MessageYou'll notice that all of the blocked packets were trying to use NetBIOS ports (137, 139). Unless you're publishing an RPC server, you want this stuff blocked. The ones where your ISA is making a call to another host using TCP-137 is where the ISA couldn't resolve the IP to a name using DNS and fell back to NetBIOS queries. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/pages/author_index.asp?aut=3 http://isatools.org Read the help / books / articles! ----- Original Message ----- From: g.sartzetakis@xxxxxxxxxxxxx To: [ISAserver.org Discussion List] Sent: Friday, October 25, 2002 12:35 AM Subject: [isalist] Port Scan Attack (is it really?) http://www.ISAserver.org Hello all, my IP Packet filter logs are being filled up with records of the kind .. 2002-10-25 07:05:47 xxx.xxx.xxx.xxx 192.168.52.1 Tcp 139 1921 ACK BLOCKED ... 2002-10-25 07:05:47 xxx.xxx.xxx.xxx 192.168.110.1 Tcp 139 1922 ACK BLOCKED ... 2002-10-25 07:06:12 xxx.xxx.xxx.xxx AAA..AAA..AAA.AAA Udp 1027 137 - BLOCKED ... 2002-10-25 07:06:13 xxx.xxx.xxx.xxx BBB.BBB.BBB.BBB Udp 1027 137 - BLOCKED ... where AAA.AAA.AAA.AAA and BBB.BBB.BBB.BBB are the IP's of ISA on the external interface and xxx.xxx.xxx.xxx various IP's from the outside world Also, the internal IP's shown above do not exist in my organization nor are part of the ISA LAT conffiguration. All these are being reported by ISA as all port scan attacks or well-known port scan attacks. Is it really so or am I missing something ? (.. does it have anything to do with the NetBIOS settings configured on ISA?) Thanks in advance. George E. Sartzetakis Information Systems Engineer Interworks Ltd. 60 Vrilissou Str., Athens 114 76 Tel.: +30 10 6400437, +30 10 6456596 Fax: +30 10 6471048 URL: http://www.interworks.gr Email: g.sartzetakis@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')