Strange - my router "reacts" to intrusion attempts

Discussion in 'Computer Security' started by Paul H, Mar 11, 2005.

  1. Paul H

    Paul H Guest

    We have a NAT router with SPI protecting our small LAN.

    When I go to http://grc.com and run the shields up scan on common ports, it
    shows the following ports as open; 21, 23 and 80. If I run the scan again a
    few seconds later all ports show as stealthed. If I leave it for a few
    minutes and run the scan again the ports are open again.

    OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it be
    better to be closed or stealthed the FIRST time an intrusion was attempted?
    Can anyone comment on this router's behaviour? I have never seen a router do
    this before, is it a potential risk, or is it being very "smart"?

    Thanks

    Paul
    Paul H, Mar 11, 2005
    #1

  2. David H. Lipman

    From: "Paul H"

    | We have a NAT router with SPI protecting our small LAN.
    |
    | When I go to http://grc.com and run the shields up scan on common ports, it
    | shows the following ports as open; 21, 23 and 80. If I run the scan again a
    | few seconds later all ports show as stealthed. If I leave it for a few
    | minutes and run the scan again the ports are open again.
    |
    | OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it be
    | better to be closed or stealthed the FIRST time an intrusion was attempted?
    | Can anyone comment on this router's behaviour? I have never seen a router do
    | this before, is it a potential risk, or is it being very "smart"?
    |
    | Thanks
    |
    | Paul
    |

    I wonder if Stateful Packet Inspection has something to do with that... ?


    --
    Dave
    David H. Lipman, Mar 11, 2005
    #2

  3. Martin

    Martin Guest

    Paul H wrote:
    > We have a NAT router with SPI protecting our small LAN.
    >
    > When I go to http://grc.com and run the shields up scan on common ports, it
    > shows the following ports as open; 21, 23 and 80. If I run the scan again a
    > few seconds later all ports show as stealthed. If I leave it for a few
    > minutes and run the scan again the ports are open again.
    >
    > OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it be
    > better to be closed or stealthed the FIRST time an intrusion was attempted?


    Yes, you'll need to configure it correctly. I hate to say it, RTFM
    (there, that's a first for me) :) Probably open for remote management
    unless you have set up port forwarding rules to real servers. You really
    should close off the remote management features, or set the router so it
    only accepts them from specific IP addresses or through the VPN.

    > Can anyone comment on this router's behaviour? I have never seen a router do
    > this before, is it a potential risk, or is it being very "smart"?


    It's being 'smart', lots of firewalls do this if they think they are
    being port scanned. They drop all traffic from the IP address that is
    doing the scanning.

    >
    > Thanks
    >
    > Paul
    >
    >
    Martin, Mar 11, 2005
    #3
  4. winged

    winged Guest

    Paul H wrote:
    > We have a NAT router with SPI protecting our small LAN.
    >
    > When I go to http://grc.com and run the shields up scan on common ports, it
    > shows the following ports as open; 21, 23 and 80. If I run the scan again a
    > few seconds later all ports show as stealthed. If I leave it for a few
    > minutes and run the scan again the ports are open again.
    >
    > OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it be
    > better to be closed or stealthed the FIRST time an intrusion was attempted?
    > Can anyone comment on this router's behaviour? I have never seen a router do
    > this before, is it a potential risk, or is it being very "smart"?
    >
    > Thanks
    >
    > Paul
    >
    >

    It "may" be your ISP firewall interfering as well. I have seen this
    occur. Some firewalls do block for a set time period, after a threshold
    has been met, though the behavior would not be expected in a NAT router.
    I suspect your ISP has a firewall that is set to watch for external
    scans and blocks the scanner for a few minutes until the activity stops.

    Winged
    winged, Mar 15, 2005
    #4
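
A model of the behaviour described in replies #3 and #4 (a firewall that drops a source once it crosses a scan threshold, for a set period), added here as an example and not taken from the thread or from any router's firmware. The threshold, window, block time, probe order and addresses are all assumed values.

```python
# Constructed model of a reactive scan block; every constant is an assumption.
OPEN_PORTS = {21, 23, 80}   # ports the thread reports as open
THRESHOLD = 10              # distinct ports from one source before it is blocked
WINDOW = 10.0               # seconds over which probes are counted
BLOCK_FOR = 180.0           # seconds the source stays blocked
# Constructed probe order, not any real scanner's port list.
SCAN_PORTS = [21, 22, 23, 25, 53, 79, 80, 110, 113, 135, 139, 143, 443, 445]


class ReactiveFirewall:
    def __init__(self):
        self.seen = {}           # source -> [(time, port), ...]
        self.blocked_until = {}  # source -> time the block expires

    def probe(self, src, port, now):
        """Answer one inbound connection attempt: 'open' or 'stealth' (dropped)."""
        if now < self.blocked_until.get(src, 0.0):
            return "stealth"
        recent = [(t, p) for t, p in self.seen.get(src, []) if now - t <= WINDOW]
        recent.append((now, port))
        self.seen[src] = recent
        if len({p for _, p in recent}) >= THRESHOLD:
            # Block starts only after this probe has already been answered.
            self.blocked_until[src] = now + BLOCK_FOR
            self.seen[src] = []
        return "open" if port in OPEN_PORTS else "stealth"


def scan(fw, src, start, ports=SCAN_PORTS, gap=0.1):
    """Probe each port in turn and return the ports reported open."""
    return [p for i, p in enumerate(ports)
            if fw.probe(src, p, start + i * gap) == "open"]


if __name__ == "__main__":
    fw = ReactiveFirewall()
    scanner, other = "203.0.113.7", "198.51.100.9"   # documentation addresses
    print("first scan      :", scan(fw, scanner, 0.0))
    print("seconds later   :", scan(fw, scanner, 5.0))
    print("other source    :", scan(fw, other, 6.0))
    print("minutes later   :", scan(fw, scanner, 300.0))
```

In this model the first scan always sees the open ports, and so does any other source, because the block is per source and starts only after the threshold is crossed. That is why reply #3 recommends closing or restricting the services rather than relying on the block.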
  5. Paul H

    Paul H Guest

    "winged" wrote in message
    news:d15no7$...
    > Paul H wrote:
    >> We have a NAT router with SPI protecting our small LAN.
    >>
    >> When I go to http://grc.com and run the shields up scan on common ports,
    >> it shows the following ports as open; 21, 23 and 80. If I run the scan
    >> again a few seconds later all ports show as stealthed. If I leave it for
    >> a few minutes and run the scan again the ports are open again.
    >>
    >> OK so the firewall is "reacting" to an intrusion attempt, but wouldn't it
    >> be better to be closed or stealthed the FIRST time an intrusion was
    >> attempted? Can anyone comment on this router's behaviour? I have never
    >> seen a router do this before, is it a potential risk, or is it being very
    >> "smart"?
    >>
    >> Thanks
    >>
    >> Paul

    > It "may" be your ISP firewall interfering as well. I have seen this
    > occur. Some firewalls do block for a set time period, after a threshold
    > has been met, though the behavior would not be expected in a NAT router. I
    > suspect your ISP has a firewall that is set to watch for external scans
    > and blocks the scanner for a few minutes until the activity stops.


    Thanks for the idea, but after further testing that doesn't seem to be
    what's happening.

    I have also run a Sygate quick scan
    (http://scan.sygatetech.com/prequickscan.html) and the same ports were
    reported as open. I repeated the scan several times and got the same results
    each time. I also tried the scan at hackerwatch.com and found the same ports
    were also reported as open.

    What is going on here? To summarise:

    1st scan using grc.com's ShieldsUp reports ports 21, 23 and 80 are open
    2nd scan using grc.com's ShieldsUp reports all ports stealthed
    Several scans at sygatetech and hackerwatch consistently report these three
    ports are open.

    Are they open? If they are then it would seem that ShieldsUp is a very
    dangerous and misleading tool.

    What do you think?

    Paul
    Paul H, Mar 16, 2005
    #5