Solved

Sonicwall Possible port scan dropped

Posted on 2016-08-18
5
57 Views
Last Modified: 2016-10-24
For the past two days I've seen a lot of "Possible port scan dropped" on my logs.
UTC 08/18/2016 20:54:11.720 Possible port scan dropped 52.216.64.59, 443,  TCP scanned port list, 27516, 27517, 27518, 27519, 27520  
UTC 08/18/2016 20:43:21.928 Possible port scan dropped 52.84.125.119, 80,  TCP scanned port list, 24453, 24454, 24452, 24456, 24457  
UTC 08/18/2016 20:42:17.896 Possible port scan dropped 216.115.104.240,  TCP scanned port list, 24375, 24370, 24371, 24372, 24373

Some are from Amazon and others are from Akami.

I'm checking all PC's to see if anyone installed Amazon cloud services and so far found nothing. Should I be concerned?
0
Comment
Question by:IT_Fanatic
  • 3
5 Comments
 
LVL 22

Expert Comment

by:David Atkin
ID: 41761619
It could just be a bot scanning your ISP's subnet for IP's with open ports.  We find that our clients get scanned a fair bit.  Personally, I don't pay much attention to it.  Out passwords etc are changed frequently and the only ports open are HTTPS for Exchange.

Your Sonicwall is doing the right thing by dropping them :)
0
 
LVL 8

Accepted Solution

by:
J Spoor earned 500 total points
ID: 41762015
Possible portscans could mean two things,
1) you are really being port scanned
2) you have a host that's communicating with a server but replies are taking too long, so the hsot will send multiple retries, the then late replies are a bunch of packets on random destination ports and will trigger portscan detection as well.

I would say it is the latter. but the problem is on the other end.

nothing really to be concerned about though



View  example configurations and the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com
0
 

Author Comment

by:IT_Fanatic
ID: 41762741
A lot of the IPs I see are coming from Amazon cloud front. I'm not aware of anyone using any Amazon software and the only devices plugged into my network are the PC's.

No one plugs in anything without authorization and also I disable open ports on the patch panel so even if they plug in its a dead port. How can I find if a user is using an Amazon service on their PC?
0
 

Author Comment

by:IT_Fanatic
ID: 41762815
Ok so I installed TCPView and found that these IPs are coming from dropbox. Did dropbox switch hosting and is now using Amazon?
0
 

Author Closing Comment

by:IT_Fanatic
ID: 41857015
Thank you. I located that the port scans were from dropbox.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this tutorial I will show you with short command examples how to obtain a packet footprint of all traffic flowing thru your Juniper device running ScreenOS. I do not know the exact firmware requirement, but I think the fprofile command is availab…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question