Sonicwall TCP NULL scan

thegarrett · 05-16-2008, 09:26 AM

I am currectly using a Sonicwall TZ180 with the standard OS. Everytime we access the site www.webroster.net we get a Probable TCP NULL scan detected and dissallows access to the site. We have other offices around the country using the same Sonicwalls and these are ok.

If this cant be sorted. Can we re-route the Browsing for this website through one of our VPN's to a different router?

At the moment we are using a public proxy server to get over this problem which is far from ideal!

Any ideas would be much appreciated

lensman3 · 05-22-2008, 08:04 PM

The following is from the nmap manual about TCP NULL scans.
-sR (RPC scan)
This method works in conjunction with the various port scan methods
of Nmap. It takes all the TCP/UDP ports found open and floods them
with SunRPC program NULL commands in an attempt to determine
whether they are RPC ports, and if so, what program and version
number they serve up. Thus you can effectively obtain the same info
as rpcinfo -p even if the target´s portmapper is behind a firewall
(or protected by TCP wrappers). Decoys do not currently work with
RPC scan. This is automatically enabled as part of version scan
(-sV) if you request that. As version detection includes this and
is much more comprehensive, -sR is rarely needed.

Maybe webrouster is trying to setup an RPC connection. Why this is dangerous and then the TZ180 locks you out is confusing. You might try putting something on the router to watch the packets, like tcpdump. It is almost as if something is "snooping" your packets as the packets get routed to webroster.net.

I hope this helps.

**Cellus** · 05-22-2008, 09:39 PM

It could also very well be a false positive. What ports are being probed?

thegarrett · 05-26-2008, 01:41 PM

Various ports ranging from 1087 -1598. This is just really strange its driving me nuts! Like I said ive got other TZ180 in other offices that work fine! I know its not a fix but is there a way of routing web traffic down the VPN and out via our other office?

I will setup tcpdump tomorrow!

Thanks for your time and help!

05-16-2008, 09:26 AM	#1 (permalink)
thegarrett Registered User Join Date: May 2008 Posts: 2 OS: Windows XP SP2	Sonicwall TCP NULL scan I am currectly using a Sonicwall TZ180 with the standard OS. Everytime we access the site www.webroster.net we get a Probable TCP NULL scan detected and dissallows access to the site. We have other offices around the country using the same Sonicwalls and these are ok. If this cant be sorted. Can we re-route the Browsing for this website through one of our VPN's to a different router? At the moment we are using a public proxy server to get over this problem which is far from ideal! Any ideas would be much appreciated

05-22-2008, 08:04 PM	#2 (permalink)
lensman3 Registered User Join Date: Oct 2007 Location: Littleton, Colorado USA Posts: 470 OS: xp 64 sp2 Fedora Core 8 (vmware xp core 8 x32) Minix	Re: Sonicwall TCP NULL scan The following is from the nmap manual about TCP NULL scans. -sR (RPC scan) This method works in conjunction with the various port scan methods of Nmap. It takes all the TCP/UDP ports found open and floods them with SunRPC program NULL commands in an attempt to determine whether they are RPC ports, and if so, what program and version number they serve up. Thus you can effectively obtain the same info as rpcinfo -p even if the target´s portmapper is behind a firewall (or protected by TCP wrappers). Decoys do not currently work with RPC scan. This is automatically enabled as part of version scan (-sV) if you request that. As version detection includes this and is much more comprehensive, -sR is rarely needed. Maybe webrouster is trying to setup an RPC connection. Why this is dangerous and then the TZ180 locks you out is confusing. You might try putting something on the router to watch the packets, like tcpdump. It is almost as if something is "snooping" your packets as the packets get routed to webroster.net. I hope this helps.

05-22-2008, 09:39 PM	#3 (permalink)
Cellus Moderator Networking Team Join Date: Aug 2006 Location: Canada Posts: 2,664 OS: Windows Vista Business SP1, Windows XP Professional SP3 My System	Re: Sonicwall TCP NULL scan It could also very well be a false positive. What ports are being probed? __________________ TSF Networking Team Virus/Trojan/Spyware Removal Help Donate!

05-26-2008, 01:41 PM	#4 (permalink)
thegarrett Registered User Join Date: May 2008 Posts: 2 OS: Windows XP SP2	Re: Sonicwall TCP NULL scan Various ports ranging from 1087 -1598. This is just really strange its driving me nuts! Like I said ive got other TZ180 in other offices that work fine! I know its not a fix but is there a way of routing web traffic down the VPN and out via our other office? I will setup tcpdump tomorrow! Thanks for your time and help!