Ask The Security Expert: Questions & Answers

Strange firewall log entries

Expert response from: Stephen Mencik

QUESTION POSED ON: 16 April 2001
An issue with my firewall has come up and I am not sure how to pursue it. About four days ago, a large amount of incoming traffic started showing up in our "Self Log." Currently we deny all incoming traffic. The traffic is all destined for odd high number ports. Here is an example (with my IP represented by x):

04/06/2001 08:51:39 Deny 209.185.242.158->xxx.xxx.xxx.xxx 0 sec TCP PORT 3359
04/06/2001 08:50:57 Deny 198.235.216.130->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426

The entries are staggered about 10-30 seconds apart, sometimes more. The Source IP changes every five or so entries.

We have been running our firewall for about four months now and this is the first time I have encountered this. I have looked up the source addresses, and most of them appear to be DNS servers.

Can you suggest a way to approach this problem or any direction I should take? Any help or insight would be great.




Without knowing what firewall is being used, what your configuration settings are and examining the rest of the logs, I cannot provide a definitive answer.

However, what it sounds like is that the firewall is doing what it is supposed to do. It is blocking unauthorized access. Remember that IP addresses are easily forged. So the fact that the access attempts appear to come from DNS servers is not surprising. Valid IPs for DNS servers can be found simply by using the "whois" tool for a few of your favorite domains. Each listing will have the DNS server names and IP addresses for it. An attacker could simply spoof their attacks to make it look like the attack is coming from there.

The fact that the source IP is changing and the entries are spaced apart is an indication that the attacker is trying to "stay under the radar" of intrusion detection systems.

What you probably have is nothing more than a PING sweep of your network using a tool that changes the source IP and does a slow scan so as not to be detected. By examination of your logs, you detected it. As long as your network is operating correctly, including your own DNS servers, it is likely that your firewall is simply doing its job. Again though, I can't say for certain without a thorough examination of all the logs. If you are truly concerned, you should consider bringing in a consultant that is familiar with your firewall to do a more thorough analysis than can be provided via "Ask the Expert."
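The expert's point is that the slow, source-rotating pattern was detected only because someone read the logs. The following script is an added example, not part of the question or the expert's answer, and not tied to any particular firewall product: it parses "Self Log" lines in the format quoted in the question and flags sources whose denied probes land on several distinct high ports with slow, regular spacing, which is the signature described above. The sample log lines are constructed for this example (they reuse the two source addresses quoted in the question plus one made-up host) and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log format follows the lines quoted in the question. The sample below is
# constructed for this example; 10.0.0.7 is a made-up address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Deny "
    r"(?P<src>[\d.]+)->(?P<dst>[\w.]+) \d+ sec (?P<proto>TCP|UDP) PORT (?P<port>\d+)$"
)

SAMPLE_LOG = """\
04/06/2001 08:50:57 Deny 198.235.216.130->xxx.xxx.xxx.xxx 0 sec UDP PORT 3426
04/06/2001 08:51:39 Deny 209.185.242.158->xxx.xxx.xxx.xxx 0 sec TCP PORT 3359
04/06/2001 08:51:55 Deny 209.185.242.158->xxx.xxx.xxx.xxx 0 sec TCP PORT 3360
04/06/2001 08:52:20 Deny 209.185.242.158->xxx.xxx.xxx.xxx 0 sec TCP PORT 3361
04/06/2001 08:52:41 Deny 198.235.216.130->xxx.xxx.xxx.xxx 0 sec UDP PORT 3427
04/06/2001 08:53:10 Deny 10.0.0.7->xxx.xxx.xxx.xxx 0 sec TCP PORT 80
"""

def parse(text):
    """Return (timestamp, src, proto, port) tuples for every line that matches."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
            events.append((ts, m["src"], m["proto"], int(m["port"])))
    return events

def slow_sweep_report(events, min_gap=5, max_gap=120, high_port=1024):
    """Group denied connections by source address and flag a source when its
    probes hit two or more distinct high ports with every gap between hits
    in [min_gap, max_gap] seconds (assumed thresholds for a slow sweep).
    Returns {src: {"ports": [...], "gaps": [...], "suspicious": bool}}."""
    by_src = defaultdict(list)
    for ts, src, proto, port in sorted(events):   # chronological order
        by_src[src].append((ts, proto, port))
    report = {}
    for src, hits in by_src.items():
        ports = sorted({p for _, _, p in hits})
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(hits, hits[1:])]
        slow = bool(gaps) and all(min_gap <= g <= max_gap for g in gaps)
        suspicious = len(ports) >= 2 and all(p >= high_port for p in ports) and slow
        report[src] = {"ports": ports, "gaps": gaps, "suspicious": suspicious}
    return report

if __name__ == "__main__":
    for src, info in slow_sweep_report(parse(SAMPLE_LOG)).items():
        print(src, info)
```

Because the source addresses may be spoofed, a flagged source identifies a pattern to investigate, not a host to blame; correlate it with your own DNS servers' traffic before drawing conclusions.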
