# Sonicwall TCP NULL scan



## thegarrett (May 16, 2008)

I am currently using a Sonicwall TZ180 with the standard OS. Every time we access the site www.webroster.net we get "Probable TCP NULL scan detected" and it disallows access to the site. We have other offices around the country using the same Sonicwalls and these are ok.

If this can't be sorted, can we re-route the browsing for this website through one of our VPNs to a different router?

At the moment we are using a public proxy server to get over this problem which is far from ideal!

Any ideas would be much appreciated.


----------



## lensman3 (Oct 19, 2007)

The following is from the nmap manual about TCP NULL scans.
-sR (RPC scan)
This method works in conjunction with the various port scan methods
of Nmap. It takes all the TCP/UDP ports found open and floods them
with SunRPC program NULL commands in an attempt to determine
whether they are RPC ports, and if so, what program and version
number they serve up. Thus you can effectively obtain the same info
as rpcinfo -p even if the target's portmapper is behind a firewall
(or protected by TCP wrappers). Decoys do not currently work with
RPC scan. This is automatically enabled as part of version scan
(-sV) if you request that. As version detection includes this and
is much more comprehensive, -sR is rarely needed.

Maybe webroster is trying to set up an RPC connection. Why this is dangerous and then the TZ180 locks you out is confusing. You might try putting something on the router to watch the packets, like tcpdump. It is almost as if something is "snooping" your packets as the packets get routed to webroster.net.

I hope this helps.


----------



## Cellus (Aug 31, 2006)

It could also very well be a false positive. What ports are being probed?


----------



## thegarrett (May 16, 2008)

Various ports ranging from 1087-1598. This is just really strange, it's driving me nuts! Like I said, I've got other TZ180s in other offices that work fine! I know it's not a fix, but is there a way of routing web traffic down the VPN and out via our other office?

I will set up tcpdump tomorrow!


Thanks for your time and help!


----------
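A check for the pattern the firewall alert names, added here as an example and not part of the original thread: it parses raw IPv4 packets, such as those taken from a capture, and reports TCP segments with no flags set, grouped by sender. The function names, addresses and packets are constructed for illustration; only the two port numbers are borrowed from the range mentioned in the thread.

```python
import socket
import struct
from collections import defaultdict

def build_packet(src, dst, sport, dport, flags):
    """Constructed sample: minimal IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_tcp(packet):
    """Return (src, sport, dst, dport, flags) for an IPv4 TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 14:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None  # later IP fragments carry no TCP header
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]  # CWR ECE URG ACK PSH RST SYN FIN
    return (socket.inet_ntoa(packet[12:16]), sport,
            socket.inet_ntoa(packet[16:20]), dport, flags)

def null_segments(packets):
    """Map each sender to the sorted destination ports it hit with flagless segments."""
    hits = defaultdict(set)
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed and parsed[4] == 0:
            hits[parsed[0]].add(parsed[3])
    return {src: sorted(ports) for src, ports in hits.items()}

# Constructed sample traffic (documentation addresses, not from the thread).
SERVER, CLIENT = "198.51.100.10", "192.0.2.5"
SAMPLE = [
    build_packet(CLIENT, SERVER, 1087, 80, 0x02),  # SYN
    build_packet(SERVER, CLIENT, 80, 1087, 0x12),  # SYN/ACK
    build_packet(SERVER, CLIENT, 80, 1087, 0x00),  # no flags
    build_packet(SERVER, CLIENT, 80, 1598, 0x00),  # no flags
    build_packet(CLIENT, SERVER, 1087, 80, 0x18),  # PSH/ACK
    b"\x45\x00",                                   # truncated, ignored
]

if __name__ == "__main__":
    print(null_segments(SAMPLE))
```

On a live capture, the pcap filter expression `tcp[tcpflags] == 0` selects the same segments.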

