Re: Port scans through NAT router?
- From: Duane Arnold <NotMe@xxxxxxxxx>
- Date: Sat, 28 Jan 2006 14:20:19 GMT
BernieM wrote:
"Duane Arnold" <NotMe@xxxxxxxxx> wrote in message news:PwECf.7931$Hd4.3322@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am going to tell you the conditions where probes came through that NAT router at SQL Server running on my machines. And I am also going to say that it happened a few times that BlackIce at the time that I was using on the machine behind the Linksys BEFW11S4 v1 NAT router that had no SPI let the probes through and BI sounded off.
ohaya wrote:
Hi,
I have Sygate Personal Firewall running on my PC, which is connected to the Internet via a Netgear NAT router (RT314). I am occasionally getting popups saying that Sygate detected a port scan, and when I do a backtrace, I can see that they're coming from various places "outside" my network.
The main reason for this post is that I'm curious, and I don't understand how that can be happening, because in the Netgear router, I don't have any ports mapped to my machine's internal IP address at all, and I definitely don't have the ports that are being reported by Sygate mapped in the router.
So, my question is "How can these port scans, on those ports, which are not mapped in the Netgear router, be getting through to my PC?". I thought that if I didn't map a given port in the Netgear, that the router would have nowhere to route any traffic on any unmapped ports?
Well, does the RT314 (which I went to the Netgear site and the RT314 is not listed as a product so I can even see the specs for it) have SPI (Stateful Packet Inspection)?
http://www.cpx.com/whitepapers/Compex%20SPI%20Firewall.pdf
SPI is also being talked about in the link below too.
http://www.homenethelp.com/web/explain/about-NAT.asp
If the NAT router doesn't have SPI as part of its firmware, then unsolicited packets/probes can come through the NAT router like a hot knife through butter just like they did when I was using a Linksys NAT router that didn't have SPI, which BlackIce I was using behind the NAT router at the time detected the probes coming through the router reaching the machines and stopped them.
SPI itself does not provide the router enough information to do port forwarding. How does it know which internal host to forward these packets to anyhow? I would be looking at the port forwarding rules that are in place.
BernieM
This started happening a couple of years ago when I would leave a machine connected to the Internet to the AT&T NG servers with it on a post where I left the post open which left the NNTP port 119 open on the machine for long periods of time. The machine was left in that state for hours and I had fallen asleep or I got up and left the machine in that state that were using the NT based O/S on the machines with SQL Server running that and the machines didn't go into a lockout mode as I didn't have that set on the machines at that time.
In that condition with port 119 sitting open like that, I could see in the Wallwatcher logs IP(s) that were hammering at the router with a couple of those IP(s) making it past the NAT router where BlackIce sounded off about those IP(s) coming at port 1434, the SQL Server port that was being probed.
I produced BI logs showing this happening to the machines explaining there was no port forwarding going on period and yet BI was sounding off about this as I explained this to a couple of Top Guns in this NG at the time. They too asked about this and I showed them what I had at the time and they said nothing else about it to me.
I also did the same thing with the Watchguard that I went to because of what was happening with the Linksys, left BI on the machines and left them in the state above for hours at a time with the WG. Nothing came through that WG -- nothing and BI never sounded off.
No one in this NG can tell me that it didn't happen on my network - no one.
You can come up with all the excuses you want as to what you think may or may not have happened. But you were not there and you were not the one who was having it happening on your network as the probes came through that NAT router that didn't have SPI.
I don't know what the conditions are for the OP where he indicates that probes are coming through the NAT router. It did happen to my network where it forced me to find a better solution where I didn't need something like BlackIce to supplement it or back it up.
Duane :)