Portscanned By Tv

[howto]

This morning my firewall logs showed the following:

[28/Apr/2010 06:46:56]

PORTSCAN firewall="ns1"

hostip="202.170.126.89" hostname="hope.thaivisa.com"

log="protocol: TCP, source: 202.170.126.89, destination: 124.121.190.15,

ports: 1305, 39478, 57974, 29563, 33170, 23979, 5297, 29618, 13239, 50906, ...

Please look into this.

[george]

I have forwarded this to our sysadmin.

[george]

Looks like DNS traffic. Are you using a third party DNS provider?

[howto]

George, I understand your inference...

I do not have a DMZ, or any external servers.

No sir, I do not use a 3'rd party DNS provider.

No sir, it is not DNS traffic.

I confirmed there is a 202.170.126.89, "hope.thaivisa.com".

What is the purpose of this server?

DNS servers do NOT do portscans.

They resolve queries from clients and answer the question posed.

As you know, to portscan is a very big NO NO in the IT world.

It is considered an attack upon the client.

My Firewall.is a dedicated PC,

Heavly modded OS, runs only the firewall software. It is very "locked down".

It connects to the WAN via a USB ADSL modem.

The firewall has a DNS service, it only accepts queries from a "designated segment" of the internal LAN,

It will not reply to queries "outside" the internal LAN.

As the request moves form my computer to the firewall, it will be Natted,

the entry placed into the NAT table and included in the TCP header then sent on it's way.

When the reply comes, the tcp header is decoded, approved if matches the NAT table, and fowarded.

It caches positive replies only, not negative replies, as I modified it.

If my firewall receives a tcp or udp packet with no match in the NAT table it will refuse to accept it,

if multiple requests are recieved to open different ports, it is flagged as a portscan.

The senders IP address is in the header, my firewall will resolve it with a RDNS lookup,

if successful, it is include in the log entry., if fails only the IP address will be in the log entry.

The 1'st portscan occured on [28/Apr/2010 06:46:56] .

It was the only one, until this morning [02/May/2010 08:08:27]

when I've been hit with 12 scans within 90 minutes.

Note my firewall is set to do "minimal" logging.

Note in every portscan, "hope.thaivisa.com" is hitting different and random ports.

[02/May/2010 08:08:27] PORTSCAN firewall="ns1"

hostip="202.170.126.89" hostname="hope.thaivisa.com"

log="protocol: TCP, source: 202.170.126.89, destination: 124.121.185.75,

ports: 7430, 22806, 46954, 35695, 64625, 13961, 30371, 18878, 6335, 22773, ...

[02/May/2010 08:12:51] PORTSCAN firewall="ns1"

ports: 33313, 42293, 61035, 14446, 43384, 62374, 53931, 33244, 56802, 17399, ...

[02/May/2010 08:15:14] PORTSCAN firewall="ns1"

ports: 65024, 13345, 3198, 57997, 38545, 12445, 42434, 49868, 65489, 10732, ...

[02/May/2010 08:24:41] PORTSCAN firewall="ns1"

ports: 58898, 41753, 44835, 57929, 56922, 2158, 22902, 53110, 21665, 20673, ...

[02/May/2010 08:28:12] PORTSCAN firewall="ns1"

ports: 1543, 48685, 62007, 29498, 56145, 14947, 2675, 3043, 5362, 62706, ...

[02/May/2010 08:37:32] PORTSCAN firewall="ns1"

ports: 18453, 55088, 1853, 35903, 7298, 65154, 2692, 8326, 53213, 63709, ...

[02/May/2010 08:46:28] PORTSCAN firewall="ns1"

ports: 23855, 22583, 53099, 48512, 5018, 2462, 17581, 14523, 5338, 56814, ...

[02/May/2010 08:49:35] PORTSCAN firewall="ns1"

ports: 33294, 52784, 61545, 46469, 37540, 43972, 34758, 6126, 54779, 33278, ...

[02/May/2010 08:58:07] PORTSCAN firewall="ns1"

ports: 43276, 31254, 52533, 8822, 1161, 2497, 24273, 57829, 28921, 60926, ...

