04/06/2001 08:50:57 Deny 18.104.22.168->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426

The entries are staggered about 10-30 seconds apart, sometimes more. The source IP changes every five or so entries. We have been running our firewall for about four months now and this is the first time I have encountered this. I have looked up the source addresses, and most of them appear to be DNS servers. Can you suggest a way to approach this problem or any direction I should take? Any help or insight would be great.
Without knowing what firewall is being used, what your configuration settings are and examining the rest of the logs, I cannot provide a definitive answer. However, what it sounds like is that the firewall is doing what it is supposed to do. It is blocking unauthorized access. Remember that IP addresses are easily forged. So the fact that the access attempts appear to come from DNS servers is not surprising. Valid IPs for DNS servers can be found simply by using the "whois" tool for a few of your favorite domains. Each listing will have the DNS server names and IP addresses for it. An attacker could simply spoof their attacks to make it look like the attack is coming from there. The fact that the source IP is changing and the entries are spaced apart is an indication that the attacker is trying to "stay under the radar" of intrusion detection systems. What you probably have is nothing more than a PING sweep of your network using a tool that changes the source IP and does a slow scan so as not to be detected. By examination of your logs, you detected it. As long as your network is operating correctly, including your own DNS servers, it is likely that your firewall is simply doing its job. Again, though, I can't say for certain without a thorough examination of all the logs. If you are truly concerned, you should consider bringing in a consultant that is familiar with your firewall to do a more thorough analysis than can be provided via "Ask the Expert."
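As an added example (not part of the original column or its author's advice), the script below picks out the pattern the reader describes, repeated denies on one port arriving at a slow, steady cadence from rotating source addresses, from log lines in the format quoted above. The sample entries are constructed for this example; the thresholds (at least 3 hits, 2 sources, gaps under 120 seconds) are assumptions to tune for your own logs.

```python
import re
from datetime import datetime

# Constructed sample entries in the format quoted in the question (not real logs).
SAMPLE_LOG = """\
04/06/2001 08:50:57 Deny 18.104.22.168->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426
04/06/2001 08:51:12 Deny 18.104.22.168->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426
04/06/2001 08:51:40 Deny 18.104.22.168->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426
04/06/2001 08:52:01 Deny 198.51.100.7->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426
04/06/2001 08:52:25 Deny 198.51.100.7->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426
04/06/2001 08:52:50 Deny 203.0.113.9->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426
04/06/2001 09:10:00 Deny 203.0.113.50->xxx.xxx.xxx.xxx 0 sec TCP PORT 80
"""

# One deny entry: date, time, verdict, src->dst, duration, protocol and port.
LINE_RE = re.compile(
    r"(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d) Deny "
    r"(?P<src>\S+)->(?P<dst>\S+) \d+ sec (?P<proto>TCP|UDP) PORT (?P<port>\d+)"
)

def parse(text):
    """Return (timestamp, source, protocol, port) for every well-formed deny line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        events.append((ts, m["src"], m["proto"], int(m["port"])))
    return events

def slow_scan_summary(events, min_hits=3, min_sources=2, max_gap=120):
    """Group denies per (protocol, port) and flag groups hit by several sources
    at a slow but steady cadence: every gap between consecutive hits <= max_gap."""
    groups = {}
    for ts, src, proto, port in events:
        groups.setdefault((proto, port), []).append((ts, src))
    findings = {}
    for key, hits in groups.items():
        hits.sort()
        if len(hits) < min_hits:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        sources = {src for _, src in hits}
        if len(sources) >= min_sources and max(gaps) <= max_gap:
            findings[key] = {"hits": len(hits), "sources": len(sources),
                             "min_gap": min(gaps), "max_gap": max(gaps)}
    return findings
```

Because source addresses may be spoofed, as the answer notes, the source count is evidence of a rotating scan pattern rather than a list of hosts to act on.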
This was first published in April 2001