Hi All,
Does anyone know if Verizon automatically performs network filtering in
response to scanning behavior?
I'm having some weird connectivity issues to a host and trying to figure
out why.
Cheers,
Harry
Did you ever resolve this?
Hi All,
Sorry, got pulled away on other projects. No, still trying to figure out
what's going on. This is traffic originating from FIOS's network.
I have a host located in a .edu that is configured to send back ICMP
host prohibited replies for connections that aren't specifically allowed
in the host-based firewall.
The .edu border routers filter very little (standard MS ports
135, 137, 139, 445 UDP/TCP).
I can ssh from my Verizon FIOS router (a Linux box) to my .edu host
(also a Linux box).
If I run nmap -sT -Pn <.edu host> I'll get back different results of
what ports are filtered. I assume that this is a result of what nmap
decides to cache when it receives the ICMP messages.
Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-16 14:53 EDT
Nmap scan report for some.host.edu (123.45.67.89)
Host is up (0.028s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
23/tcp filtered telnet
Nmap done: 1 IP address (1 host up) scanned in 3.78 seconds

[hhoffman@firefly ~]$ nmap -Pn -sT some.host.edu
Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-16 14:53 EDT
Nmap scan report for some.host.edu (123.45.67.89)
Host is up (0.034s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
199/tcp filtered smux
Nmap done: 1 IP address (1 host up) scanned in 20.43 seconds

[harryh@firefly ~]$ nmap -Pn -sT some.host.edu
Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-16 14:56 EDT
Nmap scan report for some.host.edu (123.45.67.89)
Host is up (0.078s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
111/tcp filtered rpcbind
256/tcp filtered fw1-secureremote
3389/tcp filtered ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 2.52 seconds

[hhoffman@firefly ~]$ nmap -Pn -sT some.host.edu
Starting Nmap 6.01 ( http://nmap.org ) at 2013-03-16 14:56 EDT
Nmap scan report for some.host.edu (123.45.67.89)
Host is up (0.030s latency).
All 1000 scanned ports on some.host.edu (123.45.67.89) are closed

For a short period of time after the scans commence I'm not able to
connect from my FIOS host to my .edu host on tcp/22, a port that is
specifically allowed in the .edu host's firewall rules.
There is no software on either end that would perform any tarpit-like
functionality.
Cheers,
Harry
Are you sure the edu isn't triggering any sort of filtering on hosts that do scanning?