Solved

Sonicwall Possible port scan dropped

Posted on 2016-08-18
5
32 Views
Last Modified: 2016-10-24
For the past two days I've seen a lot of "Possible port scan dropped" on my logs.
UTC 08/18/2016 20:54:11.720 Possible port scan dropped 52.216.64.59, 443,  TCP scanned port list, 27516, 27517, 27518, 27519, 27520  
UTC 08/18/2016 20:43:21.928 Possible port scan dropped 52.84.125.119, 80,  TCP scanned port list, 24453, 24454, 24452, 24456, 24457  
UTC 08/18/2016 20:42:17.896 Possible port scan dropped 216.115.104.240,  TCP scanned port list, 24375, 24370, 24371, 24372, 24373

Some are from Amazon and others are from Akami.

I'm checking all PC's to see if anyone installed Amazon cloud services and so far found nothing. Should I be concerned?
0
Comment
Question by:IT_Fanatic
  • 3
5 Comments
 
LVL 22

Expert Comment

by:David Atkin
ID: 41761619
It could just be a bot scanning your ISP's subnet for IP's with open ports.  We find that our clients get scanned a fair bit.  Personally, I don't pay much attention to it.  Out passwords etc are changed frequently and the only ports open are HTTPS for Exchange.

Your Sonicwall is doing the right thing by dropping them :)
0
 
LVL 5

Accepted Solution

by:
J Spoor earned 500 total points
ID: 41762015
Possible portscans could mean two things,
1) you are really being port scanned
2) you have a host that's communicating with a server but replies are taking too long, so the hsot will send multiple retries, the then late replies are a bunch of packets on random destination ports and will trigger portscan detection as well.

I would say it is the latter. but the problem is on the other end.

nothing really to be concerned about though



View  example configurations and the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com
0
 

Author Comment

by:IT_Fanatic
ID: 41762741
A lot of the IPs I see are coming from Amazon cloud front. I'm not aware of anyone using any Amazon software and the only devices plugged into my network are the PC's.

No one plugs in anything without authorization and also I disable open ports on the patch panel so even if they plug in its a dead port. How can I find if a user is using an Amazon service on their PC?
0
 

Author Comment

by:IT_Fanatic
ID: 41762815
Ok so I installed TCPView and found that these IPs are coming from dropbox. Did dropbox switch hosting and is now using Amazon?
0
 

Author Closing Comment

by:IT_Fanatic
ID: 41857015
Thank you. I located that the port scans were from dropbox.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now