Strange - my router "reacts" to intrusion attempts

We have a NAT router with SPI protecting our small LAN.

When I go to http://grc.com and run the shields up scan on common ports, it
shows the following ports as open; 21, 23 and 80. If I run the scan again a
few seconds later all ports show as stealthed. If I leave it for a few
minutes and run the scan again the ports are open again.

OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it be
better to be closed or stealthed the FIRST time an intrusion was attempted?
Can anyone comment on this routers behaviour? I have never seen a router do
this before, is it a potential risk, or is it being very "smart"?

Thanks

Paul

Paul H

From: "Paul H" <>

| We have a NAT router with SPI protecting our small LAN.
|
| When I go to http://grc.com and run the shields up scan on common ports, it
| shows the following ports as open; 21, 23 and 80. If I run the scan again a
| few seconds later all ports show as stealthed. If I leave it for a few
| minutes and run the scan again the ports are open again.
|
| OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it be
| better to be closed or stealthed the FIRST time an intrusion was attempted?
| Can anyone comment on this routers behaviour? I have never seen a router do
| this before, is it a potential risk, or is it being very "smart"?
|
| Thanks
|
| Paul
|

I wonder if Stateful Packet Inspection has something to do with that... ?


--
Dave

David H. Lipman

Paul H wrote:
> We have a NAT router with SPI protecting our small LAN.
>
> When I go to http://grc.com and run the shields up scan on common ports, it
> shows the following ports as open; 21, 23 and 80. If I run the scan again a
> few seconds later all ports show as stealthed. If I leave it for a few
> minutes and run the scan again the ports are open again.
>
> OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it be
> better to be closed or stealthed the FIRST time an intrusion was attempted?

yes, you'll need to configure it correctly, I hate to say it, RTFM
(there, that's a first for me) Probably open for remote management
unless you have set up port forwarding rules to real servers. You really
should close off the remote management features, or set the router so it
only accepts them from specific IP addresses or through the VPN

> Can anyone comment on this routers behaviour? I have never seen a router do
> this before, is it a potential risk, or is it being very "smart"?

It's being 'smart', lots of firewalls do this if they think they are
being port scanned. They drop all traffic from the IP address that is
doing the scanning

>
> Thanks
>
> Paul
>
>

Martin

Paul H wrote:
> We have a NAT router with SPI protecting our small LAN.
>
> When I go to http://grc.com and run the shields up scan on common ports, it
> shows the following ports as open; 21, 23 and 80. If I run the scan again a
> few seconds later all ports show as stealthed. If I leave it for a few
> minutes and run the scan again the ports are open again.
>
> OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it be
> better to be closed or stealthed the FIRST time an intrusion was attempted?
> Can anyone comment on this routers behaviour? I have never seen a router do
> this before, is it a potential risk, or is it being very "smart"?
>
> Thanks
>
> Paul
>
>
It "may" be your ISP firewall interfering as well. I have seen this
occur. Some firewall do block for a set time period, after a threshold
has been met, though the behavior would not be expected in a Nat router.
I suspect your ISP has a firewall that is set to watch for external
scans and blocks the scanner for a few minutes until the activity stops.

Winged

winged

"winged" <> wrote in message
news:d15no7$...
> Paul H wrote:
>> We have a NAT router with SPI protecting our small LAN.
>>
>> When I go to http://grc.com and run the shields up scan on common ports,
>> it shows the following ports as open; 21, 23 and 80. If I run the scan
>> again a few seconds later all ports show as stealthed. If I leave it for
>> a few minutes and run the scan again the ports are open again.
>>
>> OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it
>> be better to be closed or stealthed the FIRST time an intrusion was
>> attempted? Can anyone comment on this routers behaviour? I have never
>> seen a router do this before, is it a potential risk, or is it being very
>> "smart"?
>>
>> Thanks
>>
>> Paul
> It "may" be your ISP firewall interfering as well. I have seen this
> occur. Some firewall do block for a set time period, after a threshold
> has been met, though the behavior would not be expected in a Nat router. I
> suspect your ISP has a firewall that is set to watch for external scans
> and blocks the scanner for a few minutes until the activity stops.

Thanks for the idea, but after further testing that doesn't seem to be
what's happening..

I have also run a sygate quick scan
(http://scan.sygatetech.com/prequickscan.html) and the same ports were
reported as open. I repeated the scan several times and got the same results
each time. I also tried the scan at hackerwatch.com and found the same ports
were also reported as open.

What is going on here? To summarise:

1st scan using grc.com's Shieldsup reports ports 21,23 and 80 are open
2nd scan using grc.com's Shieldsup reports all ports stealthed
Several scans at sygatetech and hackerwatch consistently report these three
ports are open.

Are they open? If they are then it would seem that ShieldsUp is a very
dangerous and misleading tool.

What do you think?

Paul

Paul H