Just off the top of my head:


What are the packet flags of the incoming packets?  Assuming that all the
incoming packets have the ACK flag set, this could be an attempt to bypass
packet filtering.  Often times sites will block incoming connections to most
ports, unless the ACK flag on the packet is set (supposedly meaning that the
packet is part of an established connection).  So if your rules allowed
packets with the ACK bit set this would allow these packets to get past your
firewall.  The fact that the scans are looking for ports over 1024 probably
means that the scanner has no interest in common services but is looking for
a specific server or set of servers.  The two most common servers that live
above 1023 (read: non-privileged ports) are X and RPC.  A lot of firewall
rules leave ports above 1024 open, because this is basically required for
external connections (clients open ports above 1023 to talk to external
servers).  They might be hoping for a rule that allows all packets over port
1023 and that they may get lucky and find X or an RPC service running.

Your best defense is to make sure that you don't have any servers running on
ports over 1023.  A simple netstat should clear this up.  If you do, and
they aren't there intentionally, shut them down.  If they must run, make
sure they are sufficiently protected.

ahp



-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
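To make the point above concrete, here is an added example (not part of the original post) that models the "ACK set and port above 1023 means established" rule beside a connection-tracking filter, and runs a small constructed packet trace through both. Packet contents, addresses and the `Packet`/`StatefulFilter`/`ack_scan_sources` names are all assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    inbound: bool      # True when the packet arrives from outside the firewall

def stateless_allow(p: Packet) -> bool:
    """The rule the post describes: an inbound packet passes if ACK is set and
    the destination port is above 1023; ACK alone is taken as 'established'."""
    if not p.inbound:
        return True
    return "ACK" in p.flags and p.dport > 1023

class StatefulFilter:
    """Connection tracking: an inbound packet is accepted only if an outbound
    SYN from an inside host opened that exact 4-tuple earlier."""
    def __init__(self):
        self.table = set()
    def allow(self, p: Packet) -> bool:
        if not p.inbound:
            if p.flags == frozenset({"SYN"}):
                self.table.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.table

def ack_scan_sources(packets, threshold=3):
    """Detection: sources sending >= threshold ACK-only packets to high ports
    that match no tracked connection look like the probes described above."""
    tracker = StatefulFilter()
    unsolicited = Counter()
    for p in packets:
        tracked = tracker.allow(p)
        if p.inbound and p.flags == frozenset({"ACK"}) and p.dport > 1023 and not tracked:
            unsolicited[p.src] += 1
    return sorted(src for src, n in unsolicited.items() if n >= threshold)

# Constructed sample traffic: one genuine client connection, then three probes.
SAMPLE = [
    Packet("10.0.0.5", 40000, "198.51.100.7", 80, frozenset({"SYN"}), False),
    Packet("198.51.100.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"}), True),
    Packet("203.0.113.9", 1234, "10.0.0.5", 6000, frozenset({"ACK"}), True),   # X display port
    Packet("203.0.113.9", 1234, "10.0.0.5", 32771, frozenset({"ACK"}), True),  # typical RPC port
    Packet("203.0.113.9", 1234, "10.0.0.5", 6001, frozenset({"ACK"}), True),
]
```

The stateless rule lets all three probes through; the tracker rejects them because no inside host opened those connections, and the detector names the probing source.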