arthurh88 asked on

Port Scanning Prevention Filter sometimes blocks port 80 Requests (2012 R2)

Ok so in my event log, I sometimes get this error:
The Windows Filtering Platform has blocked a packet.

Application Information:
      Process ID:            0
      Application Name:      -

Network Information:
      Direction:            Inbound
      Source Address:            50.99.999.99
      Source Port:            64618
      Destination Address:      208.99.9.99
      Destination Port:            80
      Protocol:            6


Why would my firewall have any instances where it would be blocking port 80, I wondered. This happens seemingly at random. I did a netsh wfp capture start and found this entry for that IP:
            <type>FWPM_NET_EVENT_TYPE_CLASSIFY_DROP</type>
                  <classifyDrop>
                        <filterId>88382</filterId>

I then searched for FilterID 88382 and found it defined as this:

      <name>Port Scanning Prevention Filter</name>
      <description>This filter prevents port scanning.</description>

When I looked up the Port Scanning Prevention Filter, I learned that it cannot be disabled and its function is that if a port doesn't have an application "listening" on it, then Windows Firewall will drop the packet regardless. http://superuser.com/questions/362358/how-to-disable-hidden-windows-firewall-filter

Based on this definition, it seems like my IIS web service has brief periods of "not listening," and when a user connects to port 80, IIS isn't listening in that single moment, and the packet gets dropped... could this be happening? That is what it appears like on the surface, if I understand all this right.

This raises my concern... why would my firewall sometimes think that port 80 isn't listening? The server is a web server. I'm stumped at where else to go in my diagnostics. I'd like to know why Windows Filtering is occasionally (and this is only sometimes) dropping port 80 packets. Is there a way I can diagnose IIS to see if it occasionally... even for millisecond periods of time... stops "listening"?

Last Comment: arnold, 8/22/2022 - Mon
Brian Murphy

Port conflict?

Are you running Work Folders and IIS?
arthurh88

ASKER
I don't know. How can I find that out? Interesting theory; I didn't think to check for something else listening on port 80. Is there a command that will show what apps are listening on a port?
arthurh88

ASKER
I'm running IIS
arthurh88

ASKER
I ran a netstat -nao and found port 80 only has entries like this:
 TCP    208.99.9.99:80         24.999.99.999:53019    ESTABLISHED     4
 TCP    208.99.9.99:80         24.999.99.999:53020    ESTABLISHED     4
 TCP    208.99.9.99:80       24.999.99.9997:53021    ESTABLISHED     4
 TCP    208.99.9.99:80         46.9.99.999:49244      TIME_WAIT       0
 TCP    208.99.9.99:80         46.9.99.999:49629      TIME_WAIT       0
 TCP    208.99.9.99:80         46.9.99.999:53065      TIME_WAIT       0
David Johnson, CD

You should run your server behind a router so it is not directly connected to the internet.
arthurh88

ASKER
It is behind a hardware router; it is not directly connected to the internet. These packets on port 80 are already through the external router (the router lets port 80 pass worldwide).
arnold

The filter you mention seems to enforce a connection-count-based restriction that is set too low for your needs.

Based on your netstat output, it suggests you are limiting port 80 using this filter to a max of 3 connections from the same source.
Usually, when HTTP requests come, they come in one of two ways: one is using a single connection to request the page and any and all objects using multi pipelining. However, more commonly, each object on a page is obtained by a single connection. So if your page has 10 images, and additional files, the same source IP will hit your IIS server at least 10 times within a second.

You likely need to exempt port 80/443 from that filter, whose purpose is to detect port scanning, meaning the same IP tries to connect to multiple/sequential ports on your system.
Mohammed Khawaja

You should be running your server behind a firewall and have a rule which will forward requests for port 80 to an internal IP address.

To find out what is listening on port 80, you could run the following command:
netstat -aon -b

You could also use the PID and find the executable from Task Manager, as to which directory it resides in.
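One way to do both checks from this thread (find what owns port 80, as netstat -aon -b does, and watch for moments when nothing is listening while pulling the matching WFP drop audits), as an added example that is not from any of the posters. It assumes Windows Server 2012 R2 or later, an elevated PowerShell prompt, and the standard EventData field names of Event ID 5152, the "Windows Filtering Platform has blocked a packet" event quoted in the question.

```powershell
# Added example (not from the thread): identify the owner of TCP port 80, sample
# for gaps where nothing is listening (when the Port Scanning Prevention Filter
# would drop inbound packets), and list recent 5152 drop audits for that port
# with the filter ID that dropped each packet. Assumes Server 2012 R2+ (NetTCPIP
# module), an elevated session, and the 5152 field names DestPort/FilterRTID/etc.
param([int]$Port = 80, [int]$Samples = 600, [int]$IntervalMs = 100)

# PowerShell form of "netstat -aon -b": LISTEN sockets on $Port and their owning process.
function Get-PortListener {
    param([int]$Port)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Pid          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { '(unknown)' }
            }
        }
}

# Poll the listener state; any sample with no LISTEN socket is a gap to investigate.
function Watch-PortListener {
    param([int]$Port, [int]$Samples, [int]$IntervalMs)
    $gaps = 0
    for ($i = 0; $i -lt $Samples; $i++) {
        if (-not (Get-PortListener -Port $Port)) {
            $gaps++
            Write-Warning ("{0}: nothing listening on TCP {1}" -f (Get-Date -Format o), $Port)
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
    return $gaps
}

# Recent Security-log 5152 events whose destination port is $Port, with source and WFP filter ID.
function Get-WfpDropsForPort {
    param([int]$Port, [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ([int]$d['DestPort'] -eq $Port) {
                [pscustomobject]@{ Time = $_.TimeCreated; Source = "$($d['SourceAddress']):$($d['SourcePort'])"; FilterId = $d['FilterRTID']; Layer = $d['LayerName'] }
            }
        }
}

Get-PortListener -Port $Port | Format-Table -AutoSize
Get-WfpDropsForPort -Port $Port | Format-Table -AutoSize
"Listener gaps in $Samples samples: $(Watch-PortListener -Port $Port -Samples $Samples -IntervalMs $IntervalMs)"
```

If the drop timestamps line up with reported listener gaps, the filter is behaving as described in the question; if port 80 is always listening, the FilterId column is what to compare against the filter IDs in the netsh wfp capture.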
ASKER CERTIFIED SOLUTION
arnold
