Q

Strange firewall log entries

An issue with my firewall has come up and I am not sure how to pursue it. About four days ago, a large amount of incoming traffic started showing up in our "Self Log." Currently we deny all incoming traffic. The traffic is all destined for odd high number ports. Here is an example (with my IP represented by x):

04/06/2001 08:51:39 Deny 209.185.242.158->xxx.xxx.xxx.xxx 0 sec TCP PORT 3359
04/06/2001 08:50:57 Deny 198.235.216.130->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426

The entries are staggered about 10-30 seconds apart, sometimes more. The Source IP changes every five or so entries.

We have been running our firewall for about four months now and this is the first time I have encountered this. I have looked up the source addresses, and most of them appear to be DNS servers.

Can you suggest a way to approach this problem or any direction I should take? Any help or insight would be great.


Without knowing what firewall is being used, what your configuration settings are and examining the rest of the logs, I cannot provide a definitive answer.

However, what it sounds like is that the firewall is doing what it is supposed to do. It is blocking unauthorized access. Remember that IP addresses are easily forged. So the fact that the access attempts appear to come from DNS servers is not surprising. Valid IPs for DNS servers can be found simply by using the "whois" tool for a few of your favorite domains. Each listing will have the DNS server names and IP addresses for it. An attacker could simply spoof their attacks to make it look like the attack is coming from there.

The fact that the source IP is changing and the entries are spaced apart is an indication that the attacker is trying to "stay under the radar" of intrusion detection systems.

What you probably have is nothing more than a PING sweep of your network using a tool that changes the source IP and does a slow scan so as not to be detected. By examination of your logs, you detected it. As long as your network is operating correctly, including your own DNS servers, it is likely that your firewall is simply doing its job. Again though, I can't say for certain without a thorough examination of all the logs. If you are truly concerned, you should consider bringing in a consultant that is familiar with your firewall to do a more thorough analysis than can be provided via "Ask the Expert."
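A defender-side check for the pattern the answer describes, added here as an example and not code from the page or its author: it parses entries in the quoted Self Log format, groups denies by source address, and flags sources that slowly probe several distinct high ports, then reports whether two or more such sources appear (consistent with one scanner rotating spoofed sources). The sample entries, addresses, thresholds and function names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the Self Log format quoted in the question: timestamp,
# action, src->dst, duration, then "PROTO PORT n" wrapped onto the next line.
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
04/06/2001 08:50:57 Deny 192.0.2.10->203.0.113.5 0 sec
UDP PORT 3426
04/06/2001 08:51:14 Deny 192.0.2.10->203.0.113.5 0 sec
TCP PORT 3359
04/06/2001 08:51:39 Deny 192.0.2.10->203.0.113.5 0 sec
TCP PORT 3401
04/06/2001 08:52:03 Deny 198.51.100.7->203.0.113.5 0 sec
TCP PORT 3488
04/06/2001 08:52:31 Deny 198.51.100.7->203.0.113.5 0 sec
UDP PORT 3512
04/06/2001 08:52:32 Deny 198.51.100.9->203.0.113.5 0 sec
TCP PORT 53
"""

# \s+ before the protocol lets one entry span the wrapped line break.
ENTRY = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\w+) (\S+)->(\S+) \d+ sec\s+"
                   r"(TCP|UDP) PORT (\d+)")

def parse_self_log(text):
    """Yield (time, action, src, dst, proto, port) for each entry in the log text."""
    for m in ENTRY.finditer(text):
        ts, action, src, dst, proto, port = m.groups()
        yield datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"), action, src, dst, proto, int(port)

def summarize_denies(text, min_ports=2, min_gap=10):
    """Per source: hit count, distinct ports, median seconds between hits, and whether
    it looks like a slow probe of high ports (assumed thresholds, tune to your logs)."""
    by_src = defaultdict(list)
    for t, action, src, _dst, _proto, port in parse_self_log(text):
        if action == "Deny":
            by_src[src].append((t, port))
    report = {}
    for src, hits in by_src.items():
        hits.sort()
        ports = {p for _, p in hits}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        slow = len(ports) >= min_ports and (not gaps or median(gaps) >= min_gap)
        high_only = all(p > 1024 for p in ports)
        report[src] = {"hits": len(hits), "ports": sorted(ports),
                       "median_gap": median(gaps) if gaps else None,
                       "slow_high_port_probe": slow and high_only}
    return report

def suspected_slow_sweep(report, min_sources=2):
    """True when several sources show the slow high-port pattern: one likely scanner."""
    return sum(r["slow_high_port_probe"] for r in report.values()) >= min_sources
```

Sources that flag here deserve a look at the rest of the logs, not an automatic block, since a spoofed address may belong to a DNS server you legitimately talk to.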


This was first published in April 2001
