Dell Port Scan??

Flapjack

2[H]4U
Joined
Apr 29, 2000
Messages
3,207
So I'm at work today, trying to order a new PC for one of our employees. I found a great deal, but still had to get two other quotes to meet auditing requirements.

So I open up both the Dell.com and HP.com website. Shortly after I started trying to find similar Dell and HP PCs, our entire corporate network became unusable. Pings to an external site took between 4000-5000ms. Nobody could pull down a complete web page.

So I start going through the logs on our firewall, and I see these two culprits:

"ISA Server detected an all port scan attack from Internet Protocol (IP) address 143.166.83.38."

"ISA Server detected an all port scan attack from Internet Protocol (IP) address 143.166.224.244."

A whois on these IPs shows they belong to Dell.

So I open a command prompt and do a ping to an external IP with a count of 100. While I'm watching the ping window, I close the browser tab that the Dell site is on. Within 2-3 pings, the response time dropped to < 100ms.

So my question is, why would an internal PC going to the Dell website trigger an event that ISA sees as an "all port scan"? I've already contacted the administrative contact for Dell, but there was no answer. Hopefully they return my voicemail. I'd like to find it's something misconfigured on our end, but I really doubt it. Sounds like the Dell webservers are either misconfigured, or subverted...
 
Here's a screenshot of the ISA event:

dell_port_scan.jpg
 
I have not worked with ISA but I have seen other IDS/Firewalls register normal web traffic as a port scan because each element (images, etc.) in a web page is requested separately. This can cause the TCP port to increment by one for quite a range depending upon the site visited. Some signatures mistake this normal port incrementation as a scan.
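To make the explanation in the post above concrete, here is a small added example (not code from the thread, ISA, or any vendor) that runs two toy port-scan heuristics over constructed flow records. One page load opens a separate TCP connection per element from successive ephemeral source ports, so the server's replies arrive on many different client ports; a detector that only counts distinct destination ports per source address flags the web server, while one that ignores packets belonging to connections the inside host already opened does not, yet still catches a constructed unsolicited SYN sweep. All addresses, ports and thresholds are made up for the example.

```python
from collections import defaultdict

CLIENT = "10.0.0.5"        # constructed inside host (the PC browsing the site)
SERVER = "203.0.113.10"    # constructed external web server (documentation range)
SCANNER = "198.51.100.7"   # constructed source of a genuine, unsolicited sweep

# One record per packet: (src_ip, src_port, dst_ip, dst_port, tcp_flags)


def page_load_records(n_elements=30, first_port=49152):
    """Constructed records for one page load: each of n_elements objects is
    fetched over its own connection from the next ephemeral source port."""
    recs = []
    for i in range(n_elements):
        sport = first_port + i  # ephemeral port increments by one per element
        recs += [
            (CLIENT, sport, SERVER, 80, "S"),   # client opens the connection
            (SERVER, 80, CLIENT, sport, "SA"),  # reply lands on the new client port
            (CLIENT, sport, SERVER, 80, "A"),
            (SERVER, 80, CLIENT, sport, "A"),   # response data, same client port
        ]
    return recs


def scan_records(n_ports=25, first_port=1):
    """Constructed records for a real SYN sweep: one probe per port, no prior
    connection from the inside host."""
    return [(SCANNER, 40000, CLIENT, p, "S")
            for p in range(first_port, first_port + n_ports)]


def _offenders(per_pair, threshold):
    return sorted({src for (src, _dst), ports in per_pair.items()
                   if len(ports) > threshold})


def naive_detector(records, threshold=20):
    """Flag a source that touches more than `threshold` distinct destination
    ports on one host, regardless of who opened the connection."""
    per_pair = defaultdict(set)
    for src, _sp, dst, dp, _flags in records:
        per_pair[(src, dst)].add(dp)
    return _offenders(per_pair, threshold)


def stateful_detector(records, threshold=20):
    """Same count, but only the first packet of a connection is counted and
    any packet (either direction) matching a known 4-tuple is ignored."""
    known = set()
    per_pair = defaultdict(set)
    for src, sp, dst, dp, _flags in records:
        fwd, rev = (src, sp, dst, dp), (dst, dp, src, sp)
        if fwd in known or rev in known:
            continue  # follow-on packet of a connection already seen
        known.add(fwd)
        per_pair[(src, dst)].add(dp)
    return _offenders(per_pair, threshold)


if __name__ == "__main__":
    browsing = page_load_records()
    print("naive, browsing only:   ", naive_detector(browsing))
    print("stateful, browsing only:", stateful_detector(browsing))
    print("stateful, browsing+scan:", stateful_detector(browsing + scan_records()))
```

The naive heuristic reports the web server as a scanner after a single 30-element page load, which is the shape of false positive the post describes; the stateful version needs connection tracking, which is why a stateless signature on a default ruleset is prone to this mistake.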
 
I have not worked with ISA but I have seen other IDS/Firewalls register normal web traffic as a port scan because each element (images, etc.) in a web page is requested separately. This can cause the TCP port to increment by one for quite a range depending upon the site visited. Some signatures mistake this normal port incrementation as a scan.

Same here.
 
I have not worked with ISA but I have seen other IDS/Firewalls register normal web traffic as a port scan because each element (images, etc.) in a web page is requested separately. This can cause the TCP port to increment by one for quite a range depending upon the site visited. Some signatures mistake this normal port incrementation as a scan.
That sounds logical, only it completely took down our internet access. Are you saying basically ISA was misbehaving??
 
Yes, looks to be a false positive. I'm not familiar with ISA, so I'll ask - does it save raw packet data for events so you can inspect? If so, you'd be able to tell pretty easily if it was a genuine threat or not.
 
Yes, looks to be a false positive. I'm not familiar with ISA, so I'll ask - does it save raw packet data for events so you can inspect? If so, you'd be able to tell pretty easily if it was a genuine threat or not.
Not sure. I'll look into that today.
 
That sounds logical, only it completely took down our internet access. Are you saying basically ISA was misbehaving??

Yes, that is my theory based upon experience with other IDS/firewalls using a default ruleset.
 
Have you monitored the ISA server when it is happening? Are system resources going up considerably? Have you watched the traffic flow from the box you access the site from?

It may not be that the site is creating a DOS situation, it may be your ISA server is puking for some reason or other.
 
Have you monitored the ISA server when it is happening? Are system resources going up considerably? Have you watched the traffic flow from the box you access the site from?

It may not be that the site is creating a DOS situation, it may be your ISA server is puking for some reason or other.
It hasn't happened since. I tried to recreate my steps, going through the Dell website to build a PC. Everything is fine. The log is too far back now to check. If it happens again, I'll have to dig a little deeper.

It's an ISA 2004 server. It's not exactly new, but it's never let us down before....
 
Perhaps it was choking on something the Dell site threw back.

It is long odds, but the two issues, network performance and scan hit, could have been separate issues that just coincided.
 