What's written into the site pages?

8bitbytes

I cannot access SatGuys at all with SPI turned on in my router firewall and here is what comes back to me from the firewall email alert:

Dear User
Your router has detected and protected you against an attempt to gain access to your network. This may have been an attempted hacker intrusion, or perhaps just your Internet Service Provider doing routine network maintenance.
Most of these network probes are nothing to be worried about - these types of random probes should NOT be reported, but you may want to report repeated intrusions attempts. Save this email for comparison with future alert messages.

Your router Alert Information

Time: 01/29/2008, 21:19:24
Message: TCP FIN Scan
Source: 65.99.220.89, 80
Destination:71.114.98.177, 2775 (from WAN Inbound)

Time: 01/29/2008, 21:19:39
Message: TCP FIN Scan
Source: 192.168.4.100, 2750
Destination:65.99.220.85, 80 (from WAN Outbound)
 
It may have to do with the advertising pulling data from their own servers. Does this happen when logged in or out? If logged in, the advertising is at a minimum for the Pub members.
 
I would love to see a full trace, as well as an explanation of what the router (btw which one?) vendor says causes a FIN scan. We run FreeBSD as our OS, and this should not cause this.
 

Attachments: spi_screen_top.png, spi_screen_bottom.png
I'm logged in. I'm sure there is some discrepancy between how my SPI/anti-DOS is set up and how the server is responding to requests.
I'm sure I just need to change some default values in order to give the server the time to do its thing.
 
Are those the default settings? Also, do you have the latest firmware on the router?

(I don't know why we'd be tripping the FIN scan.....)
 
Those are the default settings and I have the latest firmware loaded.

Yeah, it is very strange. No other site does it either so it's not like the settings are too rigid.
 
I remember dealing with something like this with a 3com product a couple years ago. Their SPI is sensitive to the number of connections being created and used. Also, 3com supposedly fixed how their units stacked/stored/unstacked the connections and how the SPI handled 'em, but regardless of what they did in the firmware, there were always some sites that tripped it up.

There was no magic setting to change either, it was hit or miss and very annoying. In older versions there was a hidden page for SPI settings, but I cannot remember how to get into it.
 
I believe it's a false alarm.

First, we are on FreeBSD, not a Linux box, so it can't (from what I have been reading) do FIN scans.
Secondly, hundreds of thousands of folks access this site each month, and no one else is seeing this issue (and we do have some very tech-savvy folks out there). If this was an issue we would be receiving a lot of complaints about it.

But to be on the safe side I am doing a full security check of our server; it's always good to be safe. :D
 
Sorry to make you spend time on my behalf Scott. I'll see what I can find as far as adjusting the SPI on my router. Obviously, the problem doesn't bother me here at work.

Figures a good deal at NewEgg would make extra work for everyone!
 
UPDATE:

I changed the TCP FIN WAIT from 5 seconds, the default setting, to 30 seconds and everything is fine.

Thanks guys!
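
A simplified model of the behaviour this thread ran into, added here as an example and not taken from the router's firmware or from any poster. It assumes the SPI engine forgets a connection `fin_wait` seconds after the first FIN and reports any later FIN for that flow as a scan; the addresses, timings and the `inspect` function are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample data: documentation-range addresses, invented timings.
Packet = namedtuple("Packet", "t src dst flags")  # t in seconds, flags like "S", "FA"
CLIENT, SERVER = "192.0.2.10:2750", "198.51.100.5:80"
TRACE = [
    Packet(0.00, CLIENT, SERVER, "S"),
    Packet(0.05, SERVER, CLIENT, "SA"),
    Packet(0.10, CLIENT, SERVER, "A"),
    Packet(1.00, CLIENT, SERVER, "FA"),   # first FIN starts the FIN-wait timer
    Packet(1.05, SERVER, CLIENT, "A"),
    Packet(13.00, SERVER, CLIENT, "FA"),  # server closes its half 12 s later
    Packet(13.05, CLIENT, SERVER, "A"),
]

def inspect(packets, fin_wait):
    """Return alerts raised by a toy stateful inspector (assumed logic)."""
    state = {}   # flow -> None while established, else expiry time after first FIN
    alerts = []
    for p in sorted(packets, key=lambda p: p.t):
        key = frozenset((p.src, p.dst))          # same entry for both directions
        if key in state and state[key] is not None and p.t > state[key]:
            del state[key]                       # FIN-wait timer ran out
        if key not in state:
            if p.flags == "S":
                state[key] = None                # new connection, start tracking
            elif "F" in p.flags:
                # A FIN with no matching connection looks like a FIN scan probe.
                alerts.append((p.t, "TCP FIN Scan", p.src, p.dst))
            continue
        if "F" in p.flags and state[key] is None:
            state[key] = p.t + fin_wait          # first FIN: keep state a bit longer
    return alerts

if __name__ == "__main__":
    for timeout in (5, 30):
        print(f"fin_wait={timeout}s ->", inspect(TRACE, timeout) or "no alerts")
```

With the 5-second value the server's late FIN arrives after the entry is gone and is flagged; with 30 seconds the same trace passes cleanly.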
 