Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 2 subscribers
  • Views 5244 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Portscan attack

rezalzakaria
dear friends,
my firewall is being bombarded by portscan. I have enable portscan detection an put in to 'drop'. but i keep receiving messege from firewall saying there is still portscan and after cheaking theip address of portscan source, it is from DNS servers. please help me cause my e-mail is full with this portscan messege.
best regards


This thread was automatically locked due to age.
Parents
  • 0
    ok, in first step i suggest you disable portscan detection and rather follow packet filter log. maybe there you also get information what exactly is droped (source and destination ports). it could also help if you would post a piece of this logfile here. without more information i guess it will be hard to really help you.
  • 0 in reply to ref
    the sample of the portscan log file. please help!

    2004-Apr 20 00:07:15 (none) kernel: Portscan detected: IN=eth1 OUT=eth0 SRC=161.142.2.17 DST=192.168.9.21 LEN=160 TOS=0x00 PREC=0x00 TTL=40 ID=3709 PROTO=UDP SPT=53 DPT=3663 LEN=140
    2004-Apr 20 00:07:16 (none) kernel: Portscan detected: IN=eth1 OUT=eth0 SRC=161.142.2.17 DST=192.168.9.21 LEN=372 TOS=0x00 PREC=0x00 TTL=40 ID=4107 PROTO=UDP SPT=53 DPT=3664 LEN=352
    2004-Apr 20 00:07:18 (none) kernel: Portscan detected: IN=eth1 OUT=eth0 SRC=161.142.2.17 DST=192.168.9.21 LEN=160 TOS=0x00 PREC=0x00 TTL=40 ID=4719 PROTO=UDP SPT=53 DPT=3671 LEN=140
    2004-Apr 20 00:07:19 (none) kernel: Portscan detected: IN=eth1 OUT=eth0 SRC=202.99.8.1 DST=192.168.9.21 LEN=145 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=53 DPT=3671 LEN=125
    2004-Apr 20 00:07:21 (none) kernel: Portscan detected: IN=eth1 OUT=eth0 SRC=202.99.8.1 DST=192.168.9.21 LEN=328 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=53 DPT=3672 LEN=308
    2004-Apr 20 00:07:48 (none) kernel: Portscan detected: IN=eth1 OUT=eth0 SRC=202.99.8.1 DST=192.168.9.21 LEN=360 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=53 DPT=3738 LEN=340
  • 0 in reply to rezalzakaria
    for me this looks like dns replies for your internal host 192.168.9.21. since portscan detection filters these i guess its a bug in this module. i for myselfe deactivated portscan detection, because i also had the feeling that it is not working properly and packets from outside are anyways droped. i had no special interest in those who try a portscan, because any kiddy is trying it.
  • 0 in reply to ref
    Thanks ref. I will discuss this option with the boss. thanks again.
Reply Children
No Data