Date: Tue, 18 Jul 2006 14:48:15 -0400
From: Mike Andrews <mandrews@bit0.com>
To: Clemens Renner <claim@rinux.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Port scan from Apache?
Message-ID: <44BD2CEF.4050504@bit0.com>
In-Reply-To: <44BD0846.6060405@rinux.net>
References: <44BD0846.6060405@rinux.net>
Clemens Renner wrote:
> Hi everyone,
>
> today I got an e-mail from a company claiming that my server is doing
> port scans on their firewall machine. I found that hard to believe so I
> started checking the box.
>
> The company rep told me that the scan was originating at port 80 with
> destination port 8254 on their machine. I couldn't find any hints as to
> why that computer was subject to the alleged port scans. Searching in
> logs and crontab entries did not reveal the domain name or IP address of
> the machine except for my web mailer. It seems that someone from the
> company's network is accessing the web mailer in 10-15 minute intervals
> which is absolutely believable since one of my users works for the
> company and checks his mail via the web mailer. The strange part is that
> the company rep said these scans started some time on Sunday, while my
> user definitely was not using the company's hardware.
>
> Apparently, the company uses NetScreen hardware and/or software for such
> intrusion detection / prevention mechanisms and the log he provided read:

Almost definitely a false alarm. Firewalls (not just Netscreen) keep track of active TCP connections passing through them. If they stay idle for too long, the firewall assumes the other end died and drops it from its tracking table.

Someone behind their firewall viewed your website. If you have, say, 6 images on it, then 7 connections get maintained in the firewall's state table, probably from sequential source port numbers. If you have Apache's keepalives on, then those 7 HTTP connections get held open for a while in case they request more pages/images from you. The problem is when Apache's keepalive interval is longer than the firewall's idle connection retention interval.

If the firewall is configured to forget about idle connections after 5 minutes and Apache's keeping connections alive for 8 minutes, then two minutes after the firewall forgets about it, it will log Apache's attempt to close the connection as a FIN scan from 7 different ports.

Find out what that TCP interval is on their Netscreen and adjust your Apache keepalive to be less than that. I think we went all the way down to 2 minutes before the dumber firewall admins stopped emailing us.

This isn't limited to Netscreen either... Sonicwalls were overly sensitive to this a while back but I think they put out a firmware update to shut up some of the false alarms. PIX firewalls tend to have longer defaults so you don't run into that as much.

If you're an ISP, every now and then you'll get similar complaints from your customers complaining that your nameserver is attacking them. Same story -- a slow DNS lookup that takes longer than their firewall is willing to wait on a UDP response, and they assume that every single thing a firewall logs is from an OMG WTF DDOS script kiddie... :)

-- 
Mike Andrews * mandrews@bit0.com * http://www.bit0.com
It's not news, it's Fark.com. Carpe cavy!
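The keepalive-versus-state-table timeline from the reply above, as an added example that is not part of the original thread: a small Python model of a stateful firewall forgetting idle flows before Apache sends its FINs. The 5 and 8 minute timeouts and the 7 connections come from the reply; the port numbers, the 60 s safety margin and the state-table behaviour itself are constructed simplifications, not any vendor's implementation.

```python
"""Model of the false positive described in the reply (added example, not
from the original thread): a stateful firewall forgets idle TCP flows after
fw_idle_timeout seconds, while Apache keeps idle keepalive connections open
for keepalive_timeout seconds before sending FIN.  Any FIN that arrives after
the firewall entry expired matches no known flow and is logged as an
unsolicited packet from port 80, i.e. a "FIN scan" from several ports.
The state-table behaviour is a simplification, not a vendor implementation."""

SERVER_PORT = 80


def simulate(keepalive_timeout, fw_idle_timeout, n_images, base_port=50000):
    """Return the client ports whose server-side FIN the firewall would flag.

    A browser behind the firewall fetches one page plus n_images images at
    t=0, one keepalive connection each, from sequential source ports
    (base_port is a constructed value).  Times are in seconds.
    """
    # Firewall state table: client source port -> time of last activity.
    last_seen = {base_port + i: 0 for i in range(n_images + 1)}
    t_fin = keepalive_timeout  # Apache closes the idle connections now
    flagged = []
    for client_port in sorted(last_seen):
        entry_expired = t_fin - last_seen[client_port] > fw_idle_timeout
        if entry_expired:
            # No matching flow: the FIN 80 -> client_port looks unsolicited.
            flagged.append(client_port)
    return flagged


def recommended_keepalive(fw_idle_timeout, margin=60):
    """Apache KeepAliveTimeout value that stays under the firewall's idle timeout.

    The 60 s margin is an arbitrary choice; the reply only says 'less than'.
    """
    return max(1, fw_idle_timeout - margin)


if __name__ == "__main__":
    fw_idle, apache_ka = 5 * 60, 8 * 60  # the reply's 5 and 8 minutes
    hits = simulate(apache_ka, fw_idle, n_images=6)
    print(f"KeepAliveTimeout {apache_ka}s vs firewall idle {fw_idle}s: "
          f"{len(hits)} FINs from port {SERVER_PORT} logged as a scan to {hits}")
    fixed = recommended_keepalive(fw_idle)
    print(f"KeepAliveTimeout {fixed}s: "
          f"{len(simulate(fixed, fw_idle, n_images=6))} FINs flagged")
```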