deviantart & router firewall log HELP!!!

Angry@VMedia · 10-07-2008, 10:02

Hi!
I was browsing around on deviantart earlier, ok, not such a shock, but checking my firewall log in router and this is what I got:

07/10/2008 09:39:53 **TCP FIN Scan** 192.168.2.4, 2932->> 213.244.185.47, 80 (from WAN Outbound)
07/10/2008 09:39:53 **TCP FIN Scan** 192.168.2.4, 2926->> 198.172.81.42, 80 (from WAN Outbound)
07/10/2008 09:39:53 **TCP FIN Scan** 192.168.2.4, 2999->> 93.188.130.23, 80 (from WAN Outbound)

After running VisualRoute on those IP addresses, it comes up as deviantart.com, now WHY does browsing a site like that set off a TCP FIN scan, and what the heck IS a fin scan?

I am starting to get worried, as I got logs like the above the other night when my partner was browsing YouTube & doing her Bebo account, should I be worried at all by this?

This is the first router that logs router firewall data, as my previous 2 routers in the past have not had this feature, and to me, seeing so called "harmless" websites bring up these errors, I am starting to get a little paranoid.

There is NO harmfull viruses/spyware/malware on my system as I this is a fresh install of XP with only internet security, MSN & firefox installed so far, so I can say for sure that I dont have anything nasty running on my PC (ok, I will ignore the fact that I have XP on my machine lol)

Nemeth · 10-07-2008, 10:31

A quick google returned plenty of references to it, for example:

Quote:

A TCP FIN packet is one sent by a web site that wants to see if you are still on-line and connected to their site. I get them from here at ABX occasionally, for example, when I leave the site but forget to log out. They are generally harmless "are you still here?" packets. BTW, you should still block them.

Quote:

FIN is the Finished flag, I believe. It's used to close a TCP connection. I also think the normal usage is to ACK an unsolicited FIN packet (i.e. if you get a FIN packet from a host you don't share a connection with, you still ACK it).

Quote:

Yep... that's the way it works, unless you tell your network hardware (or directly-connected PC) to igonre it. IMHO, it's best for the typical home user to filter out incoming FIN packets so that you do NOT reply. That's how my router is set up. A remote system will drop the session automatically in the absence of a reply, and theoretically one could locate systems (and potentially exploit them) by use of spurious (FAKE) FIN packets. Thus the Yellow Alert you saw.

HTH...

BTW, outgoing FIN packets are not as much of a security issue, since unless your box has already been compromised, you will be actively ending a comm session that you previously established.

That last sentence is probably relevant since your firewall log suggests the packets were outbound.

Angry@VMedia · 10-07-2008, 10:35

Quote:

Originally Posted by Nemeth

A quick google returned plenty of references to it, for example:

That last sentence is probably relevant since your firewall log suggests the packets were outbound.

Thanks for the info!
How can I block em though?
It's good that it isn't serious, like I said before, Ive never had a router that logs firewall traffic before and was a bit concerned to say the least!

**Rob M** · 10-07-2008, 10:41

Assuming that you have a software firewall installed, and it's set up to stop outbound traffic that you haven't approved, then it's unlikely to be a malicious application performing outbound scans.

A 'FIN' packet is sent by your machine to close its TCP connection with a site (in the case of the log you've posted above, and assuming that your tracert was correct, deviantart.com). Given that all of the packets being sent appear to be targeted at port 80 on the destination server I would guess that you PC is just closing off the HTTP connections that it's made as part of your standard browsing.

Basically, if you're 100% sure that you've a) got a clean build, b) got a software/hardware firewall that filters outbound traffic, and c) the sites listed as the destination IP addresses are sites that you've visited legitimately, then I wouldn't worry

Don't take this the wrong way, I don't know what your level of technical knowledge is, but if that's a bit too technical please let me know and I'll try to be a bit clearer.

Kellargh · 10-07-2008, 10:42

Oooh I didn't know about that and deviantart...I go on there on a very regular basis.

**Rob M** · 10-07-2008, 10:43

Quote:

Originally Posted by Angry@VMedia

Thanks for the info!
How can I block em though?
It's good that it isn't serious, like I said before, Ive never had a router that logs firewall traffic before and was a bit concerned to say the least!

I don't think you really need to worry about it TBH, your router should already be dropping unsolicited incoming packets (anything that your PC hasn't asked for) so it should be dropping any spurious FIN packets in line with that.

Angry@VMedia · 10-07-2008, 10:49

Thanks Rob!
I would like to think that I am quite knowledgeable, I just wasnt too sure as ive never had a logged firewall on router

And I know what you will say when I tell you my internet security package (NIS) but hey, I have a free version I got with my printer (something like 160-odd day free updates or something like that??)

But yes, it does inform me if programs I am running try to access the internet, I know that it pops up asking me when another PC on my network tries to access this pc, but dont know about other sites yet!

Running Firefox with NoScript, and I block everything and deny cookies to everything apart from forums & sites & am registered to, and I never browse "suspect" sites, (why download porn when you can get the real thing!!)

But thanks anyway, I am sorry if I seem to be a pain in the bum recently with posting all these questions, but its new terrortary (spellcheck) to me and I know that if members here can help then they will

**Rob M** · 10-07-2008, 10:51

No problem with NIS (or any other product) if it's doing what you want/need it to do

I dare say that a few other people on here would say different, but I always maintain that there's no 'right' product for all eventualities - it's more about the user sometimes than the solution

As for the questions, don't worry about it - the only stupid question is the one that doesn't get asked

Angry@VMedia · 10-07-2008, 10:54

hehe I guess you are right Rob!
Well I am back off to bed to try and catch up on some well deserved sleep, R&R as i'm like a walking zombie right now!

Thanks again, take it easy

r00t · 10-07-2008, 11:04

What has DeviantArt & your router got to do with the VirginMedia Internet section of the forum?

**Rob M** · 10-07-2008, 11:06

Quote:

Originally Posted by r00t

What has DeviantArt & your router got to do with the VirginMedia Internet section of the forum?

Well spotted, I'm half asleep today

Moved to 'Security & Virus Discussion'.