dnoyeB (join:2000-10-09, Southfield, MI)
Zywall 2+ Attack Detection
I have this in my log:

2008-07-14 17:58:26 ports scan UDP (L to WL) 192.168.0.3:4552 192.168.10.2:9601 ATTACK

I am wondering if this is allowed to pass and is logged just because I said log attacks, or if it's being blocked?
-- dnoyeB
"Then said I, Wisdom [is] better than strength: nevertheless the poor man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16

smurflurf (join:2007-12-18, Whittier, CA)
When it displays ATTACK in the logs it usually indicates that the ZyWALL picked it up and blocked the attempt... I see these as the firewall doing its job...

dnoyeB (join:2000-10-09, Southfield, MI)
reply to dnoyeB
Not doing its job, because this was supposed to be allowed. I'm hoping it's not blocking this, because if it is I have no way to allow it.
Trying to figure out if this is really what is happening.

dslpartner (join:2005-02-18)
said by dnoyeB: Not doing its job because this was supposed to be allowed. I'm hoping its not blocking this because if it is I have no way to allow it. Trying to figure out if this is really what is happening.
It's doing its job, because it believes it's a port scan. What kind of traffic is it that you are trying to push through it then? Is the port scan the ZyWALL reports a false positive?

dnoyeB (join:2000-10-09, Southfield, MI)
edit: July 17th, @07:43AM
I don't know if it's a false positive or not. What I do know is that all traffic from LAN to WLAN is supposed to be allowed. So I can't see how blocking traffic fits in with doing its job.
The traffic in question is generated by me within my network, so I want this traffic to pass. Whether it can be considered a proper port scan or not I don't know. It's part of UPNP traffic, I believe.
Maybe it is a false positive, because there is no scanning of ports. All the traffic according to the log is targeted at the same port. Rather odd traffic.

11 2008-07-16 17:59:40 ports scan UDP (L to WL) 192.168.0.3:1039 192.168.10.2:8466 ATTACK
12 2008-07-16 17:59:39 ports scan UDP (L to WL) 192.168.0.3:1037 192.168.10.2:8466 ATTACK
13 2008-07-16 17:59:39 ports scan UDP (L to WL) 192.168.0.3:1035 192.168.10.2:8466 ATTACK
14 2008-07-16 15:19:25 ports scan UDP (L to WL) 192.168.0.3:4236 192.168.10.2:8066 ATTACK
15 2008-07-16 15:19:24 ports scan UDP (L to WL) 192.168.0.3:4234 192.168.10.2:8066 ATTACK
16 2008-07-16 15:19:23 ports scan UDP (L to WL) 192.168.0.3:4232 192.168.10.2:8066 ATTACK

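The log excerpt above has a recognisable shape: one internal host talks to one destination port from a run of rotating ephemeral source ports, and the ZyWALL labels every packet a "ports scan". A quick way to check whether such entries are a real sweep or a single service being hit is to parse the lines and count distinct destination ports per source/destination pair. The script below is an added example written for this thread; it is not ZyXEL code and not something posted in the discussion. The first six sample lines copy the shape of the entries quoted above; the remaining lines are constructed (203.0.113.7 is a documentation address) to show what a genuine multi-port sweep looks like, and the three-port cut-off is an assumption chosen for the example, not a ZyWALL threshold setting.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input. The first six lines copy the shape of the ZyWALL
# "ports scan" entries quoted in the thread (LAN to WLAN, one destination port
# per burst, rotating source ports). The last five lines are constructed to
# look like a genuine sweep from an outside host (203.0.113.7 is a
# documentation address, not a real attacker) so both branches are exercised.
SAMPLE_LOG = """\
2008-07-16 17:59:40 ports scan UDP (L to WL) 192.168.0.3:1039 192.168.10.2:8466 ATTACK
2008-07-16 17:59:39 ports scan UDP (L to WL) 192.168.0.3:1037 192.168.10.2:8466 ATTACK
2008-07-16 17:59:39 ports scan UDP (L to WL) 192.168.0.3:1035 192.168.10.2:8466 ATTACK
2008-07-16 15:19:25 ports scan UDP (L to WL) 192.168.0.3:4236 192.168.10.2:8066 ATTACK
2008-07-16 15:19:24 ports scan UDP (L to WL) 192.168.0.3:4234 192.168.10.2:8066 ATTACK
2008-07-16 15:19:23 ports scan UDP (L to WL) 192.168.0.3:4232 192.168.10.2:8066 ATTACK
2008-07-16 20:01:01 ports scan TCP (W to L) 203.0.113.7:40001 192.168.0.10:22 ATTACK
2008-07-16 20:01:01 ports scan TCP (W to L) 203.0.113.7:40002 192.168.0.10:23 ATTACK
2008-07-16 20:01:02 ports scan TCP (W to L) 203.0.113.7:40003 192.168.0.10:80 ATTACK
2008-07-16 20:01:02 ports scan TCP (W to L) 203.0.113.7:40004 192.168.0.10:443 ATTACK
2008-07-16 20:01:03 ports scan TCP (W to L) 203.0.113.7:40005 192.168.0.10:3389 ATTACK
"""

# Field layout of the quoted entries: timestamp, "ports scan", protocol,
# direction in parentheses, src ip:port, dst ip:port, action.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ports scan (?P<proto>\w+) "
    r"\((?P<direction>[^)]+)\) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    proto: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    action: str


def parse_line(line):
    """Parse one ZyWALL 'ports scan' log line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        proto=m["proto"], direction=m["direction"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        action=m["action"],
    )


def triage(lines, min_distinct_dports=3):
    """Group flagged events by (src, dst, direction) and label each group.

    A real port sweep touches many distinct destination ports on the target.
    Traffic that hits one destination port from a series of ephemeral source
    ports (the pattern in the thread) is a single service being used, and is
    the candidate false positive an operator should review before tuning or
    disabling the threshold. The cut-off is an assumption for this example.
    """
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            groups[(ev.src, ev.dst, ev.direction)].append(ev)

    report = {}
    for key, evs in groups.items():
        dports = {e.dport for e in evs}
        sports = {e.sport for e in evs}
        if len(dports) >= min_distinct_dports:
            verdict = "probable port sweep"
        else:
            verdict = "single-service traffic (review as false positive)"
        report[key] = {
            "events": len(evs),
            "distinct_dports": len(dports),
            "distinct_sports": len(sports),
            "protocols": sorted({e.proto for e in evs}),
            "first_seen": min(e.ts for e in evs).isoformat(sep=" "),
            "last_seen": max(e.ts for e in evs).isoformat(sep=" "),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for (src, dst, direction), info in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst} ({direction}): {info['events']} events, "
              f"{info['distinct_dports']} dst ports, "
              f"{info['distinct_sports']} src ports: {info['verdict']}")
```

Run against the quoted entries, the LAN-to-WLAN group shows six events, six distinct source ports and only two distinct destination ports, which is the single-service pattern rather than a sweep; the constructed outside host hits five different ports and is labelled a probable sweep. This kind of count is what you would want in hand before deciding whether to raise the threshold or disable detection for the LAN zone.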
bbarrera (join:2000-10-23, Sacramento, CA)
The Attack detection on Zywall 2/5/35/70 is too sensitive in my opinion, and there are far too many false positives on "LAN to XXX" in my opinion.

dnoyeB (join:2000-10-09, Southfield, MI)
How do I turn it off or adjust it?

dickmead (join:1999-08-22, Pasadena, CA)
On my Zywall 2+, it's in Security/Firewall/Threshold.
You could disable it outright, or play with threshold settings.
I haven't had to.

bbarrera (join:2000-10-23, Sacramento, CA)
reply to dnoyeB
I've always had to disable LAN on Security > Firewall > Threshold.

dnoyeB (join:2000-10-09, Southfield, MI)
reply to dnoyeB
I thought those were only for DOS attacks? Port scan is a DOS attack?

dslpartner (join:2005-02-18)
»en.wikipedia.org/wiki/Denial-of-···e_attack
So yes, if you go by the definition, then a port scan can tie up the resources of the target host, which can lead to it being unable to perform tasks.

bbarrera (join:2000-10-23, Sacramento, CA)
Sure, but we all know a simple nmap port scan doesn't cause a DoS attack. More serious are the false positives in the zw2/5/35/70 family that luckily are not seen in the zw1050/USG300 family. The number of false positives and immediate blocking are why I disable LAN on Security > Firewall > Threshold for zw2/5/35/70 firewalls.

dslpartner (join:2005-02-18)
I am not familiar with what actually triggers a port scan attack false positive, but you can use a port scan to create problems, and if it does, it's considered a DoS.
I agree that the thresholds on the ZyWALLs are too low, but it's a stretch to say the device is not doing its job; albeit not 100% correctly, it's still trying to do the tasks stowed upon it within the parameters that are programmed for it.
The question is, can you change the settings to fit your expected behaviours, or is this hardcoded somewhere? And can we get ZyXEL to help us tune it to our personal likings?
-- "Perl is executable line noise, Python is executable pseudo-code."

bbarrera (join:2000-10-23, Sacramento, CA)
It's an issue of control. I didn't say the firewall isn't doing its job; the issue is "ALL OR NOTHING", as you have no real control.