I have been getting this odd warning for the past few days. I understand that port 3128 is used by squid proxy servers. I notified the ISP of this as soon as I saw it...they have NO IDEA what's going on, nor do they seem willing to try and fix the problem.
Ideas?
Here's the warning:
[00001] 2009-12-17 09:17:58 system-alert-00016: Port Scan Attempt has been detected!, From XX.XX.XX.XX/3128 to YY.YY.YY.YY/1057, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
[00002] 2009-12-17 09:17:56 system-alert-00016: Port Scan Attempt has been detected!, From XX.XX.XX.XX/3128 to YY.YY.YY.YY/2342, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
[00003] 2009-12-17 09:17:09 system-alert-00016: Port Scan Attempt has been detected!, From XX.XX.XX.XX/3128 to YY.YY.YY.YY/1143, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
Note that XX is the proxy server and YY is our IP address. Also note that the proxy server is hitting seemingly random ports on our firewall. This seems to happen with greater frequency at night, but I'll get these alarms pretty much any hour of the day.
I decided to scan our firewall myself using nmap (flags -sS -sU -v). When it gets to scanning UDP, the NetScreen does NOT give me an alarm, but I get a response back from nmap that says (one example of many):
69/udp open|filtered tftp
Now, I'm not sure how vulnerable this firewall is to attack. I've never really done anything majorly advanced with Netscreens, so I'm not even sure if I have anything to worry about here.
I guess what I really want is to make our firewall as invisible to the Internet as possible. I don't know if "open|filtered" means it's dropping packets, but I doubt it.
For whatever it's worth, the Juniper Netscreen is model NS5XT. Software version is 4.0.1r10.0. I'd try to get support directly from Juniper, but apparently you have to have a "support plan" with them. $$$
Thanks for any help you can give!
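Before escalating alerts like the ones quoted in this post, it helps to look at the shape of the traffic per source rather than at each alert on its own. The script below is an added example, not code from the poster or from Juniper: it parses the system-alert-00016 lines in the post (with the XX/YY placeholders replaced by RFC 5737 documentation addresses, an assumption for illustration), adds a few constructed lines showing a second, contrasting source, and groups them by source address. The labels it produces are heuristics: one fixed source port (here 3128, a service port) talking to several high-numbered, seemingly random destination ports is the shape of a server replying to client ephemeral ports, which a stateful firewall logs as unsolicited when the reply lands after the session entry has gone; changing source ports aimed at well-known ports is the shape of an actual service sweep. The function names and thresholds are the example's own.

```python
"""Triage NetScreen 'Port Scan Attempt' alerts by traffic shape (added example)."""
import re
from collections import defaultdict

# Entries 00001-00003 are the three alerts quoted in the post with the
# XX/YY placeholders replaced by documentation addresses (assumption).
# Entries 00004-00008 are CONSTRUCTED for contrast: a source hitting
# well-known service ports from changing source ports, in the same format.
SAMPLE_LOG = """\
[00001] 2009-12-17 09:17:58 system-alert-00016: Port Scan Attempt has been detected!, From 203.0.113.10/3128 to 198.51.100.5/1057, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
[00002] 2009-12-17 09:17:56 system-alert-00016: Port Scan Attempt has been detected!, From 203.0.113.10/3128 to 198.51.100.5/2342, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
[00003] 2009-12-17 09:17:09 system-alert-00016: Port Scan Attempt has been detected!, From 203.0.113.10/3128 to 198.51.100.5/1143, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
[00004] 2009-12-17 09:20:01 system-alert-00016: Port Scan Attempt has been detected!, From 192.0.2.77/41022 to 198.51.100.5/21, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
[00005] 2009-12-17 09:20:01 system-alert-00016: Port Scan Attempt has been detected!, From 192.0.2.77/41023 to 198.51.100.5/22, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
[00006] 2009-12-17 09:20:01 system-alert-00016: Port Scan Attempt has been detected!, From 192.0.2.77/41024 to 198.51.100.5/23, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
[00007] 2009-12-17 09:20:02 system-alert-00016: Port Scan Attempt has been detected!, From 192.0.2.77/41025 to 198.51.100.5/25, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
[00008] 2009-12-17 09:20:02 system-alert-00016: Port Scan Attempt has been detected!, From 192.0.2.77/41026 to 198.51.100.5/80, using protocol TCP (on zone Untrust,interface untrust) occurred 1 times
"""

# Field layout taken from the alert lines quoted in the post.
ALERT_RE = re.compile(
    r"^\[(?P<seq>\d+)\] (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<alert_id>system-alert-\d+): (?P<text>.*?), "
    r"From (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+), "
    r"using protocol (?P<proto>\w+)"
)

EPHEMERAL_MIN = 1024  # ports below this are treated as well-known service ports


def parse_alerts(text):
    """Return one dict per alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Group alerts by source address: hit count, distinct source and destination ports."""
    per_src = defaultdict(lambda: {"count": 0, "src_ports": set(), "dst_ports": set()})
    for a in alerts:
        entry = per_src[a["src"]]
        entry["count"] += 1
        entry["src_ports"].add(a["sport"])
        entry["dst_ports"].add(a["dport"])
    return dict(per_src)


def classify(entry):
    """Heuristic label for one source's traffic shape (example's own thresholds)."""
    src_ports, dst_ports = entry["src_ports"], entry["dst_ports"]
    all_high = all(p >= EPHEMERAL_MIN for p in dst_ports)
    # One fixed source port -> many ephemeral destination ports: looks like
    # replies from a single service arriving after the firewall's session
    # for the original client connection expired, not a sweep of services.
    if len(src_ports) == 1 and all_high and len(dst_ports) >= 2:
        return "replies-from-one-service-port"
    # Several well-known destination ports probed: treat as reconnaissance.
    if len(dst_ports) >= 3 and any(p < EPHEMERAL_MIN for p in dst_ports):
        return "sweep-of-well-known-ports"
    return "inconclusive"


def triage(text):
    """Map each source address to (label, alert count)."""
    return {src: (classify(e), e["count"]) for src, e in summarize(parse_alerts(text)).items()}


if __name__ == "__main__":
    for src, (label, count) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:15} {count:3d} alerts  {label}")
```

When a source lands in the first bucket, the check worth doing before anything else is whether any host behind the firewall actually uses that address as a proxy (browser or system proxy settings pointing at it on port 3128), since that would explain replies from 3128 to ephemeral ports on this side. A separate caveat on the nmap result in the post: nmap reports a UDP port as open|filtered when it receives no reply at all, which is exactly what a firewall that silently drops the probe produces, so that line by itself does not show that anything is listening.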