bankwest
asked on
Firewall Port Scan
My syslog files are getting larger and looking today I have almost 10,000 entries from one source IP. The messages are all Possible port scan detected, Probable TCP FIN scan detected, Probably Port scan detected. The source IP is 205.247.221.121 that is Sprintlink Global.
What do I need to do? Our firewall is not letting anything thru, but man...are the logs full. Couple of examples are:
id=firewall sn=0017C550E8EC time="2013-05-31 16:44:41 UTC" fw=65.161.79.114
pri=1 c=32 m=177 msg="Probable TCP FIN scan detected" n=124091
src=205.247.221.50:80:X1 dst=65.161.79.114:52654:X1 note="TCP scanned port list,
7285, 8570, 21522, 46435, 4051, 45746, 43456, 54392, 15791, 52654"
id=firewall sn=0017C550E8EC time="2013-05-31 16:44:41 UTC" fw=65.161.79.114
pri=1 c=32 m=82 msg="Possible port scan detected" n=305692
src=205.247.221.50:80:X1 dst=65.161.79.114:45746:X1 note="TCP scanned port list,
7285, 8570, 21522, 46435, 4051"
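The entries above are SonicWall-style key=value syslog records (one record per line; the copy in this post is wrapped across two lines each). The following is an added example, not code from this thread or from the firewall vendor, that parses such records, aggregates alerts per source address, and applies one triage check worth making before blocking anything: in both posted entries the source port is 80 and every "scanned" port is a high, unprivileged port on the asker's side. That is the shape of a web server's late FIN/RST packets arriving after an inside client has closed its connections, not of a probe against the asker's own services. A scanner can forge its source port, so the check is a hint for triage, not proof. The first two sample records are the posted ones joined back onto one line; the third record and the address 198.51.100.7 are constructed for contrast.

```python
"""Parse SonicWall-style firewall syslog and summarize port-scan alerts per source.
Added example for the thread above; sample data is constructed, see SAMPLE_LOG."""
import re
from collections import defaultdict

# Constructed sample. Records 1 and 2 are the entries posted in the thread,
# joined onto one line each as syslog emits them. Record 3 is made up: a
# fictitious address probing low service ports from a high source port.
SAMPLE_LOG = """\
id=firewall sn=0017C550E8EC time="2013-05-31 16:44:41 UTC" fw=65.161.79.114 pri=1 c=32 m=177 msg="Probable TCP FIN scan detected" n=124091 src=205.247.221.50:80:X1 dst=65.161.79.114:52654:X1 note="TCP scanned port list, 7285, 8570, 21522, 46435, 4051, 45746, 43456, 54392, 15791, 52654"
id=firewall sn=0017C550E8EC time="2013-05-31 16:44:41 UTC" fw=65.161.79.114 pri=1 c=32 m=82 msg="Possible port scan detected" n=305692 src=205.247.221.50:80:X1 dst=65.161.79.114:45746:X1 note="TCP scanned port list, 7285, 8570, 21522, 46435, 4051"
id=firewall sn=0017C550E8EC time="2013-05-31 16:45:02 UTC" fw=65.161.79.114 pri=1 c=32 m=82 msg="Possible port scan detected" n=305693 src=198.51.100.7:41234:X1 dst=65.161.79.114:22:X1 note="TCP scanned port list, 21, 22, 23, 25, 80, 443, 3389"
"""

# key=value pairs; values are either "quoted, may contain spaces" or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def join_wrapped(text):
    """One record per 'id=' line; lines not starting with 'id=' are treated as
    wrapped continuations of the previous record (as in the forum copy)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("id=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_record(line):
    """Turn one record into a dict of field -> value (quotes stripped)."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return fields


def split_endpoint(value):
    """'205.247.221.50:80:X1' -> ('205.247.221.50', 80, 'X1')"""
    ip, port, iface = value.split(":")
    return ip, int(port), iface


def note_ports(note):
    """Ports from a note like 'TCP scanned port list, 7285, 8570, ...'."""
    if "," not in note:
        return set()
    _, _, ports = note.partition(",")
    return {int(p) for p in ports.split(",") if p.strip().isdigit()}


def summarize(text):
    """Aggregate alert records per source IP: count, ports seen, message types."""
    summary = defaultdict(lambda: {"records": 0, "src_ports": set(),
                                   "dst_ports": set(), "msgs": set()})
    for line in join_wrapped(text):
        f = parse_record(line)
        if "src" not in f or "dst" not in f:
            continue  # not a connection-level alert
        src_ip, src_port, _ = split_endpoint(f["src"])
        _, dst_port, _ = split_endpoint(f["dst"])
        s = summary[src_ip]
        s["records"] += 1
        s["src_ports"].add(src_port)
        s["dst_ports"].add(dst_port)
        s["dst_ports"] |= note_ports(f.get("note", ""))
        s["msgs"].add(f.get("msg", ""))
    return dict(summary)


def noisy_sources(summary, threshold=1):
    """Sources with more than `threshold` alert records, busiest first."""
    return sorted((ip for ip, s in summary.items() if s["records"] > threshold),
                  key=lambda ip: -summary[ip]["records"])


def classify(s):
    """Triage hint for one source summary.
    Every packet sourced from a well-known service port (<1024) and aimed only
    at unprivileged ports (>1023) on our side is what a server we connected to
    sends back after the session ends (FIN/RST to our old ephemeral ports).
    A scanner probing our services hits low ports. Source ports can be forged
    (nmap -g 80), so this is a hint, not proof."""
    if all(p < 1024 for p in s["src_ports"]) and all(p > 1023 for p in s["dst_ports"]):
        return "likely late packets from a server we talked to"
    return "possible inbound scan"


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for ip in noisy_sources(totals, threshold=0):
        s = totals[ip]
        print(f"{ip}: {s['records']} records, src ports {sorted(s['src_ports'])}, "
              f"{len(s['dst_ports'])} dst ports -> {classify(s)}")
```

Run over the real syslog archive, the per-source counts tell you which address to act on, and the classification tells you whether the 10,000 entries are a scan or the tail end of outbound web sessions the firewall is mislabelling.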
Hi, I am not sure what your company policy is for firewall log retention. However, you may need to develop a clean-up routine for your firewall logs.
I would report it to the ISP. You can look up where that address is physically located using this site: http://www.iplocation.net/index.php
ASKER
Artsec... The log files get archived. The number I mentioned above is just from this morning. I should have stated that.
I am dealing with this kind of stuff daily as I am working in a financial institution. Again, you would need to check your policy for responding to this kind of incident. If the logs get archived then you need to stop the offending IP address by blocking it on the edge router. In this way, the offender's data packets never reach your firewall.
ASKER
Since it is Sprintlink (an ISP) what about other IPs that are issued by that ISP? If I block Sprintlink, could I potentially block ones that need to get thru?
I am new to all this.
SOLUTION
If I am not mistaken you mentioned "....Our firewall is not letting anything thru...." so why are you worried about blocking the IP address? This particular IP is hitting you and you need to do something. You can do nothing and report the issue to Akamai, who is the IP range owner, for further investigation as pony10us suggested.
Here is the IP whois result:
NetRange: 205.247.221.0 - 205.247.221.255
CIDR: 205.247.221.0/24
OriginAS:
NetName: SPRINTLINK
NetHandle: NET-205-247-221-0-1
Parent: NET-205-240-0-0-1
NetType: Reassigned
RegDate: 2009-11-18
Updated: 2009-11-18
Ref: http://whois.arin.net/rest/net/NET-205-247-221-0-1
OrgName: AKAMAI TECHNOLOGIES, INC
OrgId: AKAMA-31
Address: 8 CAMBRIDGE CENTER
City: CAMBRIDGE
StateProv: MA
PostalCode: 02142
Country: US
RegDate: 2009-11-13
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/AKAMA-31
OrgAbuseHandle: DHA389-ARIN
OrgAbuseName: Hassler, David
OrgAbusePhone: +1-617-444-9717
OrgAbuseEmail: dhasslers@akamai.com
OrgAbuseRef: http://whois.arin.net/rest/poc/DHA389-ARIN
OrgTechHandle: DHA389-ARIN
OrgTechName: Hassler, David
OrgTechPhone: +1-617-444-9717
OrgTechEmail: dhasslers@akamai.com
OrgTechRef: http://whois.arin.net/rest/poc/DHA389-ARIN
RTechHandle: DHA389-ARIN
RTechName: Hassler, David
RTechPhone: +1-617-444-9717
RTechEmail: dhasslers@akamai.com
RTechRef: http://whois.arin.net/rest/poc/DHA389-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
ASKER
I have not contacted them. The email for example for David Hassler is no longer valid. My worry is that Akamai is an ISP for a lot of companies and if I block them??? I might prevent access to someone we need??
I checked the IP at http://ip-threat.com and it is not listed on any IP blacklist. I have seen some IT security companies using Akamai to host their vulnerability scanners. Are you aware of any VA activities against your firewall or IP range?
ASKER CERTIFIED SOLUTION
ASKER
Planning to block this and see what happens???? Today I am getting a ton of activity from 205.247.221.50 which is in the range for Sprintlink. I am going to block the net range.
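On blocking the whole whois range: the ARIN record above shows the /24 reassigned to Akamai, a CDN that fronts many websites, which is the basis of the collateral-damage concern raised earlier in the thread. The following is an added example, not code from this thread, that computes the tightest single prefix covering the two offending sources named in the thread (.121 and .50) and reports which addresses from an allowlist of hosts you rely on would be caught by that prefix versus by the entire /24. The allowlist addresses are constructed and hypothetical; substitute the hosts your own business actually needs to reach.

```python
"""Compare a tight block against the whois-sized block for collateral damage.
Added example for the thread above; the NEEDED allowlist is constructed."""
import ipaddress

WHOIS_RANGE = ipaddress.ip_network("205.247.221.0/24")   # from the ARIN record posted above
OFFENDERS = ["205.247.221.121", "205.247.221.50"]          # the two sources named in the thread

# Constructed allowlist: hypothetical addresses the business must keep reaching.
NEEDED = ["205.247.221.200", "65.161.79.114", "198.51.100.7"]


def covering_prefix(addresses):
    """Smallest single IPv4 CIDR containing every address (longest common prefix)."""
    ints = [int(ipaddress.ip_address(a)) for a in addresses]
    lo, hi = min(ints), max(ints)
    prefix = 32
    # shorten the prefix until lo and hi agree on all prefix bits
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    network_int = (lo >> (32 - prefix)) << (32 - prefix)  # clear host bits
    return ipaddress.IPv4Network((network_int, prefix))


def caught(candidate, needed):
    """Needed addresses that the candidate block would also cut off."""
    return [a for a in needed if ipaddress.ip_address(a) in candidate]


def compare_blocks(offenders, needed, whois_range=WHOIS_RANGE):
    """Collateral report for the tight prefix vs. the whole whois range."""
    tight = covering_prefix(offenders)
    return {
        "tight": {"cidr": str(tight), "collateral": caught(tight, needed)},
        "whois": {"cidr": str(whois_range), "collateral": caught(whois_range, needed)},
    }


if __name__ == "__main__":
    for name, r in compare_blocks(OFFENDERS, NEEDED).items():
        print(f"{name:5} {r['cidr']:20} would also block: {r['collateral'] or 'nothing on the allowlist'}")
```

With the thread's two sources the tight prefix is 205.247.221.0/25, which covers both offenders while leaving the upper half of the /24 (and the hypothetical .200 host) reachable; whichever block you choose, the collateral list is what to review before committing the rule on the edge router.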