Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

am i under attack?

Posted on 2008-10-27
6
Medium Priority
?
5,055 Views
Last Modified: 2013-11-16
A coworker feels that we are being targetted by port scans, ip flooding, and ip spoofing.  Does the attached information from the log file support that view?

Time      Priority      Category      Message      Source      Destination      Notes      Rule
10:08:59 AM      Notice      Network Access      UDP packet dropped      202.57.149.114, 1458, WAN      239.255.255.250, 137      UDP NetBios NS UDP      
10:28:49 AM      Notice      Network Access      UDP packet dropped      87.203.219.210, 17943, WAN      202.57.149.114, 57850, WAN      UDP Port: 57850      
37:30.3      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 34580, OPT      TCP scanned port list, 34576, 34573, 34575, 34577, 34579      
10:40:53 AM      Notice      Network Access      TCP connection dropped      216.118.117.201, 3773, WAN      202.57.149.114, 16889, WAN      TCP Port: 16889      
10:43:53 AM      Notice      Network Access      TCP connection dropped      202.57.1.138, 3597, WAN      202.57.149.114, 135, WAN      TCP DCE EndPoint      
10:46:34 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
10:50:04 AM      Notice      Network Access      UDP packet dropped      60.222.224.131, 35741, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
00:05.7      Alert      Intrusion Prevention      Possible port scan dropped      203.149.62.175, 80, WAN      202.57.149.114, 40204, WAN      TCP scanned port list, 40176, 40176, 40176, 40176, 40176      
11:41:02 AM      Notice      Network Access      UDP packet dropped      202.155.201.226, 35687, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
11:41:42 AM      Notice      Network Access      Web management request allowed      151.33.210.78, 49992, WAN      202.57.149.114, 80, WAN      TCP HTTP      
11:44:00 AM      Notice      Network Access      UDP packet dropped      60.222.224.130, 46194, WAN      202.57.149.115, 1026, WAN      UDP Port:  1026      
11:49:13 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
11:53:49 AM      Notice      Network Access      UDP packet dropped      60.222.224.135, 49385, WAN      202.57.149.115, 1026, WAN      UDP Port:  1026      
57:46.4      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.18, 80, OPT, wf-in-f18.google.com      192.168.0.2, 46504, OPT      TCP scanned port list, 46497, 46502, 46498, 46500, 46501      
12:01:22 PM      Notice      Network Access      UDP packet dropped      60.222.224.134, 34100, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
32:01.7      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 53464, OPT      TCP scanned port list, 51696, 51699, 51700, 51701, 51703      
12:33:24 PM      Notice      Network Access      UDP packet dropped      220.104.6.73, 10851, WAN      202.57.149.114, 53524, WAN      UDP Port: 53524      
12:36:13 PM      Notice      Network Access      UDP packet dropped      61.23.235.214, 0, WAN      202.57.149.114      UDP Port:     0      
12:51:08 PM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
1:12:21 PM      Notice      Network Access      UDP packet dropped      60.222.224.136, 48509, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
1:19:02 PM      Notice      Network Access      Web management request allowed      74.208.148.159, 50052, WAN      202.57.149.114, 80, WAN      TCP HTTP      
1:21:46 PM      Notice      Network Access      UDP packet dropped      60.222.224.133, 59289, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      

0
Comment
Question by:captainrichard
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 2

Expert Comment

by:JimmyLarsson
ID: 22815128
Hello

Port scans are normal to happen all the time today if you are connected to internet. It happens all the time.

Make sure that you have not opened for any inbound traffic except for what is absolutely nessecarey.

Br Jimmy
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 22815199
If you note the addresses, many of these are from Google - bots, web crawlers, are all common place now and your log does not look pout of the ordinary. In addition, you will find, most likely (because I know we do), that many of your own users will visit Google and it will record the NATted address of your site and then later it reviews these to see what services you run as part of its own activities.

Keith
0
 

Author Comment

by:captainrichard
ID: 22820339
Is there any truth to this?

" In the log you can see the same connection type being dropped with the same external IP but different port numbers... when you see this multiple times within a very quick time span and the only thing that changes is the port number (in sequence) then you know someone is trying to scan your ports and attack you.
When you see internal IPs that are not from your subnet, they can only be external. If this is happening, it is most likely IP spoofing which is when someone floods a legitimate IP with so much data that it crashes and at the same time they impersonate your IP and the server doesn't know the difference. At this point, they can do pretty much anything because you were most probably already logged on. What ever privileges the user "had" are now the impersonators."

Here is one of the entries that he is referring to:
Possible port scan dropped      
Source:203.149.62.175, 80, WAN      
Destination:202.57.149.114, 40204, WAN
TCP scanned port list: 40176, 40176, 40176, 40176, 40176

0
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 22823124
Hi,

No one can stop attackers from attacking but the good thing is that your firewall which seems to be sonicwall is dropping any suspicious packets.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22824215
No, it is not necessarily an 'attack'. I have often put in a ping request to a totally random IP address - (God knows who owned it) but that would repeat your scenario. It is a fact of life that this is going to happen - your firewall is doing its job and alerting you to the fact, thats all.

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22836051
Thanks :)
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question