
I have been investigating logs from the firewall (Juniper) and I've found out that when someone is portscanning my website, the majority of the traffic through different tcp/udp ports is denied (except for ports 80 and 443, which are allowed). However, traffic is allowed through some of the ports that it shouldn't be, for example, ports 4800, 502, 21025, 88. But after inspecting the log it also says 'CLOSE - age out'. Does that mean that the attacker managed to initiate a session but no traffic was sent for a certain amount of time? Does the attacker get any information from these different responses? To clarify: I do not have access to check what the exact firewall configuration is.

Gabrielius
  • Some Juniper devices also log "age out" for a TCP reset packet. So it's likely the device the firewall passes the request through to does not have the port open and is sending a RST packet. – Hector Nov 14 '17 at 13:59
  • @Hector could you please provide a simple schematic (for better understanding) of the tcp connection you described for it to end in a RST packet? Also, does that mean that the firewall is allowing the traffic through the mentioned ports? – Gabrielius Nov 14 '17 at 15:09
  • https://en.wikipedia.org/wiki/Port_scanner#SYN_scanning - "If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with an RST packet, closing the connection before the handshake is completed.[3] If the port is closed but unfiltered, the target will instantly respond with an RST packet." - so in a normal syn based port scan whether the port is open or closed you would expect to see a RST packet. It does suggest the firewall is allowing the packet yes. Why will depend on the firewall config. – Hector Nov 14 '17 at 15:22

1 Answer


Some Juniper devices log TCP RST packets as age out. This is to do with how the ASICs handle the timeout - see here.

An RST packet would be expected behaviour when a SYN based port scanner is allowed through the firewall on a given port. SYN scanners send the initial SYN packet to establish the TCP connection.

  • For a closed port most systems would reject this by sending an RST packet (thus letting the client know and not leaving them to time out).
  • For an open port the client would respond with an ACK. The scanner then (usually) sends an RST so the server knows it can close the connection.
  • Worth noting this could also legitimately be a time out, i.e. a connection is established but no packets are received within the firewall's timeout limit.

If you are seeing age out on those ports it would suggest the packets do make it through the firewall. Without seeing more information from the log, firewall configuration or server configuration it is difficult to speculate on both why these are allowed through and how far through the connection the process gets.

Hector
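The answer's point is that an "age out" close tells you the firewall created a session (so the policy let the packet through), but not by itself whether the host behind it answered. One defensive way to get that distinction out of the logs is to look at the per-session packet counters next to the close reason. The script below is an added example, not code from the question, the answer, or Juniper: it parses session-close records written in the SRX structured-syslog style, buckets each by close reason and whether the server side ever sent a packet, and lists the destination ports for which a session existed at all. The record layout and field names (`RT_FLOW_SESSION_CLOSE`, `reason`, `destination-port`, `packets-from-server`) are assumed from that format and the sample lines are constructed to mirror the question's ports; adjust the field names if your device's log template differs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: four session-close records in the Juniper SRX structured-syslog
# style. Field names are assumed from the RT_FLOW_SESSION_CLOSE format; the values
# are made up to mirror the question (port 80 is a real service, 4800/502/88 "age out").
SAMPLE_LOG = """\
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP RST" source-address="198.51.100.7" source-port="40001" destination-address="203.0.113.10" destination-port="80" packets-from-client="3" bytes-from-client="180" packets-from-server="2" bytes-from-server="120" elapsed-time="1"]
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="aged out" source-address="198.51.100.7" source-port="40002" destination-address="203.0.113.10" destination-port="4800" packets-from-client="1" bytes-from-client="60" packets-from-server="1" bytes-from-server="40" elapsed-time="2"]
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="aged out" source-address="198.51.100.7" source-port="40003" destination-address="203.0.113.10" destination-port="502" packets-from-client="1" bytes-from-client="60" packets-from-server="0" bytes-from-server="0" elapsed-time="20"]
RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="aged out" source-address="198.51.100.7" source-port="40004" destination-address="203.0.113.10" destination-port="88" packets-from-client="1" bytes-from-client="60" packets-from-server="1" bytes-from-server="40" elapsed-time="1"]
"""

# key="value" pairs inside the structured-data block
FIELD_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_close_line(line):
    """Return the key/value fields of one RT_FLOW_SESSION_CLOSE record, or None."""
    if "RT_FLOW_SESSION_CLOSE" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def classify(fields):
    """Bucket a closed session by what the log can actually tell a defender.

    Heuristic, not a Juniper rule: "aged out" with zero packets from the server
    means nothing came back before the session timer expired (host silent, or the
    packet was dropped further downstream); "aged out" with a server reply is
    ambiguous and, per the answer above, may be an RST that the device recorded
    as an age out, or a session that was established and then sat idle.
    """
    reason = fields.get("reason", "").lower()
    if "rst" in reason:
        return "tcp-rst"
    if "age" in reason:  # covers "aged out" and "age out" spellings
        if int(fields.get("packets-from-server", "0")) == 0:
            return "aged-out/no-server-reply"
        return "aged-out/server-replied"
    return "other:" + reason


def summarize(log_text):
    """Map destination port -> {category: count} across all close records."""
    per_port = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_close_line(line)
        if fields is None:
            continue
        per_port[fields["destination-port"]][classify(fields)] += 1
    return {port: dict(counts) for port, counts in per_port.items()}


def ports_with_sessions(log_text):
    """Destination ports for which the firewall created a session at all.

    A close record only exists if the firewall accepted the initial packet, so
    this is the set of ports the policy let the scanning host reach.
    """
    return sorted(int(p) for p in summarize(log_text))


if __name__ == "__main__":
    for port, counts in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print(f"port {port:>5}: {counts}")
    print("ports for which a session was created:", ports_with_sessions(SAMPLE_LOG))
```

Run against a real export, the "no-server-reply" bucket separates ports where the policy is open but nothing is listening (the scanner learns only that the firewall did not reject it) from the "server-replied" bucket, which is where to check the host or the downstream device, since something behind the firewall did answer.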