Re: SonicWall Scanning Problems

From: Paul Melson (pmelson@gmail.com)
Date: Sun Oct 14 2007 - 09:21:19 EDT


On 13 Oct 2007 17:06:35 -0000, dcampbell@accessdc.com
<dcampbell@accessdc.com> wrote:
> After port scanning for fifteen to thirty minutes, the SonicWall begins to send RSTs back
> for every address/port combination we've scanned. It seems to send them back in the
> order we sent them. We're watching all this with Wireshark in real time.
...
> We're using nmap at -T3 (default) speed. If we use -T4 it fails sooner. Connect scans
> also have this problem, although the RST storm clears much quicker. If we have to run at
> -T2 speeds, the scans could literally take weeks to run.

If this is the case, then it's pretty clear that the admin hasn't
successfully disabled synflood protection. That feature may require a
power cycle of the device, not just applying the change.

> Has anyone done assessments of large networks based on SonicWall gear?
> Did you encounter this problem?
> If so, what did you do to correct or work around it?

Yes, and sort of. I wasn't using Nmap, but had to switch to full TCP
connect scans and take tcp/1723 (PPTP) out of the scan list. There
was some real weirdness early on with the number of RSTs being sent.
I've seen Snort flex_resp and older RealSecure appliances work this
way also, but the SonicWall device sent 10-20 times the necessary
number of RST packets. You may also find this document helpful if you
haven't already seen it:

http://www.sonicwall.com/downloads/SonicOS_TCP_RST.pdf

In a case like this, don't be afraid to go back to the client contact
and explain the situation. Stuff happens. They'll get a warm fuzzy
from knowing that their firewall breaks port scans, anyway. Offer
them the option of low & slow scanning and extending the testing time
frame by several weeks, or they can just hand over the documentation
about what ports are open on what addresses and you'll note the issue
in the deliverable. Seems reasonable to me.

PaulM
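
Added example (not part of the original post): a way to find, in a packet record of an authorized scan, the point where the RST behaviour described in this thread begins and which address/port results should be re-verified. The tuple format, the thresholds and the sample capture are assumptions constructed for illustration.

```python
from collections import Counter

def analyze_rsts(packets, scanner, window=60.0, storm_ratio=3.0, min_rsts=10):
    """Return (storm onset time or None, flows with excess RSTs).

    packets: (ts, src, dst, sport, dport, flags) tuples, flags such as "S", "SA", "RA".
    """
    syn_bucket, rst_bucket = Counter(), Counter()
    syn_flow, rst_flow = Counter(), Counter()
    for ts, src, dst, sport, dport, flags in packets:
        bucket = int(ts // window)
        if src == scanner and flags == "S":
            syn_bucket[bucket] += 1
            syn_flow[(dst, dport)] += 1
        elif dst == scanner and "R" in flags:
            rst_bucket[bucket] += 1
            rst_flow[(src, sport)] += 1
    # A closed port answers each SYN with one RST, so RSTs far above the
    # number of SYNs sent in the same window are not ordinary replies.
    onset = None
    for bucket in sorted(rst_bucket):
        if rst_bucket[bucket] >= min_rsts and rst_bucket[bucket] > storm_ratio * syn_bucket[bucket]:
            onset = bucket * window
            break
    # Flows that received several RSTs per probe; their scan state is unreliable.
    suspect = sorted(f for f, n in rst_flow.items() if n > storm_ratio * max(syn_flow[f], 1))
    return onset, suspect

def constructed_capture(scanner="192.0.2.10", target="198.51.100.5"):
    """Constructed sample: 10 normal probes, then 12 extra RSTs for 8 of them."""
    pkts = []
    for i, port in enumerate(range(20, 30)):
        t = i * 5.0
        pkts.append((t, scanner, target, 40000 + i, port, "S"))
        pkts.append((t + 0.01, target, scanner, port, 40000 + i, "SA" if port == 22 else "RA"))
    for i, port in enumerate(range(20, 28)):
        for n in range(12):
            pkts.append((120.0 + 0.01 * n, target, scanner, port, 40000 + i, "RA"))
    return pkts

if __name__ == "__main__":
    onset, suspect = analyze_rsts(constructed_capture(), "192.0.2.10")
    print("storm onset (s):", onset)
    for host, port in suspect:
        print("re-verify", host, port)
```

In the constructed capture, port 22 answered SYN/ACK during the normal phase and still lands in the re-verify list, which is why results recorded after the onset time should not be reported as closed without a second check.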




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:09 EDT