Re: Port Scan Attack (is it really?)

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 26 Oct 2002 07:17:29 -0700

You'll notice that all of the blocked packets were trying to use NetBIOS ports (137, 139).
Unless you're publishing an RPC server, you want this stuff blocked.
The ones where your ISA is making a call to another host using TCP-137 are where the ISA couldn't resolve the IP to a name using DNS and fell back to NetBIOS queries.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the help / books / articles!

  ----- Original Message ----- 
  From: g.sartzetakis@xxxxxxxxxxxxx 
  To: [ISAserver.org Discussion List] 
  Sent: Friday, October 25, 2002 12:35 AM
  Subject: [isalist] Port Scan Attack (is it really?)


  Hello all,

  my IP Packet filter logs are being filled up with records of the kind ..

  2002-10-25 07:05:47 xxx.xxx.xxx.xxx 192.168.52.1 Tcp 139 1921 ACK  BLOCKED ...
  2002-10-25 07:05:47 xxx.xxx.xxx.xxx 192.168.110.1 Tcp 139 1922 ACK  BLOCKED ...
  2002-10-25 07:06:12 xxx.xxx.xxx.xxx AAA..AAA..AAA.AAA Udp 1027 137 - BLOCKED ...
  2002-10-25 07:06:13 xxx.xxx.xxx.xxx BBB.BBB.BBB.BBB Udp 1027 137 - BLOCKED ...

  where AAA.AAA.AAA.AAA and BBB.BBB.BBB.BBB are the IPs of ISA on the external interface and xxx.xxx.xxx.xxx are various IPs from the outside world.
  Also, the internal IPs shown above do not exist in my organization, nor are they part of the ISA LAT configuration.
  All these are being reported by ISA as all port scan attacks or well-known port scan attacks. Is it really so, or am I missing something? (Does it have anything to do with the NetBIOS settings configured on ISA?)

  Thanks in advance.

  George E. Sartzetakis
  Information Systems Engineer 
  Interworks Ltd.
  60 Vrilissou Str., Athens 114 76
  Tel.: +30 10 6400437, +30 10 6456596
  Fax: +30 10 6471048
  URL: http://www.interworks.gr
  Email: g.sartzetakis@xxxxxxxxxxxxx 
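
Added example, not part of either message: a Python sketch that triages blocked records in the layout quoted above, separating NetBIOS traffic (ports 137/139) from sources that probe many distinct other ports. The field order (source IP, destination IP, protocol, source port, destination port, TCP flags, action), the inclusion of port 138, the threshold of 10 and all sample addresses are assumptions.

```python
import re
from collections import defaultdict

NETBIOS_PORTS = {137, 138, 139}  # thread names 137 and 139; 138 is an added assumption
# Assumed field order: date time src dst proto src-port dst-port tcp-flags action
LINE = re.compile(
    r"^\s*\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<flags>\S+)\s+(?P<action>BLOCKED|ALLOWED)"
)

def parse(text):
    """Yield one dict per well-formed record; wrapped '...' lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec

def triage(text, sweep_threshold=10):
    """Map each blocked source IP to 'port-sweep', 'netbios' or 'other'."""
    ports = defaultdict(set)    # distinct non-NetBIOS destination ports per source
    netbios = defaultdict(int)  # records with a NetBIOS port on either side
    for rec in parse(text):
        if rec["action"] != "BLOCKED":
            continue
        if {rec["sport"], rec["dport"]} & NETBIOS_PORTS:
            netbios[rec["src"]] += 1
        else:
            ports[rec["src"]].add(rec["dport"])
    return {src: ("port-sweep" if len(ports[src]) >= sweep_threshold
                  else "netbios" if netbios[src] and not ports[src] else "other")
            for src in set(ports) | set(netbios)}

# Constructed sample: documentation-range addresses, not values from the thread.
SAMPLE_LOG = (
    "2002-10-25 07:05:47 198.51.100.7 192.168.52.1 Tcp 139 1921 ACK  BLOCKED ...\n"
    "2002-10-25 07:05:47 198.51.100.7 192.168.110.1 Tcp 139 1922 ACK  BLOCKED ...\n"
    "2002-10-25 07:06:12 203.0.113.9 192.0.2.10 Udp 1027 137 - BLOCKED ...\n"
    + "".join(f"2002-10-25 07:09:00 203.0.113.50 192.0.2.10 Tcp 40000 {p} SYN BLOCKED\n"
              for p in range(20, 32))
    + "2002-10-25 07:10:00 203.0.113.77 192.0.2.10 Tcp 40001 80 SYN BLOCKED\n"
)

if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(src, verdict)
```

Sources that land in the `netbios` bucket match the traffic described in the reply; only `port-sweep` sources touch enough distinct ports to merit a closer look.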
