A question...


Amy_Amp

 

Posted

Arcana is correct in the assessment here, though I'd disagree on why. More than likely this was the web site behaving in a perfectly normal fashion since browsers by rule open multiple connections to web servers (untweaked browser settings are usually 8 concurrent, but this is often changed http://goo.gl/KpNky). I'd ask what OS, browser, and firewall you are using before going forward, but Arcana is 100% correct in that there is no chance that an actual port scanner would come from 443 (which the HTTPS server is bound to) and scan ports above 1024 (these are the privileged ports in the TCP/IP world) in sets of 4 or so. If anyone wants a more in-depth look at how this works, download Wireshark (it's free/OSS) http://www.wireshark.org/ and take a look at some of the videos here: http://www.securitytube.net/video/12

Quote:
Originally Posted by Arcanaville View Post
99.999% this is a false positive. It happens all the time. The log says that the host in question is port scanning your system *from* port 443 (the SSL port) *to* a *small* number of consecutive high ports on your system around 16288.

More likely your own computer was making connections *to* NCsoft from those source ports to port 443 (basically, an HTTPS connection) and for some reason NCSoft's website didn't process those connections correctly or quickly enough. After your workstation closed those ports and opened new ones, at some point NCSoft's web server responded to your computer on those ports not realizing your computer had already closed them. Your firewall saw your computer close those ports so it no longer tracked connections on them. Then it saw packets coming from the web server heading for those ports, those packets were not, as far as it knew, part of existing connections, and it saw a bunch of them heading to a range of consecutive ports in a short time window. So it triggered its port scan IDS signature.

However, the odds of NCSoft sending a port scan *from* port 443 is fairly low, and more significantly no one who port scans would only scan a few ports in the 16000's - that's a worthless scan: nothing runs there generally.

You see this most often when the target server (in this case the web server) is highly loaded or overloaded, or the network connections between client and server are lossy and dropping or misrouting packets, also due to network congestion. You will see, as you mention, bursts of activity like this and it will often trip port scan signatures in many firewalls.


Thorizdin

Lords of the Dead
Old School Legends

 

Posted

Some fun reading:

http://en.wikipedia.org/wiki/Network...rt_translation

In other words: your computer sends HTTPS traffic out on port 443, but when it leaves your router, it's translated to an entirely different port via NAT, usually a random port number, to maintain your anonymity.


 

Posted

Quote:
Originally Posted by Draeth Darkstar View Post
I'm developing an idea...
An AE arc featuring Arcanaville as the world's first silicon-based life form (which is so brilliant it invented itself. Maybe in The Future.) who secretly pulls all the strings behind Paragon City, the Rogue Isles, Praetoria, the Rikti, the Battalion, and everything else...
There's only one problem with that, Draeth.

That has already happened.

The life form's name is Black Pebble.


My guides:Dark Melee/Dark Armor/Soul Mastery, Illusion Control/Kinetics/Primal Forces Mastery, Electric Armor
"Dark Armor is a complete waste as a tanking set."

 

Posted

Quote:
Originally Posted by Nalrok_AthZim View Post
There's only one problem with that, Draeth.

That has already happened.

The life form's name is Black Pebble.
This had me close to smiling, not because of the joke itself, but because I'm convinced that a lot of players really believe this.


"Bombarding the CoH/V fora with verbosity since January, 2006"

Djinniman, level 50 inv/fire tanker, on Victory
-and 40 others on various servers

A CoH Comic: Kid Eros in "One Light"

 

Posted

Quote:
Originally Posted by Thorizdin_LotD View Post
Arcana is correct in the assessment here, though I'd disagree on why. More than likely this was the web site behaving in a perfectly normal fashion since browsers by rule open multiple connections to web servers (untweaked browser settings are usually 8 concurrent, but this is often changed http://goo.gl/KpNky).
The problem is essentially everyone's port scan signatures censor out replies to valid connections, or they would be going off constantly. The replies have to be to connections that were closed, after they were closed. That can only happen if something has gone awry in some way, but the thing that went awry happens commonly on the internet in general.


[Guide to Defense] [Scrapper Secondaries Comparison] [Archetype Popularity Analysis]

In one little corner of the universe, there's nothing more irritating than a misfile...
(Please support the best webcomic about a cosmic universal realignment by impaired angelic interference resulting in identity crisis angst. Or I release the pigmy water thieves.)
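The mechanism Arcanaville describes (a stateful firewall only counts inbound packets that match no tracked connection, so late HTTPS replies to ports the client already closed look like a "scan from port 443" across a few consecutive high ports) is easy to see in a toy model. The following is an added example, not code from the thread or from any firewall product. The packet trace is constructed, the addresses are RFC 5737 documentation addresses, the ephemeral ports 16288-16291 are chosen to match the log the original poster described, and the firewall is deliberately simplified: it forgets a flow the moment the client sends FIN or RST, with no TIME_WAIT grace period (real products differ in how long they keep closed flows).

```python
"""Toy model of a stateful firewall's port-scan heuristic (added example).

Shows why delayed server replies to already-closed client connections trip a
"port scan from <server>:443" alert, while replies to live connections never do.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "t src_ip sport dst_ip dport flags")

CLIENT = "192.0.2.10"      # workstation behind the firewall (RFC 5737 address, constructed)
SERVER = "198.51.100.20"   # HTTPS server (RFC 5737 address, constructed)
EPHEMERAL_PORTS = [16288, 16289, 16290, 16291]   # consecutive client source ports


def build_trace(late_replies=True):
    """Constructed trace, not a real capture: the browser opens four parallel
    HTTPS connections from consecutive ephemeral ports, the server completes the
    handshake, the client gives up and closes all four; then, if late_replies,
    the overloaded server's delayed data segments arrive 1.5 s after the close."""
    trace, t = [], 0.0
    for p in EPHEMERAL_PORTS:
        trace.append(Packet(t, CLIENT, p, SERVER, 443, "S"));  t += 0.001   # SYN out
        trace.append(Packet(t, SERVER, 443, CLIENT, p, "SA")); t += 0.001   # SYN/ACK back
        trace.append(Packet(t, CLIENT, p, SERVER, 443, "A"));  t += 0.001   # ACK + request
    for p in EPHEMERAL_PORTS:
        trace.append(Packet(t, CLIENT, p, SERVER, 443, "FA")); t += 0.001   # client closes
    if late_replies:
        t += 1.5                                                            # server finally answers
        for p in EPHEMERAL_PORTS:
            trace.append(Packet(t, SERVER, 443, CLIENT, p, "PA")); t += 0.01
    return trace


class StatefulFirewall:
    """Inbound packets are allowed only if they match a flow the client opened.
    Unsolicited inbound packets feed a port-scan heuristic: N distinct destination
    ports from one (src_ip, src_port) inside the window raises an alert.
    Simplification: a flow is forgotten as soon as the client sends FIN/RST."""

    def __init__(self, scan_threshold=3, scan_window=1.0):
        self.flows = set()        # (client_port, server_ip, server_port)
        self.unsolicited = []     # (t, src_ip, src_port, dst_port) not matching any flow
        self.alerts = {}          # (src_ip, src_port) -> sorted ports "probed"
        self.scan_threshold = scan_threshold
        self.scan_window = scan_window

    def process(self, pkt):
        if pkt.src_ip == CLIENT:                         # outbound: maintain flow table
            key = (pkt.sport, pkt.dst_ip, pkt.dport)
            if "S" in pkt.flags:
                self.flows.add(key)
            elif "F" in pkt.flags or "R" in pkt.flags:
                self.flows.discard(key)
            return "allow"
        key = (pkt.dport, pkt.src_ip, pkt.sport)         # inbound: look up the reverse tuple
        if key in self.flows:
            return "allow"                               # reply to a live flow: never counted
        self.unsolicited.append((pkt.t, pkt.src_ip, pkt.sport, pkt.dport))
        self._check_scan(pkt)
        return "drop"

    def _check_scan(self, pkt):
        src = (pkt.src_ip, pkt.sport)
        recent = sorted({dport for (t, ip, sp, dport) in self.unsolicited
                         if (ip, sp) == src and pkt.t - t <= self.scan_window})
        if len(recent) >= self.scan_threshold:
            self.alerts[src] = recent                    # what the log would report as a scan


def run_trace(late_replies=True):
    """Run the constructed trace through the firewall; return (decisions, alerts)."""
    fw = StatefulFirewall()
    decisions = [fw.process(p) for p in build_trace(late_replies)]
    return decisions, fw.alerts


if __name__ == "__main__":
    for late in (False, True):
        decisions, alerts = run_trace(late)
        print(f"late replies={late}: dropped={decisions.count('drop')} alerts={alerts}")
```

With `late_replies=False` every inbound packet matches a tracked flow and nothing is logged; with the delayed replies, the four segments from 198.51.100.20:443 to 16288-16291 all miss the flow table and the heuristic reports them as a scan from port 443 to four consecutive high ports, exactly the pattern in the original log. Whether a real firewall fires depends on how long it keeps closed flows and on its threshold and window, which is why the same traffic is a false positive on some products and silent on others.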