Inconsistent SG Security Scan results

mcfowl
New Member
Posts: 2
Joined: Sat Feb 18, 2017 9:57 am

Post by mcfowl »

I put a 2nd router in a DMZ after the ISP provided router, and my household is now behind the 2nd router (using the firewall in the 2nd router). If I run the automated SG Security Scan that cycles through the ports, it shows hundreds of open TCP ports, but when I test several of the purported open TCP ports via scanning a single port at a time (type them in), they show up as filtered. What is the issue w/ this inconsistency in the results?
Philip
SG VIP
Posts: 11524
Joined: Sat May 08, 1999 5:00 am
Location: Jacksonville, Florida

Post by Philip »

The firewall in the second router may have some type of DoS/scan protection that kicks in? Once you see the ports closed with individual scans, does a consecutive scan on the range of ports still show them as open?

Post by mcfowl »

Philip wrote: The firewall in the second router may have some type of DoS/scan protection that kicks in? Once you see the ports closed with individual scans, does a consecutive scan on the range of ports still show them as open?
Yes, 4/tcp is the first port shown in the consecutive scan, and if I specify 4 in the single port scan it is filtered, and then I do a consecutive scan again and 4 still shows open.

Post by Philip »

Port 4/tcp shows filtered in both the single and range of ports when I try it on your IP.
Are you scanning the same IP in both cases, i.e. are you behind some type of proxy?

Can you please email (or PM) me a screenshot of the portscans that show open ports and equivalent single-port scan that does not? It will help me troubleshoot if I can see a list of ports that are showing up differently. My email is philip [at] sg...net

Post by Philip »

I just wanted to follow up. After additional testing with mcfowl, we figured that the culprit was an Actiontec MI424WR gateway - scanning over 100 ports triggers some type of IDS/SYN flood protection that starts dropping packets at random. It happens with both TCP and SYN scans. The behavior only occurs when DMZ is enabled on the router.
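
One way to pin down the scan-size dependence described in the follow-up above, as an added example that is not part of the thread: compare consecutive-scan reports of different sizes against single-port probes of the same ports and find the smallest scan size at which they disagree. The `<port>/tcp <state>` report format, the function names and all sample data are constructed for illustration.

```python
import re

# Assumed report line format, e.g. "4/tcp open" (constructed for this example).
LINE = re.compile(r"^(\d+)/tcp\s+(open|closed|filtered)$")

def parse_report(text):
    """Parse '<port>/tcp <state>' lines into {port: state}; other lines are ignored."""
    states = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            states[int(m.group(1))] = m.group(2)
    return states

def disagreements(range_states, single_states):
    """Ports probed both ways whose state differs between the two scan modes."""
    common = range_states.keys() & single_states.keys()
    return sorted(p for p in common if range_states[p] != single_states[p])

def first_unreliable_size(runs, single_states):
    """Smallest consecutive-scan size whose report contradicts the single-port probes."""
    for size, report in sorted(runs.items()):
        if disagreements(parse_report(report), single_states):
            return size
    return None

# Constructed sample data, not the scans from this thread.
# SINGLE: results of probing one port at a time.
SINGLE = parse_report("4/tcp filtered\n22/tcp filtered\n80/tcp filtered\n443/tcp filtered")
# RUNS: {number of ports in the consecutive scan: excerpt of its report}.
RUNS = {
    50: "4/tcp filtered\n22/tcp filtered",
    100: "4/tcp filtered\n22/tcp filtered\n80/tcp filtered",
    150: "4/tcp open\n22/tcp filtered\n80/tcp open",
    1000: "4/tcp open\n22/tcp open\n80/tcp filtered\n443/tcp open",
}

if __name__ == "__main__":
    for size, report in sorted(RUNS.items()):
        print(size, "ports ->", disagreements(parse_report(report), SINGLE))
    print("first unreliable scan size:", first_unreliable_size(RUNS, SINGLE))
```

Ports that only appear open in the larger consecutive scans and are filtered when probed individually are best treated as artifacts of the gateway's protection rather than as exposed services.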