
Strange firewall log entries

An issue with my firewall has come up and I am not sure how to pursue it. About four days ago, a large amount of incoming traffic started showing up in our "Self Log." Currently we deny all incoming traffic. The traffic is all destined for odd high-number ports. Here is an example (with my IP represented by x):

04/06/2001 08:51:39 Deny>xxx.xxx.xxx.xxx 0 sec
04/06/2001 08:50:57 Deny>xxx.xxx.xxx.xxx 0 sec

The entries are staggered about 10-30 seconds apart, sometimes more. The Source IP changes every five or so entries.

We have been running our firewall for about four months now and this is the first time I have encountered this. I have looked up the source addresses, and most of them appear to be DNS servers.

Can you suggest a way to approach this problem or any direction I should take? Any help or insight would be great.

Without knowing what firewall is being used, what your configuration settings are and examining the rest of the logs, I cannot provide a definitive answer.

However, what it sounds like is that the firewall is doing what it is supposed to do. It is blocking unauthorized access. Remember that IP addresses are easily forged. So the fact that the access attempts appear to come from DNS servers is not surprising. Valid IPs for DNS servers can be found simply by using the "whois" tool for a few of your favorite domains. Each listing will have the DNS server names and IP addresses for it. An attacker could simply spoof their attacks to make it look like the attack is coming from there.

The fact that the source IP is changing and the entries are spaced apart is an indication that the attacker is trying to "stay under the radar" of intrusion detection systems.

What you probably have is nothing more than a ping sweep of your network using a tool that changes the source IP and does a slow scan so as not to be detected. By examination of your logs, you detected it. As long as your network is operating correctly, including your own DNS servers, it is likely that your firewall is simply doing its job. Again though, I can't say for certain without a thorough examination of all the logs. If you are truly concerned, you should consider bringing in a consultant that is familiar with your firewall to do a more thorough analysis than can be provided via "Ask the Expert."
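The triage the answer describes (are the entries slow, do the sources rotate every few entries, are many distinct high ports being hit) can be checked mechanically rather than by eye. The script below is an added example, not code from the original page or from any firewall vendor. Because the excerpt in the question shows only timestamp, action, destination and duration, the source address, source port and destination port are modelled here as assumed `src=IP:PORT` and `dport=` tokens (`LINE_RE` must be adapted to the real log format), and all three sample logs are constructed. It also adds one check the answer does not mention: deny entries from source port 53 to ephemeral ports are what late replies to your own resolver's queries look like once the firewall has forgotten the outbound query, so those should be ruled out against the resolver's logs before they are counted as an attack.

```python
"""Triage firewall "Deny" entries for a slow, source-rotating probe of
high-numbered ports. Added example; the line format below is an assumption,
not the questioner's actual firewall output."""
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Assumed (hypothetical) format: "MM/DD/YYYY HH:MM:SS Deny>dst src=IP:PORT dport=N 0 sec"
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+)>(?P<dst>\S+) src=(?P<src>[^:\s]+):(?P<sport>\d+) "
    r"dport=(?P<dport>\d+)"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    return {"ts": ts, "action": m["action"], "dst": m["dst"], "src": m["src"],
            "sport": int(m["sport"]), "dport": int(m["dport"])}

def summarize_denies(lines, slow_gap_s=10.0, max_run=6, min_sources=3):
    """Summarize denied entries and give a verdict on the pattern.
    slow_gap_s: median spacing (s) at or above which traffic counts as throttled.
    max_run:    longest run of consecutive entries from one source that still
                counts as "rotating" (the question reports about five).
    min_sources: distinct sources needed before calling it rotation."""
    events = [e for e in map(parse_line, lines) if e and e["action"] == "Deny"]
    events.sort(key=lambda e: e["ts"])
    n = len(events)
    if n < 2:
        return {"events": n, "verdict": "too few entries"}
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
    # Lengths of runs of consecutive entries that share a source address.
    run_lengths, run = [], 1
    for a, b in zip(events, events[1:]):
        if a["src"] == b["src"]:
            run += 1
        else:
            run_lengths.append(run)
            run = 1
    run_lengths.append(run)
    sources = Counter(e["src"] for e in events)
    high_ports = {e["dport"] for e in events if e["dport"] > 1023}
    # Source port 53 -> ephemeral port is the shape of a late DNS reply to a
    # query this site sent itself; rule that out before calling it an attack.
    dns_like = sum(1 for e in events if e["sport"] == 53 and e["dport"] > 1023)
    slow = median(gaps) >= slow_gap_s
    rotating = len(sources) >= min_sources and max(run_lengths) <= max_run
    many_high_ports = len(high_ports) >= max(5, n // 2)
    if dns_like == n:
        verdict = "all entries are port 53 to ephemeral ports; check resolver logs first"
    elif slow and rotating and many_high_ports:
        verdict = "slow scan with rotating source addresses"
    elif len(sources) == 1 and not slow:
        verdict = "burst from a single source"
    else:
        verdict = "no clear pattern"
    return {"events": n, "sources": len(sources), "max_run": max(run_lengths),
            "median_gap_s": median(gaps), "high_ports": len(high_ports),
            "dns_like": dns_like, "verdict": verdict}

# Constructed sample logs (documentation addresses, not real sources).
SCAN_LOG = """\
04/06/2001 08:50:57 Deny>xxx.xxx.xxx.xxx src=198.51.100.7:3321 dport=33434 0 sec
04/06/2001 08:51:12 Deny>xxx.xxx.xxx.xxx src=198.51.100.7:3322 dport=40123 0 sec
04/06/2001 08:51:39 Deny>xxx.xxx.xxx.xxx src=198.51.100.7:3323 dport=51010 0 sec
04/06/2001 08:52:01 Deny>xxx.xxx.xxx.xxx src=203.0.113.53:4410 dport=47777 0 sec
04/06/2001 08:52:20 Deny>xxx.xxx.xxx.xxx src=203.0.113.53:4411 dport=38201 0 sec
04/06/2001 08:52:45 Deny>xxx.xxx.xxx.xxx src=203.0.113.53:4412 dport=61000 0 sec
04/06/2001 08:53:07 Deny>xxx.xxx.xxx.xxx src=192.0.2.10:5100 dport=45500 0 sec
04/06/2001 08:53:30 Deny>xxx.xxx.xxx.xxx src=192.0.2.10:5101 dport=39999 0 sec
04/06/2001 08:53:58 Deny>xxx.xxx.xxx.xxx src=192.0.2.10:5102 dport=52222 0 sec
"""
DNS_REPLY_LOG = """\
04/06/2001 09:10:00 Deny>xxx.xxx.xxx.xxx src=203.0.113.53:53 dport=32901 0 sec
04/06/2001 09:10:41 Deny>xxx.xxx.xxx.xxx src=198.51.100.7:53 dport=32910 0 sec
04/06/2001 09:11:05 Deny>xxx.xxx.xxx.xxx src=203.0.113.53:53 dport=32944 0 sec
"""
BURST_LOG = """\
04/06/2001 09:20:00 Deny>xxx.xxx.xxx.xxx src=198.51.100.7:2000 dport=1434 0 sec
04/06/2001 09:20:01 Deny>xxx.xxx.xxx.xxx src=198.51.100.7:2001 dport=1434 0 sec
04/06/2001 09:20:02 Deny>xxx.xxx.xxx.xxx src=198.51.100.7:2002 dport=1434 0 sec
"""

if __name__ == "__main__":
    for name, log in (("scan", SCAN_LOG), ("dns", DNS_REPLY_LOG), ("burst", BURST_LOG)):
        print(name, summarize_denies(log.splitlines()))
```

The thresholds are starting points, not rules: a median gap of ten seconds or more and runs of no more than six entries per source match the spacing and rotation the question reports, and they should be tuned to what the site's baseline logs look like over a quiet day. The verdict is ordered so that the benign explanation (late DNS replies) is checked before the scan hypothesis, because a firewall that denies all inbound traffic will log exactly this kind of entry for any reply that arrives after its state entry for the outbound query has expired.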

This was last published in April 2001
