Strange firewall log entries

Strange firewall log entries

An issue with my firewall has come up and I am not sure how to pursue it. About four days ago, a large amount of incoming traffic started showing up in our "Self Log." Currently we deny all incoming traffic. The traffic is all destined for odd high number ports. Here is an example (with my IP represented by x):

04/06/2001 08:51:39 Deny 209.185.242.158->xxx.xxx.xxx.xxx 0 sec
TCP

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

PORT 3359
04/06/2001 08:50:57 Deny 198.235.216.130->xxx.xxx.xxx.xxx 0 sec
UDP PORT 3426

The entries are staggered about 10-30 seconds apart, sometimes more. The Source IP changes every five or so entries.

We have been running our firewall for about four months now and this is the first time I have encountered this. I have looked up the source addresses, and most of them appear to be DNSServers.

Can you suggest a way to approach this problem or any direction I should take? Any help or insight would be great.


Without knowing what firewall is being used, what your configuration settings are and examining the rest of the logs, I cannot provide a definitive answer.

However, what it sounds like is that the firewall is doing what it is supposed to do. It is blocking unauthorized access. Remember that IP addresses are easily forged. So the fact that the access attempts appear to come from DNS servers is not surprising. Valid IPs for DNS servers can be found simply by using the "whois" tool for a few of your favorite domains. Each listing will have the DNS servernames and IP addresses for it. An attacker could simply spoof their attacks to make it look like the attack is coming from there.

The fact that the source IP is changing and the entries are spaced apart is an indication that the attacker is trying to "stay under the radar" of intrusion detection systems.

What you probably have is nothing more than a PING sweep of your network using a tool that changes the source IP and does a slow scan so as not to be detected. By examination of your logs, you detected it. As long as your network is operating correctly, including your own DNS servers, it is likely that your firewall is simply doing its job. Again though, I can't say for certain without a thorough examination of all the logs. If you are truly concerned, you should consider bringing in a consultant that is familiar with your firewall to do a more thorough analysis than can be provided via "Ask the Expert."


This was first published in April 2001