prevent access to someone we need??

Expert Comment

ID: 39212098
I checked the IP at and it is not listed with any IP blacklist. I have seen some IT security companies using Akamai to host their vulnerability scanners. Are you aware of any VA activities against your firewall or IP range?

Accepted Solution

artsec earned 250 total points
ID: 39212102
You can block the IP address and check with your customer service to see if there is any business impact. Further, you may block the IP address for a short period to stop the offender and then remove the IP block list.

Author Comment

ID: 39216867
Planning to block this and see what happens????    Today I am getting a ton of activity from which is in the range for Sprintlink.   I am going to block the net range.
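
Before blocking a whole net range, as planned in the last comment, it helps to see which sources generate the alerts, whether any of them touched well-known service ports, and how much of the volume a given range would actually cover. The following is an added example, not part of the original thread: it parses entries in the key=value layout quoted in the question, and the addresses (documentation ranges), the src=ip:port:interface value form (IPv4 assumed) and all function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed entries in the key=value layout quoted in the question. Addresses are
# documentation ranges; the src=ip:port:interface value form is an assumption.
_HDR = 'id=firewall sn=000000000000 time="2013-05-31 16:44:41 UTC" fw=192.0.2.1 pri=1 c=32 '
SAMPLE = "\n".join([
    _HDR + 'm=177 msg="Probable TCP FIN scan detected" n=1 src=203.0.113.7:80:X1 '
    'dst=192.0.2.1:7285:X1 note="TCP scanned port list, 7285, 8570, 21522, 46435, 4051, 45746"',
    _HDR + 'm=82 msg="Possible port scan detected" n=2 src=203.0.113.7:80:X1 '
    'dst=192.0.2.1:4051:X1 note="TCP scanned port list, 7285, 8570, 21522, 46435, 4051"',
    _HDR + 'm=82 msg="Possible port scan detected" n=3 src=203.0.113.40:443:X1 '
    'dst=192.0.2.1:50112:X1 note="TCP scanned port list, 50112, 50113, 50114, 50115, 50116"',
    _HDR + 'm=82 msg="Possible port scan detected" n=4 src=198.51.100.9:4444:X1 '
    'dst=192.0.2.1:22:X1 note="TCP scanned port list, 21, 22, 23, 25, 80"',
])

FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')  # value: quoted string or non-space run

def parse_entry(line):
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def summarize(text):
    """Per source IP: entry count, alert messages, ports listed, well-known ports listed."""
    summary = defaultdict(lambda: {"count": 0, "msgs": set(), "ports": set()})
    for line in text.splitlines():
        entry = parse_entry(line)
        ip = entry.get("src", "").split(":")[0]
        if "scan" not in entry.get("msg", "") or not ip:
            continue  # not a scan alert, or the source field is empty
        row = summary[ip]
        row["count"] += 1
        row["msgs"].add(entry["msg"])
        row["ports"].update(int(p) for p in re.findall(r"\d+", entry.get("note", "")))
    for row in summary.values():
        row["low_ports"] = {p for p in row["ports"] if p < 1024}
    return dict(summary)

def block_coverage(summary, cidr):
    """Entries a block on `cidr` would silence, and the alerting sources outside it."""
    net = ipaddress.ip_network(cidr)
    inside = [ip for ip in summary if ipaddress.ip_address(ip) in net]
    outside = sorted(ip for ip in summary if ip not in inside)
    return sum(summary[ip]["count"] for ip in inside), outside

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(report, block_coverage(report, "203.0.113.0/24"))
```

On the constructed sample, a block on 203.0.113.0/24 covers three of the four alerts, while the only source that listed well-known service ports sits outside that range and would keep alerting.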
