Recently, a client contacted me to share that their web server’s firewall was busy banning IP addresses from port scanners. Sure enough, a quick peek at the server logs shows that there were indeed multiple IP bans lately. Most of these were temporary bans as the firewall did not deem these infractions critical enough to be permanent bans. When looking at the notifications, a particular domain in the ban list caught my eye. It was a microsoft.com domain along with an IP address. A WHOIS lookup shows that this IP does indeed belong to the software giant Microsoft Corp, manufacturer of Microsoft Windows and Microsoft Office. The reason for permanently banning this IP was that the IP itself had been temporarily banned too many times in a certain time frame. So after a few warnings, the server’s firewall permanently banned this Microsoft IP from hitting the client’s web server again.
184.108.40.206 (US/United States/tide544.microsoft.com)
After some more digging around and research, the question is: could this be a false positive for port scanning? Since we do not want to hinder any of MSN’s servers, whether it’s Bing.com or MSN search, from crawling our web sites, the more important question is actually: should I unban this IP address? Has anyone else also experienced their firewall banning Microsoft IP addresses for port scanning? What would you do?
4 thoughts on “Microsoft Banned for Port Scanning”
Yes. I have had a similar experience, with Microsoft IPs scanning my ports in bursts of about 3 or 4 at 10-minute intervals. I don’t know what to make of it though, and in my search for info, I stumbled across this.
Yup – same here.
Also seeing Google addresses. I have to assume that someone is either IP spoofing or triggering some remote application.
Do you get a list of ports being scanned? And the source port of the scanner?
All of my source ports are either 80 or 443, implying that the remote scanner is running as a privileged operation.
All of the local ports seem to be in the rpc range, the NFS ports and some RTP and RTSP. Nothing significant like SIP, HTTP, FTP or anything that you’d expect from a remote scan…
Yes, I realize this post is a year old.
I see what appears to be port scanning by msnbot quite a bit lately.
*Port Scan* detected from 220.127.116.11 (US/United States/msnbot-65-55-3-135.search.msn.com). 11 hits in the last 241 seconds – *Blocked in csf* for 3600 secs
@eric & @bob, looks like this type of scanning may just be normal practice. It still seems odd that our firewall security is triggered by the practices of such large entities.
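One way to approach the "should I unban this IP?" question, as an added example that is not part of the original post or its comments: parse the csf alert and check the banned address with a forward-confirmed reverse DNS lookup. The suffix list, the sample alerts and the fake DNS table are assumptions constructed for the example.

```python
import re
import socket
# Layout from the csf/lfd alert in the thread; the logged hostname is not trusted.
ALERT_RE = re.compile(
    r"\*Port Scan\* detected from (?P<ip>[0-9A-Fa-f.:]+) \([^)]*\)\. "
    r"(?P<hits>\d+) hits in the last (?P<secs>\d+) seconds")
# Assumption: hostname suffixes this operator accepts as search crawlers.
CRAWLER_SUFFIXES = (".search.msn.com", ".googlebot.com")

def system_resolver(ip):  # live PTR lookup, then forward lookup of that name
    ptr = socket.gethostbyaddr(ip)[0]
    return ptr, {ai[4][0] for ai in socket.getaddrinfo(ptr, None)}

def classify(line, resolve=system_resolver):
    """Parse one alert; say whether the banned IP is a confirmed crawler."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    ip = m["ip"]
    try:
        ptr, addrs = resolve(ip)
    except OSError:  # no PTR record, or the forward lookup failed
        ptr, addrs = "", set()
    ptr = ptr.rstrip(".").lower()
    if not ptr:
        verdict = "unverified"
    elif not ptr.endswith(CRAWLER_SUFFIXES):
        verdict = "not-crawler"
    else:  # PTR claims a crawler; the forward lookup must map back to the IP
        verdict = "verified-crawler" if ip in addrs else "ptr-mismatch"
    return {"ip": ip, "ptr": ptr, "hits": int(m["hits"]),
            "window_secs": int(m["secs"]), "verdict": verdict}

# Constructed sample data (documentation address ranges, not from the post).
SAMPLE_ALERTS = [
    "*Port Scan* detected from 192.0.2.10 (US/United States/msnbot-192-0-2-10.search.msn.com). 11 hits in the last 241 seconds - *Blocked in csf* for 3600 secs",
    "*Port Scan* detected from 198.51.100.7 (US/United States/msnbot-198-51-100-7.search.msn.com). 14 hits in the last 200 seconds - *Blocked in csf* for 3600 secs",
]
FAKE_DNS = {
    "192.0.2.10": ("msnbot-192-0-2-10.search.msn.com", {"192.0.2.10"}),
    "198.51.100.7": ("msnbot-198-51-100-7.search.msn.com", {"203.0.113.9"}),
}

def fake_resolver(ip):  # offline stand-in for system_resolver
    if ip not in FAKE_DNS:
        raise OSError("no PTR record")
    return FAKE_DNS[ip]
if __name__ == "__main__":
    print([classify(a, fake_resolver) for a in SAMPLE_ALERTS])
```

A `verified-crawler` verdict only establishes that the address belongs to the crawler's network; it does not explain why the firewall counted its packets as a scan.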