Strange Port Scan

Quote:

---

Originally posted here by AngelicKnight
Ports scanned are: 1183, 1184, 1185, 1186, 1187, 1105, 1104, 1106, 1107 and 1108.

---

These look alot like source ports to me. Imagine the following scenario:

You have say 10 users that go to an SSL site. This SSL site has a server certificate signed by verisign. Every user verifies this certificate. If this happens fast enough and if your portscan threshold is too low the firewall will think it's a portscan.

Quote:

---

During that same time frame, I'm receiving fraudulent Microsoft Certificates from the same IP that are being blocked by the firewall.

---

Why do you think they're fraudulent and why is your firewall blocking certificates?
If we build on the scenario above could it be one of those PC's tries to verify a verisign signed certificate. The response gets blocked by your firewall. Client tries this a couple of times (hence the ascending portnumbers). Firewall thinks it's a portscan.

I don't know how they are determined as fraudulent, they are just described as such by the SonicWALL log. Thanks SirDice.

http://www.dslreports.com/faq/7998Q: Why is my computer trying to contact crl.verisign.net? (#7998)
A: "CRL" is a "Certificate Revocation List", and it's a list of SSL web security certificates that should no longer be trusted. These could have expired, been stolen, or otherwise removed from service, and it's part of a security infrastructure supported by Verisign. Your system is merely trying to get the latest list of revoked certificates so it won't accept them as "valid" any longer. The activity is innocuous and won't hurt anything. You trust Verisign for a lot more than this every day.

It is dumb, however, that visiting crl.verisign.net brings up a list of files whose purpose is not obvious: it raises many more questions than it answers. Many of us believe they ought to put up an "index.html" page that describes why the server there.

Sure its just not your network trying to do this?The possible ip spoof bit seems interesting hmm...

It could be, but I have no idea how to find out. Also, the link for the FAQ came up as invalid. Thanks.

Quote:

---

Originally posted here by therenegade
It is dumb, however, that visiting crl.verisign.net brings up a list of files whose purpose is not obvious: it raises many more questions than it answers. Many of us believe they ought to put up an "index.html" page that describes why the server there.

---

It's supposed to do that. A CRL is usually checked by a program not a person. Then a list is alot simpler to process.

Verisign says that it's just us trying to check on our invalid certificates with their CRL list (or something like that anyway), so the port scans are normal.