am i under attack?

Posted on 2008-10-27
Medium Priority
Last Modified: 2013-11-16
A coworker feels that we are being targeted by port scans, IP flooding, and IP spoofing. Does the attached information from the log file support that view?

Time      Priority      Category      Message      Source      Destination      Notes      Rule
10:08:59 AM      Notice      Network Access      UDP packet dropped, 1458, WAN, 137      UDP NetBios NS UDP      
10:28:49 AM      Notice      Network Access      UDP packet dropped, 17943, WAN, 57850, WAN      UDP Port: 57850      
37:30.3      Alert      Intrusion Prevention      Possible port scan dropped, 80, OPT, wf-in-f83.google.com, 34580, OPT      TCP scanned port list, 34576, 34573, 34575, 34577, 34579      
10:40:53 AM      Notice      Network Access      TCP connection dropped, 3773, WAN, 16889, WAN      TCP Port: 16889      
10:43:53 AM      Notice      Network Access      TCP connection dropped, 3597, WAN, 135, WAN      TCP DCE EndPoint      
10:46:34 AM      Notice      Network Access      UDP packet dropped, 137, WAN, 137, WAN      UDP NetBios NS UDP      
10:50:04 AM      Notice      Network Access      UDP packet dropped, 35741, WAN, 1026, WAN      UDP Port:  1026      
00:05.7      Alert      Intrusion Prevention      Possible port scan dropped, 80, WAN, 40204, WAN      TCP scanned port list, 40176, 40176, 40176, 40176, 40176      
11:41:02 AM      Notice      Network Access      UDP packet dropped, 35687, WAN, 137, WAN      UDP NetBios NS UDP      
11:41:42 AM      Notice      Network Access      Web management request allowed, 49992, WAN, 80, WAN      TCP HTTP      
11:44:00 AM      Notice      Network Access      UDP packet dropped, 46194, WAN, 1026, WAN      UDP Port:  1026      
11:49:13 AM      Notice      Network Access      UDP packet dropped, 137, WAN, 137, WAN      UDP NetBios NS UDP      
11:53:49 AM      Notice      Network Access      UDP packet dropped, 49385, WAN, 1026, WAN      UDP Port:  1026      
57:46.4      Alert      Intrusion Prevention      Possible port scan dropped, 80, OPT, wf-in-f18.google.com, 46504, OPT      TCP scanned port list, 46497, 46502, 46498, 46500, 46501      
12:01:22 PM      Notice      Network Access      UDP packet dropped, 34100, WAN, 1026, WAN      UDP Port:  1026      
32:01.7      Alert      Intrusion Prevention      Possible port scan dropped, 80, OPT, wf-in-f83.google.com, 53464, OPT      TCP scanned port list, 51696, 51699, 51700, 51701, 51703      
12:33:24 PM      Notice      Network Access      UDP packet dropped, 10851, WAN, 53524, WAN      UDP Port: 53524      
12:36:13 PM      Notice      Network Access      UDP packet dropped, 0, WAN      UDP Port:     0      
12:51:08 PM      Notice      Network Access      UDP packet dropped, 137, WAN, 137, WAN      UDP NetBios NS UDP      
1:12:21 PM      Notice      Network Access      UDP packet dropped, 48509, WAN, 1026, WAN      UDP Port:  1026      
1:19:02 PM      Notice      Network Access      Web management request allowed, 50052, WAN, 80, WAN      TCP HTTP      
1:21:46 PM      Notice      Network Access      UDP packet dropped, 59289, WAN, 1026, WAN      UDP Port:  1026      

Question by:captainrichard

Expert Comment

ID: 22815128

Port scans are normal and happen all the time today if you are connected to the internet. It happens all the time.

Make sure that you have not opened up any inbound traffic except for what is absolutely necessary.

Br Jimmy

Accepted Solution

Keith Alabaster earned 2000 total points
ID: 22815199
If you note the addresses, many of these are from Google; bots and web crawlers are all commonplace now, and your log does not look out of the ordinary. In addition, you will find, most likely (because I know we do), that many of your own users will visit Google and it will record the NATted address of your site and then later it reviews these to see what services you run as part of its own activities.


Author Comment

ID: 22820339
Is there any truth to this?

"In the log you can see the same connection type being dropped with the same external IP but different port numbers... when you see this multiple times within a very quick time span and the only thing that changes is the port number (in sequence), then you know someone is trying to scan your ports and attack you.
When you see internal IPs that are not from your subnet, they can only be external. If this is happening, it is most likely IP spoofing, which is when someone floods a legitimate IP with so much data that it crashes and at the same time they impersonate your IP and the server doesn't know the difference. At this point, they can do pretty much anything because you were most probably already logged on. Whatever privileges the user "had" are now the impersonator's."

Here is one of the entries that he is referring to:
Possible port scan dropped      
Source:, 80, WAN      
Destination:, 40204, WAN
TCP scanned port list: 40176, 40176, 40176, 40176, 40176


Expert Comment

by:Kamran Arshad
ID: 22823124

No one can stop attackers from attacking, but the good thing is that your firewall, which seems to be a SonicWall, is dropping any suspicious packets.

Expert Comment

by:Keith Alabaster
ID: 22824215
No, it is not necessarily an 'attack'. I have often put in a ping request to a totally random IP address (God knows who owned it), but that would repeat your scenario. It is a fact of life that this is going to happen; your firewall is doing its job and alerting you to the fact, that's all.
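To make the distinction the experts draw concrete, here is an added Python example (not code from the thread or from SonicWall) that parses "Possible port scan dropped" lines in the layout of the log quoted above and applies the "same source, many ports, in sequence" test the coworker quotes. Two sample alerts copy entries from the question; the final line is a constructed, hypothetical entry showing what a genuine inbound sweep of service ports would look like by contrast.

```python
import re

# Constructed sample in the tab-separated layout of the log quoted in the question; the first
# two alerts copy entries from it, the last line is a hypothetical inbound sweep of service ports.
SAMPLE_LOG = """\
37:30.3\tAlert\tIntrusion Prevention\tPossible port scan dropped, 80, OPT, wf-in-f83.google.com, 34580, OPT\tTCP scanned port list, 34576, 34573, 34575, 34577, 34579
00:05.7\tAlert\tIntrusion Prevention\tPossible port scan dropped, 80, WAN, 40204, WAN\tTCP scanned port list, 40176, 40176, 40176, 40176, 40176
10:46:34 AM\tNotice\tNetwork Access\tUDP packet dropped, 137, WAN, 137, WAN\tUDP NetBios NS UDP
2:05:11 PM\tAlert\tIntrusion Prevention\tPossible port scan dropped, 51234, WAN, 25, WAN\tTCP scanned port list, 21, 22, 23, 25, 80
"""

ALERT_RE = re.compile(
    r"Possible port scan dropped, (?P<sport>\d+), (?P<siface>\w+), "
    r"(?:(?P<shost>[\w.-]+), )?(?P<dport>\d+), (?P<diface>\w+)"
)
PORTLIST_RE = re.compile(r"scanned port list, ([\d, ]+)")

def parse_alert(line):
    """Return a dict for a 'Possible port scan' line, or None for any other event."""
    fields = line.split("\t")
    if len(fields) < 5:
        return None
    m = ALERT_RE.search(fields[3])
    p = PORTLIST_RE.search(fields[4])
    if not m or not p:
        return None
    return {"time": fields[0], "sport": int(m["sport"]), "shost": m["shost"] or "",
            "scanned": [int(x) for x in p.group(1).split(",") if x.strip()]}

def classify(alert):
    """Apply the 'same source, many ports, in sequence' test to one alert."""
    ports, sport = alert["scanned"], alert["sport"]
    if len(set(ports)) == 1:
        return "repeat-to-one-port"  # one port hit repeatedly: a retry, not a sweep
    if sport in (80, 443) and all(p >= 1024 for p in ports):
        # Web-server source port and our own ephemeral ports as "targets": late replies
        # to outbound browsing connections, the pattern the accepted answer describes.
        return "likely-return-traffic"
    if sport >= 1024 and all(p < 1024 for p in ports):
        return "inbound-scan-pattern"  # ephemeral source probing several service ports
    return "indeterminate"

def triage(log_text):
    """Parse every alert in the log and attach a verdict; Notice lines are skipped."""
    alerts = [parse_alert(line) for line in log_text.splitlines()]
    return [dict(a, verdict=classify(a)) for a in alerts if a]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["time"], a["shost"] or "-", a["verdict"], a["scanned"])
```

Run against the question's own entries, both Google alerts come out as return traffic or a single-port retry, not as a sweep; only the constructed line matches the scan shape the coworker describes.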


Expert Comment

by:Keith Alabaster
ID: 22836051
Thanks :)
