daxb -> Port scans from websites????? (19.Apr.2005 2:29:00 PM)

I, by accident, noticed that I was getting an almost continuous port scan on high ports from an IP address external to us on our rear (ISA) firewall.
This was particularly concerning seeing as I have a well respected Cyberguard box fronting our perimeter, which I checked the config on, which wasn't erroneous. After much mucking around, mirroring ports and using Ethereal, I found this site address was actually a website that is being used by our internal call centres and wasn't actually a spoofed address from a host in my DMZ, which I was under the impression it might be.

So my question is, why is traffic arriving at my ISA's external interface which isn't either identified as replies from previous requests from internal clients or is using a gradually increasing port range? Basically alerting the port scan feature of ISA into believing it's being attacked?

The website in question is http://www.tfl.gov.uk, which resolves to the 'attacking' address in question.

Anyone fancy visiting it through their ISA and seeing if it gives you the same odd responses?

I'd be very interested to see what your thoughts are. I can provide logs if necessary.



duffo -> RE: Port scans from websites????? (20.Apr.2005 12:32:00 PM)

I have been having a similar issue with various sites visited by my clients. I have made posts here in the past and not had any decent replies.

I would dearly like someone to address this issue so please keep me posted if you make any headway.

