Reading those firewall logs

I do review our firewall logs, and do what I can to keep them clear of stuff coming from my network. Even so, there is still a lot of stuff there. One particular IP address had been port-scanning us very persistently for weeks. Last Thursday I finally had enough and looked into it.

The weird thing about the log-lines was that the source TCP port was TCP/443. The target ports were the usual assortment of high-order ports. Most odd.

The reverse lookup of that IP didn't give me anything. However, an openssl query to see what SSL certificate it was offering did give me information.

One of our cloud-app providers.

Wha?

Time to sniff packets. And sniff I did. I got a couple of minutes of capture, which was long enough to catch a few port-scan log entries. After correlating the source/target port numbers, one pattern was pretty clear:

The cloud-app provider was issuing double RST packets after receiving a FIN packet from our side. The first RST tore down the connection as far as the firewall was concerned, which made the second one look like a packet from nowhere with strange flags on it, and therefore suspicious.

I did helpfully tell said cloud-app provider about this, and they sent back a "situation normal, nothing to see here" reply, and googling around does show that some systems use a double-RST method for tearing down connections. I'm not sure why this is a good idea in some cases, but it's pretty clear our firewall doesn't like it. At least this is a bit of log-spam I can now safely ignore.
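To make the mechanism concrete, here is an added example (not from the original post, and not the firewall's actual code) that simulates a minimal stateful firewall dropping connection state on the first RST so that the second RST matches nothing and gets logged, plus a triage heuristic for spotting that pattern in the resulting log lines. The addresses, ports and log format are constructed for the example.

```python
# Constructed simulation of the teardown described above: a minimal stateful
# firewall that drops connection state on the first RST and treats the second,
# now stateless, RST as an unsolicited packet. Addresses and ports are made up.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

class StatefulFirewall:
    def __init__(self):
        self.table = set()  # tracked flows: (inside_ip, inside_port, outside_ip, outside_port)
        self.alerts = []    # log lines for packets that matched no tracked flow

    def outbound(self, pkt):
        if "SYN" in pkt.flags:  # inside host opens a flow; a FIN leaves the state in place
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table:
            if "RST" in pkt.flags:
                self.table.discard(key)  # first RST: flow torn down, state removed
            return "accepted"
        # No state left: the second RST looks like a packet from nowhere
        self.alerts.append(f"unsolicited {pkt.flags} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "logged"

def looks_like_stray_teardown(alert, service_ports=(443,)):
    """Triage heuristic for the constructed log format: RST-only, from a
    well-known service port, to an ephemeral port. That is the post's pattern,
    not a scan of our high ports."""
    flags, src, _, dst = alert.split()[1:5]
    sport = int(src.rsplit(":", 1)[1])
    dport = int(dst.rsplit(":", 1)[1])
    return flags == "RST" and sport in service_ports and dport >= 1024

def double_rst_teardown():
    fw = StatefulFirewall()
    inside, outside = ("10.0.0.5", 51234), ("203.0.113.10", 443)  # constructed endpoints
    fw.outbound(Packet(*inside, *outside, "SYN"))
    fw.inbound(Packet(*outside, *inside, "SYN,ACK"))
    fw.outbound(Packet(*inside, *outside, "FIN,ACK"))  # our side closes
    first = fw.inbound(Packet(*outside, *inside, "RST"))
    second = fw.inbound(Packet(*outside, *inside, "RST"))
    return first, second, fw.alerts

if __name__ == "__main__":
    first, second, alerts = double_rst_teardown()
    for a in alerts:
        print(a, "-> stray teardown" if looks_like_stray_teardown(a) else "-> investigate")
```

The first RST is accepted and removes the flow; the second is logged as unsolicited, and the heuristic flags that line as teardown noise rather than a scan.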