Solved

am i under attack?

Posted on 2008-10-27
6
4,951 Views
Last Modified: 2013-11-16
A coworker feels that we are being targetted by port scans, ip flooding, and ip spoofing.  Does the attached information from the log file support that view?

Time      Priority      Category      Message      Source      Destination      Notes      Rule
10:08:59 AM      Notice      Network Access      UDP packet dropped      202.57.149.114, 1458, WAN      239.255.255.250, 137      UDP NetBios NS UDP      
10:28:49 AM      Notice      Network Access      UDP packet dropped      87.203.219.210, 17943, WAN      202.57.149.114, 57850, WAN      UDP Port: 57850      
37:30.3      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 34580, OPT      TCP scanned port list, 34576, 34573, 34575, 34577, 34579      
10:40:53 AM      Notice      Network Access      TCP connection dropped      216.118.117.201, 3773, WAN      202.57.149.114, 16889, WAN      TCP Port: 16889      
10:43:53 AM      Notice      Network Access      TCP connection dropped      202.57.1.138, 3597, WAN      202.57.149.114, 135, WAN      TCP DCE EndPoint      
10:46:34 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
10:50:04 AM      Notice      Network Access      UDP packet dropped      60.222.224.131, 35741, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
00:05.7      Alert      Intrusion Prevention      Possible port scan dropped      203.149.62.175, 80, WAN      202.57.149.114, 40204, WAN      TCP scanned port list, 40176, 40176, 40176, 40176, 40176      
11:41:02 AM      Notice      Network Access      UDP packet dropped      202.155.201.226, 35687, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
11:41:42 AM      Notice      Network Access      Web management request allowed      151.33.210.78, 49992, WAN      202.57.149.114, 80, WAN      TCP HTTP      
11:44:00 AM      Notice      Network Access      UDP packet dropped      60.222.224.130, 46194, WAN      202.57.149.115, 1026, WAN      UDP Port:  1026      
11:49:13 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
11:53:49 AM      Notice      Network Access      UDP packet dropped      60.222.224.135, 49385, WAN      202.57.149.115, 1026, WAN      UDP Port:  1026      
57:46.4      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.18, 80, OPT, wf-in-f18.google.com      192.168.0.2, 46504, OPT      TCP scanned port list, 46497, 46502, 46498, 46500, 46501      
12:01:22 PM      Notice      Network Access      UDP packet dropped      60.222.224.134, 34100, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
32:01.7      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 53464, OPT      TCP scanned port list, 51696, 51699, 51700, 51701, 51703      
12:33:24 PM      Notice      Network Access      UDP packet dropped      220.104.6.73, 10851, WAN      202.57.149.114, 53524, WAN      UDP Port: 53524      
12:36:13 PM      Notice      Network Access      UDP packet dropped      61.23.235.214, 0, WAN      202.57.149.114      UDP Port:     0      
12:51:08 PM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
1:12:21 PM      Notice      Network Access      UDP packet dropped      60.222.224.136, 48509, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
1:19:02 PM      Notice      Network Access      Web management request allowed      74.208.148.159, 50052, WAN      202.57.149.114, 80, WAN      TCP HTTP      
1:21:46 PM      Notice      Network Access      UDP packet dropped      60.222.224.133, 59289, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      

0
Comment
Question by:captainrichard
6 Comments
 
LVL 2

Expert Comment

by:JimmyLarsson
ID: 22815128
Hello

Port scans are normal to happen all the time today if you are connected to internet. It happens all the time.

Make sure that you have not opened for any inbound traffic except for what is absolutely nessecarey.

Br Jimmy
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 22815199
If you note the addresses, many of these are from Google - bots, web crawlers, are all common place now and your log does not look pout of the ordinary. In addition, you will find, most likely (because I know we do), that many of your own users will visit Google and it will record the NATted address of your site and then later it reviews these to see what services you run as part of its own activities.

Keith
0
 

Author Comment

by:captainrichard
ID: 22820339
Is there any truth to this?

" In the log you can see the same connection type being dropped with the same external IP but different port numbers... when you see this multiple times within a very quick time span and the only thing that changes is the port number (in sequence) then you know someone is trying to scan your ports and attack you.
When you see internal IPs that are not from your subnet, they can only be external. If this is happening, it is most likely IP spoofing which is when someone floods a legitimate IP with so much data that it crashes and at the same time they impersonate your IP and the server doesn't know the difference. At this point, they can do pretty much anything because you were most probably already logged on. What ever privileges the user "had" are now the impersonators."

Here is one of the entries that he is referring to:
Possible port scan dropped      
Source:203.149.62.175, 80, WAN      
Destination:202.57.149.114, 40204, WAN
TCP scanned port list: 40176, 40176, 40176, 40176, 40176

0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 22823124
Hi,

No one can stop attackers from attacking but the good thing is that your firewall which seems to be sonicwall is dropping any suspicious packets.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22824215
No, it is not necessarily an 'attack'. I have often put in a ping request to a totally random IP address - (God knows who owned it) but that would repeat your scenario. It is a fact of life that this is going to happen - your firewall is doing its job and alerting you to the fact, thats all.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22836051
Thanks :)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Sonicwall SSO 11 51
Cisco ASA 5506 5 54
ASA 5510 PAT question 1 26
Allowing a local account for incoming Rdp but not outgoing Rdp 15 104
I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
I designed this idea while studying technology in the classroom.  This is a semester long project.  Students are asked to take photographs on a specific topic which they find meaningful, it can be a place or situation such as travel or homelessness.…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now