Posted

Hi guys, I've noticed this happening a few times and I'm not sure what to make of it.

My firewall (Panda Titanium using TruPrevent heuristics) sometimes reports port scans during an FTP session with server90.totalchoicehosting.com. The firewall reports the scan, blocks it and then the connection with the FTP server goes dead. It's a bit confusing. Any ideas?

Posted

When you attempt to "communicate" on the internet by making a connection to another computer, ftp in this case, several things happen. Your computer sends out a request to the other computer and asks "are you there, ready to receive data?". The other computer responds "yes I am, is this the correct port to use". This is called hand-shaking, trying to set up a connection where both computers are in agreement on how to talk to one another.

What you have done is interfered with this communication and blocked access to your ports. You need to allow this activity because you actually initiated it. ftp will not work until you allow it.

Posted

I understand about the SYN ACK cycle. Sometimes I can FTP data to/from the server perfectly well (I'm not using passive mode) and other times I can't, which is genuinely confusing. It could be that when network traffic is high and the roundtrip time is uneven, the syn-ack cycle looks irregular to the Panda intrusion detection software. This could explain why Panda thinks the total choice server is initiating a port scan but it could also be that totalchoice have proxy servers which are confusing my intrusion detection software by sending acks back from a different IP.

I was wondering whether your servers do port scan clients that appear to behave irregularly. Also, we're experiencing very sluggish FTP performance from this server over the past few days which is increasing the problem.

Posted

TCH does not use any proxy servers. You should be using passive mode for FTP as well.

If you are experiencing poor performance using FTP I would open a ticket with the help desk. I would also run a trace to your site from your computer to be sure it is not a routing issue from your location to the server.
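
The reply above recommends passive mode. As an added example (not part of the original thread, and not a diagnosis of the Panda alert), the Python below reads FTP control-channel lines and reports which side opens each data connection, using the `PORT` and `227` formats from RFC 959. The session lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import re

def parse_hostport(fields):
    """Decode FTP's h1,h2,h3,h4,p1,p2 form into (ip, port)."""
    nums = [int(x) for x in fields.split(",")]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError("bad host-port field: %r" % fields)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connection(control_line):
    """Return mode, initiator and listening endpoint, or None if the
    line does not negotiate a data connection."""
    line = control_line.strip()
    m = re.match(r"(?i)PORT\s+([\d,]+)$", line)
    if m:  # active mode: the client listens, the server connects in
        return {"mode": "active", "initiator": "server",
                "listener": parse_hostport(m.group(1))}
    m = re.match(r"227\b.*?(\d+,\d+,\d+,\d+,\d+,\d+)", line)
    if m:  # passive mode: the server listens, the client connects out
        return {"mode": "passive", "initiator": "client",
                "listener": parse_hostport(m.group(1))}
    return None

def inbound_ports(control_lines):
    """Client ports that will receive server-initiated connections."""
    found = (data_connection(l) for l in control_lines)
    return [d["listener"][1] for d in found if d and d["mode"] == "active"]

# Constructed control-channel lines (client 192.0.2.10, server 198.51.100.90).
SAMPLE = [
    "USER demo",
    "PORT 192,0,2,10,195,80",
    "LIST",
    "PORT 192,0,2,10,195,81",
    "RETR a.txt",
    "PASV",
    "227 Entering Passive Mode (198,51,100,90,200,15)",
    "RETR b.txt",
]

if __name__ == "__main__":
    for line in SAMPLE:
        info = data_connection(line)
        if info:
            print(line, "->", info)
    print("inbound connections to client ports:", inbound_ports(SAMPLE))
```

In active mode every transfer brings a new server-initiated connection to a different client port, so a client firewall has to follow the control channel to associate those connections with the session; in passive mode all connections are outbound from the client.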
