Solved

am i under attack?

Posted on 2008-10-27
4,995 Views
Last Modified: 2013-11-16
A coworker feels that we are being targeted by port scans, IP flooding, and IP spoofing.  Does the attached information from the log file support that view?

Time      Priority      Category      Message      Source      Destination      Notes      Rule
10:08:59 AM      Notice      Network Access      UDP packet dropped      202.57.149.114, 1458, WAN      239.255.255.250, 137      UDP NetBios NS UDP      
10:28:49 AM      Notice      Network Access      UDP packet dropped      87.203.219.210, 17943, WAN      202.57.149.114, 57850, WAN      UDP Port: 57850      
37:30.3      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 34580, OPT      TCP scanned port list, 34576, 34573, 34575, 34577, 34579      
10:40:53 AM      Notice      Network Access      TCP connection dropped      216.118.117.201, 3773, WAN      202.57.149.114, 16889, WAN      TCP Port: 16889      
10:43:53 AM      Notice      Network Access      TCP connection dropped      202.57.1.138, 3597, WAN      202.57.149.114, 135, WAN      TCP DCE EndPoint      
10:46:34 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
10:50:04 AM      Notice      Network Access      UDP packet dropped      60.222.224.131, 35741, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
00:05.7      Alert      Intrusion Prevention      Possible port scan dropped      203.149.62.175, 80, WAN      202.57.149.114, 40204, WAN      TCP scanned port list, 40176, 40176, 40176, 40176, 40176      
11:41:02 AM      Notice      Network Access      UDP packet dropped      202.155.201.226, 35687, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
11:41:42 AM      Notice      Network Access      Web management request allowed      151.33.210.78, 49992, WAN      202.57.149.114, 80, WAN      TCP HTTP      
11:44:00 AM      Notice      Network Access      UDP packet dropped      60.222.224.130, 46194, WAN      202.57.149.115, 1026, WAN      UDP Port:  1026      
11:49:13 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
11:53:49 AM      Notice      Network Access      UDP packet dropped      60.222.224.135, 49385, WAN      202.57.149.115, 1026, WAN      UDP Port:  1026      
57:46.4      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.18, 80, OPT, wf-in-f18.google.com      192.168.0.2, 46504, OPT      TCP scanned port list, 46497, 46502, 46498, 46500, 46501      
12:01:22 PM      Notice      Network Access      UDP packet dropped      60.222.224.134, 34100, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
32:01.7      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 53464, OPT      TCP scanned port list, 51696, 51699, 51700, 51701, 51703      
12:33:24 PM      Notice      Network Access      UDP packet dropped      220.104.6.73, 10851, WAN      202.57.149.114, 53524, WAN      UDP Port: 53524      
12:36:13 PM      Notice      Network Access      UDP packet dropped      61.23.235.214, 0, WAN      202.57.149.114      UDP Port:     0      
12:51:08 PM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
1:12:21 PM      Notice      Network Access      UDP packet dropped      60.222.224.136, 48509, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
1:19:02 PM      Notice      Network Access      Web management request allowed      74.208.148.159, 50052, WAN      202.57.149.114, 80, WAN      TCP HTTP      
1:21:46 PM      Notice      Network Access      UDP packet dropped      60.222.224.133, 59289, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      

Question by:captainrichard
6 Comments
 
LVL 2

Expert Comment

by:JimmyLarsson
ID: 22815128
Hello

It is normal for port scans to happen all the time today if you are connected to the internet. It happens all the time.

Make sure that you have not opened any inbound traffic except for what is absolutely necessary.

Br Jimmy
 
LVL 51

Accepted Solution

by: Keith Alabaster (earned 500 total points)
ID: 22815199
If you note the addresses, many of these are from Google; bots and web crawlers are all commonplace now, and your log does not look out of the ordinary. In addition, you will find, most likely (because I know we do), that many of your own users will visit Google, and it will record the NATted address of your site and then later review it to see what services you run, as part of its own activities.

Keith
 

Author Comment

by:captainrichard
ID: 22820339
Is there any truth to this?

"In the log you can see the same connection type being dropped with the same external IP but different port numbers... when you see this multiple times within a very quick time span and the only thing that changes is the port number (in sequence), then you know someone is trying to scan your ports and attack you.
When you see internal IPs that are not from your subnet, they can only be external. If this is happening, it is most likely IP spoofing, which is when someone floods a legitimate IP with so much data that it crashes and at the same time they impersonate your IP, and the server doesn't know the difference. At this point, they can do pretty much anything because you were most probably already logged on. Whatever privileges the user "had" are now the impersonator's."

Here is one of the entries that he is referring to:
Possible port scan dropped      
Source:203.149.62.175, 80, WAN      
Destination:202.57.149.114, 40204, WAN
TCP scanned port list: 40176, 40176, 40176, 40176, 40176

 
LVL 32

Expert Comment

by:Kamran Arshad
ID: 22823124
Hi,

No one can stop attackers from attacking, but the good thing is that your firewall, which seems to be a SonicWall, is dropping any suspicious packets.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22824215
No, it is not necessarily an 'attack'. I have often put in a ping request to a totally random IP address (God knows who owned it), but that would repeat your scenario. It is a fact of life that this is going to happen; your firewall is doing its job and alerting you to the fact, that's all.

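To put the answers above on a testable footing, here is an added example (written for this page; it was not posted by anyone in the thread and is not SonicWall logic). It parses a subset of the log rows copied from the question and applies three checks a practitioner would want: a verdict on each "Possible port scan dropped" row, a tally of the dropped traffic by well-known background-noise category, and two direct tests of the coworker's claims (any RFC 1918 source address arriving on the WAN side, and which internet hosts the firewall actually let through to its own web management page). The scan heuristic and the port-to-noise mapping are this example's own assumptions.

```python
"""Triage of the firewall log posted in the question (added example, not from the thread)."""
import ipaddress
import re
from collections import Counter

# Rows copied from the question's log (a subset). The export separates columns
# with runs of spaces; the empty Rule column is omitted.
LOG = """\
10:08:59 AM      Notice      Network Access      UDP packet dropped      202.57.149.114, 1458, WAN      239.255.255.250, 137      UDP NetBios NS UDP
37:30.3      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 34580, OPT      TCP scanned port list, 34576, 34573, 34575, 34577, 34579
10:43:53 AM      Notice      Network Access      TCP connection dropped      202.57.1.138, 3597, WAN      202.57.149.114, 135, WAN      TCP DCE EndPoint
10:46:34 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP
10:50:04 AM      Notice      Network Access      UDP packet dropped      60.222.224.131, 35741, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026
00:05.7      Alert      Intrusion Prevention      Possible port scan dropped      203.149.62.175, 80, WAN      202.57.149.114, 40204, WAN      TCP scanned port list, 40176, 40176, 40176, 40176, 40176
11:41:42 AM      Notice      Network Access      Web management request allowed      151.33.210.78, 49992, WAN      202.57.149.114, 80, WAN      TCP HTTP
11:44:00 AM      Notice      Network Access      UDP packet dropped      60.222.224.130, 46194, WAN      202.57.149.115, 1026, WAN      UDP Port:  1026
11:49:13 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP
57:46.4      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.18, 80, OPT, wf-in-f18.google.com      192.168.0.2, 46504, OPT      TCP scanned port list, 46497, 46502, 46498, 46500, 46501
12:36:13 PM      Notice      Network Access      UDP packet dropped      61.23.235.214, 0, WAN      202.57.149.114      UDP Port:     0
1:19:02 PM      Notice      Network Access      Web management request allowed      74.208.148.159, 50052, WAN      202.57.149.114, 80, WAN      TCP HTTP
"""

# Assumed mapping of destination port to the classic internet background noise it represents.
BACKGROUND_NOISE = {
    137: "NetBIOS name service probe",
    135: "MS-RPC endpoint mapper probe",
    1026: "UDP Messenger-service pop-up spam",
}


def parse_endpoint(text):
    """'ip, port, zone[, hostname]' -> dict. Port and zone can be absent in the export."""
    parts = [p.strip() for p in text.split(",")]
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return {"ip": parts[0], "port": port,
            "zone": parts[2] if len(parts) > 2 else None,
            "host": parts[3] if len(parts) > 3 else None}


def parse_log(text):
    """Split each row into its seven columns. The Notes column may itself contain a
    double space ('UDP Port:  1026'), so it is taken as the unsplit remainder."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, prio, cat, msg, src, dst, notes = re.split(r"\s{2,}", line.strip(), maxsplit=6)
        rows.append({"time": time, "priority": prio, "category": cat, "message": msg,
                     "src": parse_endpoint(src), "dst": parse_endpoint(dst), "notes": notes})
    return rows


def classify_scan_alert(row):
    """Heuristic verdict (assumption of this example) for a 'Possible port scan' row:
    a real scan touches several distinct ports on the target; packets from a web
    server (source port 80/443) to a tight run of ephemeral ports on the client
    side are late replies the firewall no longer has state for; one port hit over
    and over is a retransmission."""
    ports = sorted({int(p) for p in re.findall(r"\d+", row["notes"].split("list", 1)[1])})
    if len(ports) == 1:
        return "retransmission, not a scan"
    if row["src"]["port"] in (80, 443) and ports[0] >= 1024 and ports[-1] - ports[0] < 64:
        return "late web-server replies, not a scan"
    return "review: several distinct ports probed"


def dst_port(row):
    """Destination port; the export sometimes omits it, so fall back to the Notes column."""
    if row["dst"]["port"] is not None:
        return row["dst"]["port"]
    m = re.search(r"Port:\s*(\d+)", row["notes"])
    return int(m.group(1)) if m else None


def triage(rows):
    """Return ({source ip: verdict} for scan alerts, Counter of dropped traffic by kind)."""
    verdicts, drops = {}, Counter()
    for r in rows:
        if r["message"].startswith("Possible port scan"):
            verdicts[r["src"]["ip"]] = classify_scan_alert(r)
        elif "dropped" in r["message"]:
            port = dst_port(r)
            drops[BACKGROUND_NOISE.get(port, f"port {port}")] += 1
    return verdicts, drops


def private_sources_on_wan(rows):
    """The coworker's spoofing worry made testable: RFC 1918 sources arriving on WAN."""
    return [r["src"]["ip"] for r in rows
            if r["src"]["zone"] == "WAN" and ipaddress.ip_address(r["src"]["ip"]).is_private]


def exposed_management(rows):
    """Internet hosts the firewall allowed through to its own web management page."""
    return [r["src"]["ip"] for r in rows
            if r["message"] == "Web management request allowed" and r["src"]["zone"] == "WAN"]


if __name__ == "__main__":
    rows = parse_log(LOG)
    verdicts, drops = triage(rows)
    for ip, verdict in verdicts.items():
        print(f"{ip:16} {verdict}")
    for kind, n in drops.most_common():
        print(f"{n:2} dropped  {kind}")
    print("private sources on WAN:", private_sources_on_wan(rows))
    print("WAN hosts allowed to web management:", exposed_management(rows))
```

Run as posted, the three IPS alerts come out as late replies from Google's web servers (source port 80, contiguous ephemeral ports on 192.168.0.2) and one retransmission to port 40176, the drops are NetBIOS, MS-RPC and Messenger-spam probes, and no private address shows up on the WAN side. A flood would show as a rate, and this log has a couple of dozen events over about three hours. The one line worth acting on is the pair of "Web management request allowed" rows: two internet hosts reached the firewall's own management page, which is Jimmy's advice about inbound exposure in concrete form and worth confirming is intended.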
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22836051
Thanks :)
