AEBS always showing ports 21, 554, and 7070 open?

Question

Level 1

10 points

AEBS always showing ports 21, 554, and 7070 open?

Every portscan I run from behind my AEBS to hosts on the outside shows ports 21 (ftp), 554 (rtsp) and 7070 (realserver) open on the destination, even when I know these ports are closed. Is the AEBS spoofing the connects? Wireshark shows a normal 3-way handshake which is very troubling.

Macbook Pro 2.4, Mac OS X (10.5.2)

Posted on May 22, 2008 11:46 PM

Reply

Answer 1

aberrant Author

Level 1

10 points

May 23, 2008 12:31 AM in response to aberrant

Also: firmware 7.3.1 and 7.2.1 exhibit this behavior (haven't tried any others).

Reply

Answer 2

May 24, 2008 7:46 AM in response to aberrant

Hi,

Curious... I'll have to set that up in my lab to try that. I'm guessing the AEBS is functioning in a proxy mode to make NATing FTP and Real Media easier, and the AEBS just responds before it has even checked with the remote host to see if those protocols are even running.

It could be harmless and something you're only going see doing port scanning. On the other hand, it might be the toe hold for launching some sort of bounce attack. My approach to security is to only do the minimum necessary to achieve functionality, so the AEBS would be violating that precept.

1. Does the AEBS do this for other hosts on the LAN side?

2. Does the the AEBS do this when it is in bridge mode?

Bill

Reply

Answer 3

aberrant Author

Level 1

10 points

May 24, 2008 8:27 AM in response to impulse_telecom

Sounds like you and I have the same philosophy re: security.

1) The AEBS does this for all hosts on the LAN side. Windows, UNIX, ... doesn't matter. FTP connects always succeed, even when there's no FTP server running on the remote host.

2) Haven't tested bridge mode.

Please report back with your lab results!

Reply