Ask the Expert

Interpretting firewall security alert messages

I have been receiving these security alert messages from our firewall nearly every day:

TCP Packet - Source:144.120.8.89,39341 Destination:192.168.1.1,25 - [DOS] TCP Packet - Source:210.7.0.36,3473 Destination:210.7.12.23,135 - [DOS] Thu, 2006-10-19 16:30:03 – UDP Packet - Source:192.168.1.111,1443 Destination:202.62.124.238,53 - [Any(ALL) match]

What is this?

    Requires Free Membership to View

I'd need more information to know for sure, such as the IP addresses in your network topology map. Still, given what you have provided, we see an attempted connection to a mail server (TCP port 25) on your internal network (192.168 IP addresses are used for internal networks and are non-routable across the Internet.). Next, it looks like one of your own Windows machines tried to connect to another Windows system. This was done via Windows file and printer sharing with NetBIOS over TCP (TCP port 135). And, finally, one of your internal systems (again, based on the 192.168 address) most likely tried to send a domain name system request (UDP port 53). Each of these by themselves is innocuous. Someone may have mis-configured or mistyped an IP address, which then caused these packets to be sent. Or, perhaps some script kiddies were doing some widespread scans, and you fell into their cross hairs. Either way, your firewall is most likely doing its job and blocking this type of access.

If you want to get more information, I recommend that you configure a sniffer, such as the easy-to-use Wireshark tool. You can then sniff traffic on the internal interface of your router, and look for additional packets coming from 144.120.8.89 and 202.62.124.238. As another option, if you can get access to any of the 192.168 machines here (or any others for that matter), and they are Windows machines, you can run this command to get more details about what is going on:

C:> netstat –nao 1 | find "[IP_addr_of_other_side" | find "[port]"

The netstat command shows TCP and UDP ports that are in use. The –n means that we want numbers (not names) of ports and machines. The –a indicates our preference for all traffic. The –o means that we want the Process ID (PID) of the program using that port. The 1 will make this command run every second, again and again.

Then, the output is scraped for any indication of the IP address of the other side. Look for packets going to or from the ports in question, namely 25, 135, and 53. Let the command run for a little while, and see if and when one of the machines sends such a packet. When it does, look at the PID, and find it in Task Manager. If using Windows XP, 2003 or Vista, you can also use this command:

C:> wmic process list brief

Then, you'll know the process sending it, so you can check whether it is valid, and you can look over its configuration.

More information:

  • Use a packet sniffer to determine whether an email message is encrypted or not.
  • Visit SearchSecurity.com's network firewall resource center.
  • This was first published in February 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: