We notice a "ACK Port Scan" to Riverbed device, Is anyone seen this before?
We're confirm this not "ACK" scan but somehow caused by riverbed.
An ACK scan is typically used to detect firewall rules. A client sends a TCP header with an ACK flag. If the target server port is open, the server responds with a RST. If the port is closed, no response is sent because the firewall has dropped the packet. An alarm is sent if a threshold of ACKs not associated with any flow between a source and destination IP is being exceeded.
I have not seen this specifically, however this may be related to TCP handshake optimization some devices do, especially related to WAN optimization. If you've confirmed this not an attack, you can set an Alert filter for this.
after further invectigation and understanding riverbed function adn deployment on our network
we conclude thsi as false positive and filter has been made.
I have also seen this traffic
We utilise the Riverbed appliances and we too see the Ack port scans.
It would appear to be normal traffic and we too have applied suppression to the alerts - it may have something to do with the device scanning through for other Riverbeds