We have hundreds of clients all over the country who are able to access our website without any problems, but one cannot access our website (guess what, it's a big client!).

Their network support company had a look and they managed to recreate what they think is the issue - by doing rapid port sniffing they were able to block themselves from accessing our public PORT 80 web site for a couple of days.

Sounds like something on the client's network (trojan maybe?) could be port sniffing when they try to connect to our site. Anyway I'll leave that to them.

Network stuff isn't really my area, but small company / limited budget and all that so I've looked on the server and done some googling but cannot find any info on anything that could temporarily block an IP address that port sniffs it.

It's a fairly basic install of Windows Server 2008 R2.

Can anyone point me in the right direction? For the time being I just want to override this feature for this one client's fixed IP address until we get to the bottom of the issue.

John King
  • Do you have a firewall on your side (other than just the Windows one)? – krisFR Jan 15 '14 at 13:03
  • Are you using IIS? What specifically happens when they try (timeout, refused, 500 error, etc)? – Nathan C Jan 15 '14 at 13:40
  • @user2196728 Just the windows firewall. ISP said they don't block traffic. – John King Jan 15 '14 at 13:54
  • @Nathan C Connection refused – John King Jan 15 '14 at 13:55
  • Can you run `netsh wfp show state` and check in the XML output file if you have something like `Port Scanning Prevention Filter`? – krisFR Jan 15 '14 at 14:25
  • @user2196728 you hit the nail on the head there! Any idea how to override it? I can't find much information about it but what I have found just says it can't be turned off for security reasons. – John King Jan 15 '14 at 15:26
  • Can you check in Windows Event Viewer, in the Security log, if you have something like `The Windows Filtering Platform has blocked a packet` where the source address is the faulty client, and, if found, check for the Destination Port in the message? – krisFR Jan 15 '14 at 15:45
  • @user2196728 I've turned logging on and it's now logging that event, so I'll ask the client to go to the site in the morning and I'll check the log and get back to you, thanks for your help so far! – John King Jan 15 '14 at 19:15
  • OK, let me know. It will also be useful to trap traffic with `netsh wfp capture start/stop`. Also, even if it is not recommended, you should try to totally disable the Windows firewall for 5 minutes, just to check if it is an issue with it. – krisFR Jan 15 '14 at 19:35
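
The two checks suggested in the comments above can be tied together in one script. This is an added example, not part of the original thread: it pulls the "blocked a packet" events (ID 5152) for one source address and resolves the filter ID each event reports to a filter name in the `netsh wfp show state` dump. The client IP is a placeholder, the output path is arbitrary, and the element names used to search the dump (`item`, `filterId`, `displayData/name`) are an assumption about its layout.

```powershell
# Added example. Run from an elevated PowerShell prompt on the web server.
$ClientIp  = '203.0.113.10'                       # placeholder: the client's fixed IP
$StateFile = "$env:SystemRoot\Temp\wfpstate.xml"  # arbitrary output path

# 1. Collect WFP "blocked a packet" events (ID 5152) whose source is the client.
#    @() keeps the loop from running once on $null under PowerShell 2.0.
$drops  = @()
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152 } `
            -ErrorAction SilentlyContinue)
foreach ($e in $events) {
    $f = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    if ($f['SourceAddress'] -eq $ClientIp) {
        $drops += New-Object PSObject -Property @{
            Time     = $e.TimeCreated
            DestPort = $f['DestPort']
            FilterId = $f['FilterRTID']   # run-time ID of the filter that dropped it
            Layer    = $f['LayerName']
        }
    }
}
if (-not $drops) { Write-Host "No 5152 events logged for $ClientIp"; return }

# 2. Dump the current WFP state and load it as XML.
netsh wfp show state file=$StateFile | Out-Null
$state = New-Object System.Xml.XmlDocument
$state.Load($StateFile)

# 3. Resolve each filter ID to its display name and summarise per port.
$drops | Group-Object FilterId, DestPort | ForEach-Object {
    $id   = $_.Group[0].FilterId
    # Assumed layout: <item> ... <displayData><name/></displayData> ... <filterId/> </item>
    $node = $state.SelectSingleNode("//item[filterId='$id']/displayData/name")
    New-Object PSObject -Property @{
        Count      = $_.Count
        DestPort   = $_.Group[0].DestPort
        FilterId   = $id
        FilterName = $(if ($node) { $node.InnerText } else { '(not in current state dump)' })
    }
} | Sort-Object Count -Descending |
    Format-Table Count, DestPort, FilterId, FilterName -AutoSize
```

A row whose FilterName reads `Port Scanning Prevention Filter` with DestPort 80 would confirm that this filter, rather than an ordinary firewall rule, is dropping the client's traffic.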