[02/May/2010 09:27:05] PORTSCAN firewall="ns1"

ports: 43283, 55837, 18463, 26939, 2655, 44136, 59267, 12936, 14762, 31426, ...

[02/May/2010 09:36:39] PORTSCAN firewall="ns1"

ports: 55829, 37145, 28241, 52058, 63651, 40100, 53924, 13494, 8127, 15563, ...

[02/May/2010 09:45:56] PORTSCAN firewall="ns1"

ports: 45844, 10044, 55124, 64092, 20069, 61563, 62615, 18600, 44261, 37876, ...

There are two possibilities...

1 - "hope.thaivisa.com" did portscan my system and continues to do so.

2 - "hope.thaivisa.com" is being spoofed.

In either case it causes concern for both you and I.

Perhaps this should be posted in Internet/Tech forum,

and ask some of the other geeks to please monitor their firewall logs.

Perhaps a larger problem is present.

[howto]

Thought it was finished, was wrong...

[02/May/2010 11:38:41] PORTSCAN firewall="ns1"

hostip="202.170.126.89" hostname="202.170.126.89"

log="protocol: TCP, source: 202.170.126.89, destination: 124.121.185.75,

ports: 53774, 49441, 19750, 6217, 4437, 62368, 15278, 41158, 29919, 39399, ...

[02/May/2010 11:40:56] PORTSCAN firewall="ns1"

ports: 7703, 6186, 56650, 20317, 36984, 17806, 48810, 7598, 47815, 56573, ...

[02/May/2010 11:46:15] PORTSCAN firewall="ns1

ports: 11033, 58415, 53094, 24170, 63083, 44196, 36784, 32979, 1755, 63479, ...

[02/May/2010 11:52:13] PORTSCAN firewall="ns1"

ports: 43277, 25877, 53285, 6000, 59270, 34718, 18594, 10705, 20202, 26354, ...

[02/May/2010 12:32:36] PORTSCAN firewall="ns1"

ports: 48424, 31316, 11356, 35421, 6526, 39568, 35237, 35272, 13297, 6901, ...

[02/May/2010 13:11:29] PORTSCAN firewall="ns1"

ports: 40717, 3876, 42028, 49233, 63614, 39039, 23433, 46528, 15813, 7416, ...

At this point I have totally banned

hostip="202.170.126.89" hostname="hope.thaivisa.com"

Enough is enough.

[angiud]

If TV should do something not perfectly legal, why with Thaivisa name???

[george]

202.170.126.89 is our content delivery server in Bangkok. It communicates with you because you are browsing the forum. Look at the html source for the page we are at now.

[howto]

202.170.126.89 is our content delivery server in Bangkok.

It communicates with you because you are browsing the forum.

Look at the html source for the page we are at now.

Ok, 202.170.126.89 is a content delivery server in Bangkok.

I did examine the html of the page(s). Found nothing to 202.170.126.89.

So why am I being portscanned by a content delivery server in Bangkok.

Yes, I am making requests (as a guest), seems to static.thaivisa.com.

Actually I see static.thaivisa.com, which is "hanging" on it's http reply's.

I get the content, but the page only completes 50%.

I stated no server should be doing portscans.

This began happening very recently.

And when it did, I brought it to your attention.

The first occurrence was a few days ago, and it was only one "hit".

Not today, it continues to occur,

the hits have tripled since my previous post.

Umm, George, lets get down to the grass roots.

If I start the FW, then my station, then go to www.thaivisa. com/forum...

why am I being portscanned by a "content server"?

Well I can offer a suggestion,

perhaps I am being redirected, and the TCP header upon the reply...

does not match my NAT table entry.

Still, even if it does not, the instance would only happen once...

not over, and over, and over.

So seems the tcp header coming from the server I asked for it from,

does not match the FW nat table of the original request.

Hence flagged and deleted.

This concept still does not explain the numerous portscans.

The portscans come at intervals which do NOT coincide with my browsing.

I checked that also.

[george]

We use load balance. Nobody is port scanning your computer. Fix your firewall, my friend!