so would it be
shun 333.333.333.333 0.0.255.255 [x.x.x.x sport 25 [ip]]?
I have an Exchange server that's being attacked, I believe. The IP ranges are from 219.x.x.x to 222.x.x.x. How do I block these IPs in a PIX 506 firewall using version 6.2?
The problem with shun is that it doesn't have the facility to accept a subnet mask; it is for a single IP address only (look at the syntax given for the command: are any of the parameters a mask?).
If you want to block a range of IP addresses, you need to use an access-list. Chances are that you already have an access-list that is applied to the outside interface of your PIX, so you should only need to add rules to it.
As ManMaddy said, blocking such a large range of IPs could cause problems, but if you need to block it then do it, just remember to remove the block when the attack has finished. If the attack continues, then you should look into reporting it to the ISP/s that have been allocated the address range/s.
An example ACL would be:
access-list 101 deny ip 219.0.0.0 255.0.0.0 host <exchange_server_ip>
access-list 101 deny ip 220.0.0.0 255.0.0.0 host <exchange_server_ip>
access-list 101 deny ip 221.0.0.0 255.0.0.0 host <exchange_server_ip>
access-list 101 deny ip 222.0.0.0 255.0.0.0 host <exchange_server_ip>
If you are using NAT, make sure you put in the "real" IP address of your Exchange server, as this will be where the traffic is directed to. Also make sure that you put the lines above any lines in the ACL that allow access to your Exchange server, as it stops on the first match, so if it sees a "permit" before a "deny" then the traffic will be allowed.
If the attack is directed at a particular port, then you could block just that port (eg. I'm thinking SMTP), using an ACL like:
access-list 101 deny tcp 219.0.0.0 255.0.0.0 host <exchange_server_ip> eq 25
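An added example, not code from the answer above or from Cisco: a small Python model of how a PIX access-list is evaluated, parsing lines in the form shown and checking the two points the answer makes, that the mask has to cover the whole range you mean to block (PIX access-lists take ordinary subnet masks, so a /8 is 255.0.0.0) and that a deny placed below a matching permit never fires because evaluation stops at the first match. The Exchange address 192.168.10.18 and the three ACLs are constructed for the example; only "host <ip>" destinations are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port names the PIX accepts in place of numbers (only the one used here).
PORT_NAMES = {"smtp": 25}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol; otherwise "tcp" or "udp"
    src_net: str
    src_mask: str          # a subnet mask, not an IOS-style wildcard mask
    dst_host: str
    dport: Optional[int] = None


def parse_acl(text):
    """Parse lines like
    'access-list 101 deny ip 219.0.0.0 255.0.0.0 host 192.168.10.18 [eq 25]'.
    Source may be 'any', 'host <ip>' or '<net> <mask>'; destination must be 'host <ip>'."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        action, proto, pos = t[2], t[3], 4
        if t[pos] == "any":
            src_net, src_mask, pos = "0.0.0.0", "0.0.0.0", pos + 1
        elif t[pos] == "host":
            src_net, src_mask, pos = t[pos + 1], "255.255.255.255", pos + 2
        else:
            src_net, src_mask, pos = t[pos], t[pos + 1], pos + 2
        if t[pos] != "host":
            raise ValueError("only 'host <ip>' destinations are modelled here")
        dst_host, pos = t[pos + 1], pos + 2
        dport = None
        if pos < len(t) and t[pos] == "eq":
            dport = PORT_NAMES.get(t[pos + 1]) or int(t[pos + 1])
        # Validate the mask up front so a typo such as 255.225.255.0 fails loudly.
        ipaddress.IPv4Network((src_net, src_mask), strict=False)
        rules.append(Rule(action, proto, src_net, src_mask, dst_host, dport))
    return rules


def evaluate(acl, src_ip, dst_ip, proto="tcp", dport=25):
    """Walk the list top-down and stop at the first match, as the PIX does.
    Returns (action, rule_index); no match means the implicit deny at the end."""
    src = ipaddress.IPv4Address(src_ip)
    for i, r in enumerate(acl):
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in ipaddress.IPv4Network((r.src_net, r.src_mask), strict=False):
            continue
        if r.dst_host != dst_ip:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return "deny", None


EXCHANGE = "192.168.10.18"   # constructed inside ("real") address of the Exchange server

# Denies first, permit last: the four /8 blocks are dropped, everyone else reaches port 25.
GOOD_ORDER = f"""
access-list 101 deny ip 219.0.0.0 255.0.0.0 host {EXCHANGE}
access-list 101 deny ip 220.0.0.0 255.0.0.0 host {EXCHANGE}
access-list 101 deny ip 221.0.0.0 255.0.0.0 host {EXCHANGE}
access-list 101 deny ip 222.0.0.0 255.0.0.0 host {EXCHANGE}
access-list 101 permit tcp any host {EXCHANGE} eq smtp
"""

# The same lines with the permit on top: the denies are never reached for SMTP.
BAD_ORDER = f"""
access-list 101 permit tcp any host {EXCHANGE} eq smtp
access-list 101 deny ip 219.0.0.0 255.0.0.0 host {EXCHANGE}
access-list 101 deny ip 220.0.0.0 255.0.0.0 host {EXCHANGE}
"""

# A /24 mask where a /8 was meant: only 219.0.0.0-219.0.0.255 is blocked.
NARROW_MASK = f"""
access-list 101 deny ip 219.0.0.0 255.255.255.0 host {EXCHANGE}
access-list 101 permit tcp any host {EXCHANGE} eq smtp
"""

if __name__ == "__main__":
    for name, text in [("good order", GOOD_ORDER), ("bad order", BAD_ORDER), ("narrow mask", NARROW_MASK)]:
        acl = parse_acl(text)
        print(name, "219.130.9.219 ->", evaluate(acl, "219.130.9.219", EXCHANGE),
              "| 24.1.139.140 ->", evaluate(acl, "24.1.139.140", EXCHANGE))
```

The model deliberately treats a malformed mask as an error rather than guessing, which is the behaviour you want from any tool that generates or reviews firewall rules.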
May I suggest that rather than block out a whole section of the Internet, you look at an IPS or something similar which can see anomalous traffic and block it as it comes? If it is just your mail server, think about a host-based IDS that will drop rubbish at the interface.
trimmer11 !!!
<snip>
That entire subnet belongs to Asia, so who cares if you block it. They are unmonitored and do not have any recourse for improper use. I block N Korea subnets myself for this very issue.
<snip>
What? What an incredibly ridiculous generalisation. I have done several implementations in Korea and they have some of the most sophisticated SOCs in the world. Multi-tiered heterogeneous firewall environments years ahead, in some cases, of their US corporate counterparts.
Unmonitored? How monitored is your home DSL network? Monitored by the FBI maybe but they aren't there to stop attempted attacks. The cybercrime divisions of the police in South Korea, Taiwan and Hong Kong are some of the most advanced in the world. If you have an issue with traffic from a source there (and I am assuming that you have the skills to trace it) then you can report it in the same manner as you would do any law enforcement agency in the US, Europe or Australia.
Also I think you should have a look at the amount of malignant traffic flying around the world sourced from US networks - the statistics back me up. (I am making an assumption that you are American, typically I see only this kind of ignorance from a *few* people there - who I have been told are an embarrassment to globally aware Americans)
You have written off the whole of Asia and I personally take offence - you know not of what you speak. I suppose nobody in the US does business with anyone in the whole of Asia? Also this is a *global forum* - please treat people from other continents here with respect.
Let's take a step back here guys, firstly before someone kicks off World War 3, and secondly because there is no real evidence that staboogie is being attacked!
Staboogie - what leads you to believe your Exchange server is being attacked? Do you have some logs to show?
If it's large amounts of SPAM you're suffering from, then the blacklists from ORBS, Spamhaus etc. should do this, in conjunction with a good Exchange mail content filtering application (e.g. MAILsweeper).
There is also built-in IDS functionality on the PIX that you can configure with the 'ip audit' command - maybe this will show you whether or not these are 'real' attacks?
Here they are. Netstat from my exchange server
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:1028 127.0.0.1:1070 ESTABLISHED
TCP 127.0.0.1:1065 127.0.0.1:1069 ESTABLISHED
TCP 127.0.0.1:1069 127.0.0.1:1065 ESTABLISHED
TCP 127.0.0.1:1070 127.0.0.1:1028 ESTABLISHED
TCP 127.0.0.1:1077 127.0.0.1:1081 ESTABLISHED
TCP 127.0.0.1:1081 127.0.0.1:1077 ESTABLISHED
TCP 127.0.0.1:1082 127.0.0.1:1086 ESTABLISHED
TCP 127.0.0.1:1086 127.0.0.1:1082 ESTABLISHED
TCP 127.0.0.1:1088 127.0.0.1:1092 ESTABLISHED
TCP 127.0.0.1:1092 127.0.0.1:1088 ESTABLISHED
TCP 127.0.0.1:1155 127.0.0.1:1158 ESTABLISHED
TCP 127.0.0.1:1158 127.0.0.1:1155 ESTABLISHED
TCP 192.168.10.18:25 4.8.104.83:3329 TIME_WAIT
TCP 192.168.10.18:25 4.47.223.97:2521 TIME_WAIT
TCP 192.168.10.18:25 12.217.237.149:2447 TIME_WAIT
TCP 192.168.10.18:25 12.217.237.149:4874 TIME_WAIT
TCP 192.168.10.18:25 24.1.139.140:4033 TIME_WAIT
TCP 192.168.10.18:25 24.2.23.195:3882 TIME_WAIT
TCP 192.168.10.18:25 24.6.154.100:3814 TIME_WAIT
TCP 192.168.10.18:25 24.10.2.211:4647 TIME_WAIT
TCP 192.168.10.18:25 24.14.74.39:34764 CLOSE_WAIT
TCP 192.168.10.18:25 24.14.74.39:60364 TIME_WAIT
TCP 192.168.10.18:25 24.20.99.218:4688 TIME_WAIT
TCP 192.168.10.18:25 24.20.99.218:4696 CLOSE_WAIT
TCP 192.168.10.18:25 24.20.195.153:60805 TIME_WAIT
TCP 192.168.10.18:25 24.20.195.153:60813 CLOSE_WAIT
TCP 192.168.10.18:25 24.42.162.219:1233 TIME_WAIT
TCP 192.168.10.18:25 24.42.162.219:1259 TIME_WAIT
TCP 192.168.10.18:25 24.83.218.92:4001 CLOSING
TCP 192.168.10.18:25 24.107.145.174:1862 TIME_WAIT
TCP 192.168.10.18:25 24.112.132.39:3494 TIME_WAIT
TCP 192.168.10.18:25 24.112.132.39:3502 TIME_WAIT
TCP 192.168.10.18:25 24.112.132.39:3503 TIME_WAIT
TCP 192.168.10.18:25 24.118.164.74:21073 CLOSING
TCP 192.168.10.18:25 24.125.111.48:1836 TIME_WAIT
TCP 192.168.10.18:25 24.132.206.138:3865 TIME_WAIT
TCP 192.168.10.18:25 24.166.104.95:2532 TIME_WAIT
TCP 192.168.10.18:25 24.174.97.193:4008 TIME_WAIT
TCP 192.168.10.18:25 24.199.192.89:4467 TIME_WAIT
TCP 192.168.10.18:25 24.233.59.242:2941 TIME_WAIT
TCP 192.168.10.18:25 61.34.206.185:1507 TIME_WAIT
TCP 192.168.10.18:25 61.36.37.34:4755 TIME_WAIT
TCP 192.168.10.18:25 61.36.37.34:4882 TIME_WAIT
TCP 192.168.10.18:25 61.36.37.34:4926 TIME_WAIT
TCP 192.168.10.18:25 61.36.37.34:4928 TIME_WAIT
TCP 192.168.10.18:25 61.49.150.12:64679 CLOSING
TCP 192.168.10.18:25 61.53.244.106:1542 TIME_WAIT
TCP 192.168.10.18:25 61.53.244.106:1736 TIME_WAIT
TCP 192.168.10.18:25 61.53.244.106:1737 TIME_WAIT
TCP 192.168.10.18:25 61.101.37.59:1252 TIME_WAIT
TCP 192.168.10.18:25 61.101.37.59:1260 TIME_WAIT
TCP 192.168.10.18:25 61.101.37.59:1261 TIME_WAIT
TCP 192.168.10.18:25 61.111.58.11:4691 CLOSING
TCP 192.168.10.18:25 61.129.70.84:3459 TIME_WAIT
TCP 192.168.10.18:25 61.129.70.84:3461 TIME_WAIT
TCP 192.168.10.18:25 61.129.70.84:3468 TIME_WAIT
TCP 192.168.10.18:25 61.131.59.190:1329 CLOSING
TCP 192.168.10.18:25 61.133.63.113:2333 TIME_WAIT
TCP 192.168.10.18:25 61.134.112.124:2480 TIME_WAIT
TCP 192.168.10.18:25 61.134.112.124:2488 TIME_WAIT
TCP 192.168.10.18:25 61.144.50.85:2316 CLOSING
TCP 192.168.10.18:25 61.144.107.227:2065 CLOSING
TCP 192.168.10.18:25 61.144.182.60:39287 TIME_WAIT
TCP 192.168.10.18:25 61.155.235.194:1696 LAST_ACK
TCP 192.168.10.18:25 61.171.117.118:3832 CLOSING
TCP 192.168.10.18:25 61.172.148.187:3532 TIME_WAIT
TCP 192.168.10.18:25 61.172.148.187:3590 TIME_WAIT
TCP 192.168.10.18:25 61.172.148.187:3604 TIME_WAIT
TCP 192.168.10.18:25 61.172.148.187:3608 CLOSE_WAIT
TCP 192.168.10.18:25 61.177.42.226:1212 CLOSING
TCP 192.168.10.18:25 61.177.42.226:4403 CLOSING
TCP 192.168.10.18:25 61.179.111.146:7738 TIME_WAIT
TCP 192.168.10.18:25 61.179.111.146:12752 TIME_WAIT
TCP 192.168.10.18:25 61.179.111.146:16755 TIME_WAIT
TCP 192.168.10.18:25 61.179.111.146:56967 CLOSE_WAIT
TCP 192.168.10.18:25 61.179.111.146:60220 TIME_WAIT
TCP 192.168.10.18:25 61.187.64.195:28610 CLOSING
TCP 192.168.10.18:25 61.187.64.195:46557 CLOSING
TCP 192.168.10.18:25 61.189.203.10:21028 CLOSING
TCP 192.168.10.18:25 61.189.203.10:21035 CLOSING
TCP 192.168.10.18:25 61.189.203.10:21037 CLOSING
TCP 192.168.10.18:25 62.16.0.172:33004 TIME_WAIT
TCP 192.168.10.18:25 62.16.154.110:2767 TIME_WAIT
TCP 192.168.10.18:25 62.43.34.163:4210 TIME_WAIT
TCP 192.168.10.18:25 62.195.31.92:2896 TIME_WAIT
TCP 192.168.10.18:25 62.197.161.190:2726 CLOSE_WAIT
TCP 192.168.10.18:25 62.248.36.67:2156 TIME_WAIT
TCP 192.168.10.18:25 62.248.36.67:2161 TIME_WAIT
TCP 192.168.10.18:25 62.248.36.67:2164 TIME_WAIT
TCP 192.168.10.18:25 63.228.226.145:25565 TIME_WAIT
TCP 192.168.10.18:25 64.7.202.66:48622 TIME_WAIT
TCP 192.168.10.18:25 64.86.141.176:13254 TIME_WAIT
TCP 192.168.10.18:25 64.86.141.176:13493 TIME_WAIT
TCP 192.168.10.18:25 64.86.141.176:13495 TIME_WAIT
TCP 192.168.10.18:25 65.48.90.155:3589 CLOSING
TCP 192.168.10.18:25 65.96.82.132:2965 TIME_WAIT
TCP 192.168.10.18:25 65.96.82.132:3005 TIME_WAIT
TCP 192.168.10.18:25 66.24.236.10:44677 TIME_WAIT
TCP 192.168.10.18:25 66.24.236.10:44679 TIME_WAIT
TCP 192.168.10.18:25 66.55.169.119:46114 TIME_WAIT
TCP 192.168.10.18:25 66.76.145.135:64579 CLOSING
TCP 192.168.10.18:25 66.103.243.198:49900 ESTABLISHED
TCP 192.168.10.18:25 66.131.224.28:2815 CLOSE_WAIT
TCP 192.168.10.18:25 66.214.208.124:1726 ESTABLISHED
TCP 192.168.10.18:25 66.235.16.143:20543 FIN_WAIT_1
TCP 192.168.10.18:25 66.235.59.8:2076 FIN_WAIT_1
TCP 192.168.10.18:25 66.235.59.8:2183 FIN_WAIT_1
TCP 192.168.10.18:25 66.235.59.8:2269 FIN_WAIT_1
TCP 192.168.10.18:25 67.8.58.224:2629 TIME_WAIT
TCP 192.168.10.18:25 67.164.116.159:4931 TIME_WAIT
TCP 192.168.10.18:25 67.166.57.43:3126 TIME_WAIT
TCP 192.168.10.18:25 67.166.57.43:3137 TIME_WAIT
TCP 192.168.10.18:25 67.166.57.43:3139 TIME_WAIT
TCP 192.168.10.18:25 67.167.0.245:3906 TIME_WAIT
TCP 192.168.10.18:25 68.54.94.87:3030 TIME_WAIT
TCP 192.168.10.18:25 68.80.102.246:3031 TIME_WAIT
TCP 192.168.10.18:25 68.82.77.83:2896 TIME_WAIT
TCP 192.168.10.18:25 68.82.77.83:2898 TIME_WAIT
TCP 192.168.10.18:25 68.89.137.212:1449 TIME_WAIT
TCP 192.168.10.18:25 68.103.47.246:4556 TIME_WAIT
TCP 192.168.10.18:25 68.103.47.246:4558 TIME_WAIT
TCP 192.168.10.18:25 68.103.47.246:4581 TIME_WAIT
TCP 192.168.10.18:25 68.103.85.36:4891 TIME_WAIT
TCP 192.168.10.18:25 68.118.251.132:2967 ESTABLISHED
TCP 192.168.10.18:25 68.188.199.110:4040 TIME_WAIT
TCP 192.168.10.18:25 68.233.24.221:4550 TIME_WAIT
TCP 192.168.10.18:25 69.1.226.136:58975 TIME_WAIT
TCP 192.168.10.18:25 69.1.226.136:58987 TIME_WAIT
TCP 192.168.10.18:25 69.1.226.136:59020 TIME_WAIT
TCP 192.168.10.18:25 69.1.226.136:59026 TIME_WAIT
TCP 192.168.10.18:25 69.47.65.55:3697 CLOSE_WAIT
TCP 192.168.10.18:25 69.138.28.215:19806 CLOSE_WAIT
TCP 192.168.10.18:25 69.138.28.215:19831 TIME_WAIT
TCP 192.168.10.18:25 69.138.28.215:19833 TIME_WAIT
TCP 192.168.10.18:25 69.144.29.94:4027 TIME_WAIT
TCP 192.168.10.18:25 69.148.51.238:3065 TIME_WAIT
TCP 192.168.10.18:25 80.81.43.243:4536 TIME_WAIT
TCP 192.168.10.18:25 80.81.43.243:4545 ESTABLISHED
TCP 192.168.10.18:25 80.117.252.46:38776 TIME_WAIT
TCP 192.168.10.18:25 80.221.107.226:3358 TIME_WAIT
TCP 192.168.10.18:25 80.230.92.118:35044 TIME_WAIT
TCP 192.168.10.18:25 81.7.73.155:57026 LAST_ACK
TCP 192.168.10.18:25 81.39.217.220:15583 TIME_WAIT
TCP 192.168.10.18:25 81.39.217.220:15591 TIME_WAIT
TCP 192.168.10.18:25 81.39.217.220:15601 TIME_WAIT
TCP 192.168.10.18:25 81.56.108.45:2196 TIME_WAIT
TCP 192.168.10.18:25 81.62.180.20:2550 TIME_WAIT
TCP 192.168.10.18:25 81.166.42.108:1582 TIME_WAIT
TCP 192.168.10.18:25 81.166.42.108:1585 TIME_WAIT
TCP 192.168.10.18:25 81.215.107.84:1213 CLOSING
TCP 192.168.10.18:25 82.212.36.13:3819 TIME_WAIT
TCP 192.168.10.18:25 146.82.220.227:6858 TIME_WAIT
TCP 192.168.10.18:25 146.82.220.229:7605 TIME_WAIT
TCP 192.168.10.18:25 165.21.29.116:1259 CLOSING
TCP 192.168.10.18:25 168.160.228.136:1936 LAST_ACK
TCP 192.168.10.18:25 194.41.105.104:4442 LAST_ACK
TCP 192.168.10.18:25 194.108.48.34:4826 TIME_WAIT
TCP 192.168.10.18:25 194.108.48.34:4827 TIME_WAIT
TCP 192.168.10.18:25 202.99.170.37:45852 TIME_WAIT
TCP 192.168.10.18:25 202.102.138.24:54742 TIME_WAIT
TCP 192.168.10.18:25 202.102.138.24:56064 TIME_WAIT
TCP 192.168.10.18:25 202.108.45.80:42497 LAST_ACK
TCP 192.168.10.18:25 202.108.45.82:37244 LAST_ACK
TCP 192.168.10.18:25 202.108.45.82:50867 CLOSING
TCP 192.168.10.18:25 202.108.252.135:60233 LAST_ACK
TCP 192.168.10.18:25 202.109.202.2:20347 FIN_WAIT_1
TCP 192.168.10.18:25 203.45.232.59:4130 CLOSING
TCP 192.168.10.18:25 203.131.162.24:2147 TIME_WAIT
TCP 192.168.10.18:25 203.145.183.157:3443 CLOSING
TCP 192.168.10.18:25 203.193.138.2:4929 TIME_WAIT
TCP 192.168.10.18:25 206.230.0.61:4235 TIME_WAIT
TCP 192.168.10.18:25 207.193.229.60:3140 TIME_WAIT
TCP 192.168.10.18:25 207.193.229.60:3147 TIME_WAIT
TCP 192.168.10.18:25 207.217.120.148:52937 ESTABLISHED
TCP 192.168.10.18:25 207.248.43.188:4119 TIME_WAIT
TCP 192.168.10.18:25 209.89.12.6:65291 TIME_WAIT
TCP 192.168.10.18:25 209.225.8.184:40005 TIME_WAIT
TCP 192.168.10.18:25 210.22.199.126:43641 TIME_WAIT
TCP 192.168.10.18:25 210.83.9.198:2489 TIME_WAIT
TCP 192.168.10.18:25 210.83.9.198:2510 TIME_WAIT
TCP 192.168.10.18:25 210.83.9.198:2514 TIME_WAIT
TCP 192.168.10.18:25 210.83.9.198:2642 TIME_WAIT
TCP 192.168.10.18:25 210.83.9.198:2653 TIME_WAIT
TCP 192.168.10.18:25 210.190.142.180:63904 TIME_WAIT
TCP 192.168.10.18:25 210.217.94.234:3359 TIME_WAIT
TCP 192.168.10.18:25 210.217.94.234:3361 CLOSE_WAIT
TCP 192.168.10.18:25 210.222.84.116:1887 TIME_WAIT
TCP 192.168.10.18:25 210.222.84.116:1933 TIME_WAIT
TCP 192.168.10.18:25 210.222.84.116:1935 TIME_WAIT
TCP 192.168.10.18:25 211.33.43.150:2484 CLOSING
TCP 192.168.10.18:25 211.54.197.83:3265 TIME_WAIT
TCP 192.168.10.18:25 211.63.3.1:62890 ESTABLISHED
TCP 192.168.10.18:25 211.99.42.206:46243 LAST_ACK
TCP 192.168.10.18:25 211.113.244.202:4393 CLOSE_WAIT
TCP 192.168.10.18:25 211.144.168.60:11531 TIME_WAIT
TCP 192.168.10.18:25 211.144.171.61:5324 CLOSING
TCP 192.168.10.18:25 211.147.255.135:37886 CLOSING
TCP 192.168.10.18:25 211.147.255.135:40535 CLOSING
TCP 192.168.10.18:25 211.147.255.135:41580 TIME_WAIT
TCP 192.168.10.18:25 211.158.92.126:20973 TIME_WAIT
TCP 192.168.10.18:25 211.194.117.32:2333 TIME_WAIT
TCP 192.168.10.18:25 211.194.145.222:3483 TIME_WAIT
TCP 192.168.10.18:25 211.194.145.222:3485 TIME_WAIT
TCP 192.168.10.18:25 211.202.173.184:3244 TIME_WAIT
TCP 192.168.10.18:25 211.202.173.184:3254 TIME_WAIT
TCP 192.168.10.18:25 211.202.173.184:3255 TIME_WAIT
TCP 192.168.10.18:25 211.214.91.8:1542 TIME_WAIT
TCP 192.168.10.18:25 211.215.24.126:3420 TIME_WAIT
TCP 192.168.10.18:25 211.216.136.94:24530 TIME_WAIT
TCP 192.168.10.18:25 211.216.136.94:24542 TIME_WAIT
TCP 192.168.10.18:25 211.239.91.74:1510 TIME_WAIT
TCP 192.168.10.18:25 213.44.244.149:4487 TIME_WAIT
TCP 192.168.10.18:25 213.44.244.149:4505 CLOSE_WAIT
TCP 192.168.10.18:25 213.44.244.149:4525 TIME_WAIT
TCP 192.168.10.18:25 213.120.97.109:1768 TIME_WAIT
TCP 192.168.10.18:25 213.120.97.109:1774 TIME_WAIT
TCP 192.168.10.18:25 213.199.192.98:2089 TIME_WAIT
TCP 192.168.10.18:25 213.199.192.98:2094 TIME_WAIT
TCP 192.168.10.18:25 213.245.76.91:1510 CLOSING
TCP 192.168.10.18:25 217.225.67.216:3908 TIME_WAIT
TCP 192.168.10.18:25 217.225.67.216:3946 TIME_WAIT
TCP 192.168.10.18:25 218.4.199.42:1500 TIME_WAIT
TCP 192.168.10.18:25 218.4.199.42:1629 TIME_WAIT
TCP 192.168.10.18:25 218.5.67.206:2397 CLOSING
TCP 192.168.10.18:25 218.5.109.19:4704 CLOSING
TCP 192.168.10.18:25 218.6.38.51:2620 CLOSING
TCP 192.168.10.18:25 218.6.38.51:2850 CLOSING
TCP 192.168.10.18:25 218.6.140.8:2690 CLOSING
TCP 192.168.10.18:25 218.6.140.8:2934 TIME_WAIT
TCP 192.168.10.18:25 218.7.35.101:1025 TIME_WAIT
TCP 192.168.10.18:25 218.7.35.101:1026 CLOSING
TCP 192.168.10.18:25 218.7.35.101:1027 TIME_WAIT
TCP 192.168.10.18:25 218.9.186.84:4739 CLOSING
TCP 192.168.10.18:25 218.11.89.91:21934 CLOSING
TCP 192.168.10.18:25 218.11.89.91:38902 CLOSING
TCP 192.168.10.18:25 218.11.89.192:2617 CLOSING
TCP 192.168.10.18:25 218.11.245.132:3121 CLOSING
TCP 192.168.10.18:25 218.11.245.132:3239 CLOSING
TCP 192.168.10.18:25 218.11.245.132:4364 CLOSING
TCP 192.168.10.18:25 218.11.245.132:4669 CLOSING
TCP 192.168.10.18:25 218.11.245.132:4871 CLOSING
TCP 192.168.10.18:25 218.15.245.218:63695 TIME_WAIT
TCP 192.168.10.18:25 218.15.245.218:65003 CLOSING
TCP 192.168.10.18:25 218.15.245.218:65047 TIME_WAIT
TCP 192.168.10.18:25 218.16.76.238:3328 LAST_ACK
TCP 192.168.10.18:25 218.16.131.118:64012 CLOSING
TCP 192.168.10.18:25 218.16.232.206:4932 CLOSING
TCP 192.168.10.18:25 218.16.232.206:4978 CLOSING
TCP 192.168.10.18:25 218.17.73.181:1819 CLOSING
TCP 192.168.10.18:25 218.17.83.174:63393 CLOSING
TCP 192.168.10.18:25 218.17.243.205:12935 CLOSING
TCP 192.168.10.18:25 218.17.243.205:25712 CLOSE_WAIT
TCP 192.168.10.18:25 218.17.243.205:36125 CLOSING
TCP 192.168.10.18:25 218.17.243.205:40804 CLOSING
TCP 192.168.10.18:25 218.17.243.205:55845 CLOSING
TCP 192.168.10.18:25 218.17.243.205:61226 CLOSING
TCP 192.168.10.18:25 218.18.86.10:46528 CLOSING
TCP 192.168.10.18:25 218.18.222.184:1451 CLOSING
TCP 192.168.10.18:25 218.19.48.72:50670 CLOSING
TCP 192.168.10.18:25 218.20.115.36:63787 LAST_ACK
TCP 192.168.10.18:25 218.22.1.146:2130 CLOSING
TCP 192.168.10.18:25 218.26.222.48:2316 TIME_WAIT
TCP 192.168.10.18:25 218.26.222.48:2335 TIME_WAIT
TCP 192.168.10.18:25 218.26.222.48:2336 TIME_WAIT
TCP 192.168.10.18:25 218.27.205.7:1093 TIME_WAIT
TCP 192.168.10.18:25 218.27.205.7:2709 CLOSING
TCP 192.168.10.18:25 218.53.255.118:3570 TIME_WAIT
TCP 192.168.10.18:25 218.53.255.118:3578 TIME_WAIT
TCP 192.168.10.18:25 218.53.255.118:3609 TIME_WAIT
TCP 192.168.10.18:25 218.53.255.118:3636 TIME_WAIT
TCP 192.168.10.18:25 218.53.255.118:3637 TIME_WAIT
TCP 192.168.10.18:25 218.56.20.2:4160 TIME_WAIT
TCP 192.168.10.18:25 218.56.20.2:17667 TIME_WAIT
TCP 192.168.10.18:25 218.56.20.2:53744 TIME_WAIT
TCP 192.168.10.18:25 218.58.239.143:2248 TIME_WAIT
TCP 192.168.10.18:25 218.58.239.143:2295 TIME_WAIT
TCP 192.168.10.18:25 218.58.239.143:2304 TIME_WAIT
TCP 192.168.10.18:25 218.59.99.213:21073 CLOSE_WAIT
TCP 192.168.10.18:25 218.59.110.216:44005 TIME_WAIT
TCP 192.168.10.18:25 218.59.110.216:44031 TIME_WAIT
TCP 192.168.10.18:25 218.62.81.254:15203 CLOSING
TCP 192.168.10.18:25 218.62.81.254:17655 CLOSING
TCP 192.168.10.18:25 218.62.81.254:22804 TIME_WAIT
TCP 192.168.10.18:25 218.66.83.72:64967 CLOSING
TCP 192.168.10.18:25 218.68.235.32:2524 LAST_ACK
TCP 192.168.10.18:25 218.68.235.32:4052 CLOSING
TCP 192.168.10.18:25 218.69.106.158:2436 CLOSING
TCP 192.168.10.18:25 218.69.212.79:41869 CLOSING
TCP 192.168.10.18:25 218.70.58.69:1717 CLOSING
TCP 192.168.10.18:25 218.75.146.145:3873 CLOSING
TCP 192.168.10.18:25 218.75.235.26:3267 CLOSING
TCP 192.168.10.18:25 218.76.176.98:1027 CLOSING
TCP 192.168.10.18:25 218.77.90.156:45578 CLOSING
TCP 192.168.10.18:25 218.77.90.156:45761 SYN_RECEIVED
TCP 192.168.10.18:25 218.85.133.90:3615 CLOSING
TCP 192.168.10.18:25 218.88.65.24:1044 CLOSING
TCP 192.168.10.18:25 218.88.65.24:4968 CLOSING
TCP 192.168.10.18:25 218.89.146.127:14958 CLOSING
TCP 192.168.10.18:25 218.90.222.46:1746 CLOSE_WAIT
TCP 192.168.10.18:25 218.104.47.183:17575 TIME_WAIT
TCP 192.168.10.18:25 218.108.35.86:1698 LAST_ACK
TCP 192.168.10.18:25 218.108.252.54:20889 TIME_WAIT
TCP 192.168.10.18:25 218.109.194.235:3374 LAST_ACK
TCP 192.168.10.18:25 218.144.56.162:3782 TIME_WAIT
TCP 192.168.10.18:25 218.144.56.162:3820 CLOSE_WAIT
TCP 192.168.10.18:25 218.144.56.162:3859 TIME_WAIT
TCP 192.168.10.18:25 218.162.168.171:64806 TIME_WAIT
TCP 192.168.10.18:25 218.162.168.171:65297 TIME_WAIT
TCP 192.168.10.18:25 218.163.27.33:3450 TIME_WAIT
TCP 192.168.10.18:25 218.163.27.33:3473 TIME_WAIT
TCP 192.168.10.18:25 218.163.27.33:3474 TIME_WAIT
TCP 192.168.10.18:25 218.238.118.171:3094 TIME_WAIT
TCP 192.168.10.18:25 218.244.59.202:4669 CLOSING
TCP 192.168.10.18:25 218.244.59.203:1769 TIME_WAIT
TCP 192.168.10.18:25 218.244.59.203:1783 TIME_WAIT
TCP 192.168.10.18:25 218.244.59.203:1785 CLOSING
TCP 192.168.10.18:25 219.130.9.219:64407 CLOSING
TCP 192.168.10.18:25 219.130.46.134:33194 CLOSING
TCP 192.168.10.18:25 219.133.19.118:40266 CLOSING
TCP 192.168.10.18:25 219.133.19.118:40657 CLOSING
TCP 192.168.10.18:25 219.133.84.50:2009 CLOSING
TCP 192.168.10.18:25 219.137.174.164:41375 CLOSING
TCP 192.168.10.18:25 219.138.96.226:1356 CLOSING
TCP 192.168.10.18:25 219.138.96.226:1385 CLOSING
TCP 192.168.10.18:25 219.138.96.226:2977 CLOSE_WAIT
TCP 192.168.10.18:25 219.138.96.226:2985 TIME_WAIT
TCP 192.168.10.18:25 219.139.32.35:2979 CLOSING
TCP 192.168.10.18:25 219.139.32.37:1633 CLOSING
TCP 192.168.10.18:25 219.144.194.146:1166 CLOSE_WAIT
TCP 192.168.10.18:25 219.148.175.103:1613 TIME_WAIT
TCP 192.168.10.18:25 219.149.102.34:41118 TIME_WAIT
TCP 192.168.10.18:25 219.149.102.34:41257 TIME_WAIT
TCP 192.168.10.18:25 219.149.102.34:41264 CLOSE_WAIT
TCP 192.168.10.18:25 219.159.161.25:12537 CLOSING
TCP 192.168.10.18:25 219.159.209.200:50117 CLOSING
TCP 192.168.10.18:25 219.159.215.23:28532 CLOSING
TCP 192.168.10.18:25 219.237.111.45:2609 FIN_WAIT_1
TCP 192.168.10.18:25 219.237.111.45:2859 TIME_WAIT
TCP 192.168.10.18:25 219.237.111.45:2957 CLOSING
TCP 192.168.10.18:25 219.237.111.45:3041 TIME_WAIT
TCP 192.168.10.18:25 219.249.135.89:2479 TIME_WAIT
TCP 192.168.10.18:25 220.71.133.119:32903 TIME_WAIT
TCP 192.168.10.18:25 220.77.86.222:1316 TIME_WAIT
TCP 192.168.10.18:25 220.87.181.191:1556 TIME_WAIT
TCP 192.168.10.18:25 220.92.20.14:2592 TIME_WAIT
TCP 192.168.10.18:25 220.116.81.78:3000 TIME_WAIT
TCP 192.168.10.18:25 220.116.81.78:3006 TIME_WAIT
TCP 192.168.10.18:25 220.116.81.78:3007 TIME_WAIT
TCP 192.168.10.18:25 220.116.244.225:1993 TIME_WAIT
TCP 192.168.10.18:25 220.161.42.200:63383 CLOSING
TCP 192.168.10.18:25 220.163.26.89:64133 CLOSING
TCP 192.168.10.18:25 220.163.26.89:64589 CLOSING
TCP 192.168.10.18:25 220.168.142.244:10728 CLOSING
TCP 192.168.10.18:25 220.168.142.244:10732 TIME_WAIT
TCP 192.168.10.18:25 220.168.143.33:2113 CLOSING
TCP 192.168.10.18:25 220.244.21.94:3244 TIME_WAIT
TCP 192.168.10.18:25 220.244.21.94:3250 TIME_WAIT
TCP 192.168.10.18:25 221.127.161.148:4461 TIME_WAIT
TCP 192.168.10.18:25 221.168.197.119:1232 TIME_WAIT
TCP 192.168.10.18:25 221.196.90.202:36934 CLOSING
TCP 192.168.10.18:25 221.196.147.47:2215 TIME_WAIT
TCP 192.168.10.18:25 221.196.147.47:2277 TIME_WAIT
TCP 192.168.10.18:25 221.196.147.47:2280 TIME_WAIT
TCP 192.168.10.18:25 221.205.196.25:4716 LAST_ACK
TCP 192.168.10.18:25 221.205.208.22:21126 TIME_WAIT
TCP 192.168.10.18:25 221.205.208.22:21128 TIME_WAIT
I'm not trying to offend any nation. I saw that the 218-221 seem to be Asian IPs, but I also have a problem with the 61-68 and I was told that most of those are in Georgia. I didn't think that it was spam because the problem is the ports don't close. Thank you all for any advice.
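An added example, not part of the thread: a Python parser for Windows "netstat -n" output of the kind posted above, summarising what is talking to the SMTP listener by TCP state and by first octet, so the question "block 219-222?" can be answered from the data (how many distinct hosts are actually in that range, and how many connections are sitting in teardown states) rather than from a glance at the list. The netstat lines below are constructed for the example; a few addresses mirror the posted output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout Windows netstat prints (header, then one line per socket).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1028         127.0.0.1:1070         ESTABLISHED
  TCP    192.168.10.18:25       24.1.139.140:4033      TIME_WAIT
  TCP    192.168.10.18:25       24.14.74.39:34764      CLOSE_WAIT
  TCP    192.168.10.18:25       61.36.37.34:4755       TIME_WAIT
  TCP    192.168.10.18:25       61.36.37.34:4882       TIME_WAIT
  TCP    192.168.10.18:25       66.103.243.198:49900   ESTABLISHED
  TCP    192.168.10.18:25       218.11.245.132:3121    CLOSING
  TCP    192.168.10.18:25       218.11.245.132:3239    CLOSING
  TCP    192.168.10.18:25       218.77.90.156:45761    SYN_RECEIVED
  TCP    192.168.10.18:25       219.130.9.219:64407    CLOSING
  TCP    192.168.10.18:25       219.237.111.45:2609    FIN_WAIT_1
  TCP    192.168.10.18:25       220.116.81.78:3000     TIME_WAIT
  TCP    192.168.10.18:3389     10.0.0.5:51000         ESTABLISHED
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

# States in which the connection is being torn down; CLOSE_WAIT in particular means the
# local application has not yet closed its end, which is worth knowing when "ports don't close".
TEARDOWN_STATES = {"FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "CLOSE_WAIT", "LAST_ACK"}


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                      "remote_ip": rip, "remote_port": int(rport) if rport.isdigit() else None,
                      "state": state or "-"})
    return conns


def smtp_summary(conns, local_port=25):
    """Summarise the remote side of every TCP connection to local_port, ignoring loopback."""
    smtp = [c for c in conns if c["proto"] == "TCP" and c["local_port"] == local_port
            and not c["remote_ip"].startswith("127.")]
    by_state = Counter(c["state"] for c in smtp)
    hosts_by_block = defaultdict(set)
    for c in smtp:
        hosts_by_block[int(c["remote_ip"].split(".")[0])].add(c["remote_ip"])
    return {
        "connections": len(smtp),
        "distinct_hosts": len({c["remote_ip"] for c in smtp}),
        "by_state": dict(by_state),
        "hosts_per_first_octet": {b: len(h) for b, h in sorted(hosts_by_block.items())},
        "in_teardown": sum(1 for c in smtp if c["state"] in TEARDOWN_STATES),
        "half_open": by_state.get("SYN_RECEIVED", 0),
    }


def share_in_range(summary, lo, hi):
    """Fraction of distinct remote hosts whose first octet lies in [lo, hi]."""
    per = summary["hosts_per_first_octet"]
    inside = sum(n for b, n in per.items() if lo <= b <= hi)
    return inside / summary["distinct_hosts"] if summary["distinct_hosts"] else 0.0


if __name__ == "__main__":
    s = smtp_summary(parse_netstat(SAMPLE_NETSTAT))
    print(s)
    print("share of hosts in 219-222:", round(share_in_range(s, 219, 222), 2))
```

On the constructed sample only a third of the distinct SMTP peers fall in 219-222, while nearly half of the connections are in a teardown state; run against the real "netstat -n" output, the same two numbers tell you whether a range block would address much of the traffic and whether the "ports don't close" symptom is the server side (CLOSE_WAIT) or the remote side (CLOSING, LAST_ACK) failing to finish.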
I'd have to agree with Tim; as the traffic is just port 25 (i.e. SMTP) traffic, you need to implement some sort of filtering. Use one of the DNS blacklists and/or put in a mail proxy to filter it out.
Personally I prefer Mail Marshal, but it doesn't really matter what you use as long as you use something...
Out of interest, you can go to www.openrbl.org and put in any of those IP addresses to see what it comes up with.
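An added example, not part of the answer above: how a DNS blacklist lookup of the kind suggested is formed and read. The client reverses the IPv4 octets, appends the list's zone, resolves the name, and treats an A record in 127.0.0.0/8 as "listed". The zone names, answers and return-code meanings here are constructed for the example; a real check resolves the name through DNS, and each real list publishes its own code table.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the name to resolve: the octets of ip reversed, then the list's zone.
    219.237.111.45 in zone dnsbl.example -> 45.111.237.219.dnsbl.example"""
    addr = ipaddress.IPv4Address(ip)            # rejects malformed input
    if addr.is_private or addr.is_loopback:
        raise ValueError(f"{ip} is not a public address; nothing to look up")
    rev = ".".join(reversed(str(addr).split(".")))
    return f"{rev}.{zone.strip('.')}"


# Constructed answers standing in for DNS: name -> A record, missing name = NXDOMAIN.
CONSTRUCTED_ANSWERS = {
    "45.111.237.219.dnsbl.example": "127.0.0.2",
    "140.139.1.24.dnsbl.example": "127.0.0.4",
    "3.2.1.198.dead.example": "203.0.113.9",    # a zone that answers with junk
}

# Constructed meaning of the return codes for the example zone.
RETURN_CODES = {
    "127.0.0.2": "open relay / spam source",
    "127.0.0.4": "dynamic or dial-up address",
}


def dns_resolve(name):
    """Real resolver for production use: A record, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(ip, zone, resolve=CONSTRUCTED_ANSWERS.get):
    """Return {'query', 'listed', 'reason'} for ip in zone, using resolve(name) -> A record or None."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        return {"query": name, "listed": False, "reason": None}
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        # Well-behaved lists answer inside 127.0.0.0/8. Anything else usually means a
        # wildcarded or defunct zone and must not be treated as a listing.
        return {"query": name, "listed": False,
                "reason": f"unexpected answer {answer}; ignore this list"}
    return {"query": name, "listed": True, "reason": RETURN_CODES.get(answer, f"code {answer}")}


if __name__ == "__main__":
    for ip, zone in [("219.237.111.45", "dnsbl.example"), ("61.36.37.34", "dnsbl.example"),
                     ("198.1.2.3", "dead.example")]:
        print(dnsbl_check(ip, zone))
    # Against live DNS you would pass resolve=dns_resolve and a real list's zone.
```

The check on the answer's range is the part most home-grown lookups leave out: a list that has been shut down and wildcarded will "list" every address you ask about, and a relay that trusts it will start refusing all mail.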
No WW3 guys - being an Australian living in Asia am not happy with the only developing continent in the world being barred through ignorance! It rocks here - the reason why there is so much hacking is because everyone under 35 has really fast computers and 6-10meg DSL connections - and have had them for years...
The revolution will not be televised.
To get back to the point - now I have seen your netstat output and have had a quiet chuckle at MS networking not being able to *just let go* it seems that you must be pumping a fair amount of mail? If not I can think of a few trojans and certainly one stress testing application that will give you that kind of netstat output - without seeing your smtp log I can't help you any more.
Would like to though - can you grep your log file for say 219.237.111.45? And we'll see...
Had some time on my hands (big hangover - don't feel like working) and checked the source of this one dude:
inetnum: 219.236.0.0 - 219.237.255.255
netname: BGCTVNET
descr: BEIJING GEHUA CATV NETWORK CO., LTD.
descr: No.35, N.HuaTuan Rd., Haidian District,
descr: Beijing, P.R.C
country: CN
admin-c: YZ55-AP
tech-c: YZ55-AP
changed: hm-change@apnic.net 20020905
remarks: CNNIC member
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CN-CNNIC-BCTVN
status: ALLOCATED PORTABLE
source: APNIC
person: Yang Zhang
nic-hdl: YZ55-AP
e-mail: pcweeklu@sina.com.cn
address: NO.A2, ZAO JUN MIAO HAIDIAN DISTRICT, BEIJING
phone: +86-10-62261655-274
fax-no: +86-10-62278679
country: CN
changed: ipas@cnnic.net.cn 20030506
mnt-by: MAINT-CNNIC-AP
source: APNIC
If you aren't expecting email from anyone who subscribes to Mr Yang's Internet AP, in northern mainland China, the chances are it is spam, a pen. attempt or a mass-mailer virus. The fact that it seems you have SMTP connections to so many different IP ranges suggests to me that maybe your mail relay/server is looking a bit tasty and potentially people are trying to relay through it. You are almost definitely dropping the attempts but the server is still accepting the connections.
For funny times you could call Mr. Yang and ask him. If you get no good response say HO DAI WOK! really loud into the phone. Means the wok is on fire or something irrelevant but will make you (& him) laugh.
Unfortunately the PIX is nothing more than a fancy packet-filter so I don't know if you can configure it to drop silly business before sending it onto your Exchange server.
There is not much you can do to stop this - if you block 25 connections from the range suggested then you will drop mail from someone you want to hear from at some stage. Application layer firewalls (eg Symantec) can look at the destination domain and drop the connection before it hits your Exchange server. I heard somewhere that Cisco have some app-layer functionality for SMTP but it will take someone who knows to verify.
Another option is to set up a smarthost or relay - can just be a PC (hardened of course!) that checks the smtp header and drops it or sends it on to Exchange accordingly - I am sure that you do not want your Exchange server performing poorly because it is working out what is good or bad TCP 25 traffic. Make this new box your MX and everything should be OK.
Went on for a long time but was kinda sorry for flipping my lid before... Hope this helps you out...
Symantec Mail Security do a good plug-in for Exchange, as do most AV vendors. Probably prudent to stick with whatever AV vendor you use inside to qualify for multi-product discounts?
Useful site for Exchange related SPAM problems:
http://antispam.msexchange
You can also enable blacklisting support in Exchange 2003:
http://www.msexchange.org/
...this will stop these sites from being able to send you mail. You will never get around the problem of multiple hosts trying to bombard you with port 25 requests, but this isn't going to take up too much traffic. The problem starts when multiple hosts are allowed to send you mail - this is when traffic starts getting chewed up as mail content size increases.
It would be nice to block these at the firewall... PIX does offer mailguard, but this is more to check SMTP sanity, rather than actual mails:
http://www.cisco.com/en/US
There are gateway appliances that can help block SPAM too - things like Symantec Gateway Security, Barracuda etc.?
Depends how much of a problem it is for you, and how much the business is willing to pay to fix it! ;)
Without being product specific - any relay will do the job. McAfee, Symantec and Trend (among others) all make great relays which do AV as well - if you are prepared to spend some money then these are great. They call them names like VirusWall, Webshield etc... Just throw them on a pc which does nothing else and let them deal with it.
If you do not want to spend any money then a fully patched Linux box with a solid sendmail config file will do the job - you can find many good examples on the web.
The better products have some kind of outbreak control - great when there is a mass-mailer about. Hmm - still getting a few from that mydoom/novarg.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split: tim_holman & td_miles & fergo-o
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
Pentrix2
EE Cleanup Volunteer
by: ManMaddy, posted on 2004-02-11 at 13:13:38, ID: 10336267
That is a HUGE range to be blocking. The people behind your firewall may have problems with web browsing if you block that whole range. If I were you, I'd drop all packets on the port ranges that are being attacked unless they are port 80 or something else that you vitally need.
If you still want to use the IP range, use the "shun" command:
shun src_ip [dst_ip sport dport [protocol]]
src_ip: attacker's IP
dst_ip: the IP which is being attacked
dport: port which is being attacked
[protocol]: TCP or whatever they are using
Good Luck!