I recently posted this in another newsgroup and thought y'all would find it interesting as well:
I'm tired of hearing that the most logged firewall events are: "normal", "background noise", "random probes", "people typing in wrong IP addresses",
etc...
These are all vague assertions to explain away something that is admittedly difficult to analyze and explain. When you hear words like "random" and "noise", those are really synonyms for "I don't know!".
Well, I DO know, as I've spent the last 18 months processing and analyzing 100,000 firewall events/day. (I'm the operator of myNetWatchman.com). So if you really want to understand this stuff, read on...
Here are some REAL causes for false positives, including links to examples of real incidents captured by mNW:
Some of the sources of false positives are:
a) Slow server responses
Most firewalls block (and log) any inbound traffic for which there wasn't an associated and RECENT outbound request. This means that if you make a request, but the server responds too slowly (e.g. > 1 or 2 seconds), your firewall will consider that response as unsolicited and log it as a probe.
The destination port of all server responses will be in the range of 1025-65535. If you see your firewall log "probes" against these ports AND the source is a server you are communicating with, they are probably just slow server responses.
To complicate matters, your attempt to surf to ONE web site can actually result in communication with dozens of different hosts--often hosts that would appear to be unaffiliated with the site in question. However, consider cnn.com...some of their content is distributed onto Akamai caching servers....so probes coming from XXXX.akamai.net while surfing to cnn.com are probably just due to a slow cache server.
Example: www.mynetwatchman.com/LI ··· =2518142 (note: this is a case of an Akamai server providing Real audio content)
If you see UDP probes in these port ranges AND the source is your DNS server...then these are probably slow DNS responses.
b) Proximity probes
Larger web sites maintain mirrored content on many distributed web servers, often in multiple countries. When you first do a DNS lookup of a web site (e.g. www.windowsupdate.com ) the site's load-balancing servers will send "proximity probes" from every location to your IP address. PCs that don't have a firewall will send back a reject packet (ICMP port unreachable) in response to these probes...info in these packets allows the load balancers to determine which one is "closest" to the user, allowing it to provide the user the IP address of the nearest web server.
Users running firewalls will log these proximity packets as probes (often on tcp/53) because they come from IP addresses that they did not make any outbound request to. There is even one content hosting company that provides this capability as part of its hosting services (mirror-image.com)...when you surf to ANY website hosted by this company, you will be immediately "probed" by over 10 load-balancing servers in 6 countries!
Example: www.mynetwatchman.com/LI ··· D=305387 (Note: This incident is generated by the 3DNS product sold by F5 Networks.)
c) Open proxy tests
If you are an IRC user you will likely be probed on several ports every time you attempt to connect to an IRC server. This is to prevent anonymous IRC access through other users' PCs that are unknowingly configured to allow proxying.
Example: www.mynetwatchman.com/LI ··· =2466138
d) Stale IP caches
If you have a dynamic IP address, you will often find that you receive a lot of unsolicited probes when you first obtain a new IP address. This is often because the previous user of that IP address was running some application which has cached their IP address somewhere and isn't aware that the owner of that IP has changed.
Often the involved applications are Internet game servers, peer-to-peer file/music software (e.g. Gnutella, Napster, Kazaa, audiogalaxy, etc..).
Some of these applications are poorly written to handle this situation and will incessantly pound an IP address thousands of times for many hours. As much as this may seem like a targeted attack, it is really just a function of poorly written code that gives no consideration to how many firewall false positives it generates.
Example: www.mynetwatchman.com/LI ··· =2529363
e) Search-engine bots
Similarly, people often post web content with URLs that contain dynamic IP addresses (e.g. 123.123.123.123/blah/blah ). Days, weeks, or months later web search bots may encounter this reference and then attempt to index that site. If you are the unfortunate person to have IP address 123.123.123.123 you now get a few dozen probes from abc.googlebot.com.
Example: www.mynetwatchman.com/LI ··· =2482968
f) Netbios name lookup from IIS servers
If an IIS server also has Netbios over TCP/IP enabled, the server will often send Netbios name lookups directly at the users that surf to that site. This is due to IIS's attempt to associate a host name with every IP address that accesses it.
Although this is technically not hostile, it's probably not advisable for webmasters to enable Netbios on their Internet-facing network adapter...nevertheless, this is a common scenario.
Example: www.mynetwatchman.com/LI ··· =2470765