• Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Port scans from websites?????

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Logging and Reporting >> Port scans from websites????? Page: [1]
Message << Older Topic   Newer Topic >>
Port scans from websites????? - 19.Apr.2005 2:29:00 PM   


Posts: 17
Joined: 3.Apr.2003
Status: offline
I, by accident, noticed that i was getting an almost continuous port scan on high ports from an IP address external to us on our rear (ISA) firewall.
This was particularly concerning seeing as I have a well respected Cyberguard box fronting our perimeter which I checked the config on which wasn't erroneous. After much mucking around, mirroring ports and using Etherreal I found this site address was actually a website that is being used by our internal call centres and wasn't actually a spoofed address from a host in my DMZ which I was under the impression it might be.

So my question is, why is traffic arriving at my ISA's external interface which isn't either identified as replies from previous requests from internal clients or is using a gradually increasing port range? Basically alerting the port scan feature of ISA into believing it's being attacked?

the website in question is http://www.tfl.gov.uk which resolves to the 'attacking' address in question

Anyone fancy visiting it through their ISA and seeing if it gives you the same odd responses?

I'd be very interested to see what your thoughts are. I can provide logs if neccesary.


Post #: 1
RE: Port scans from websites????? - 20.Apr.2005 12:32:00 PM   


Posts: 37
Joined: 14.Jan.2004
From: London
Status: offline
I have been having a similar issue with various sites visited by my clients. I have made posts here in the past and not had any decent replies.

I would dearly like someone to address this issue so please keep me posted if you make any headway.

(in reply to daxb)
Post #: 2

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> Logging and Reporting >> Port scans from websites????? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts