
am i under attack?

Posted on 2008-10-27
Last Modified: 2013-11-16
A coworker feels that we are being targeted by port scans, IP flooding, and IP spoofing. Does the attached information from the log file support that view?

Time      Priority      Category      Message      Source      Destination      Notes      Rule
10:08:59 AM      Notice      Network Access      UDP packet dropped      202.57.149.114, 1458, WAN      239.255.255.250, 137      UDP NetBios NS UDP      
10:28:49 AM      Notice      Network Access      UDP packet dropped      87.203.219.210, 17943, WAN      202.57.149.114, 57850, WAN      UDP Port: 57850      
37:30.3      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 34580, OPT      TCP scanned port list, 34576, 34573, 34575, 34577, 34579      
10:40:53 AM      Notice      Network Access      TCP connection dropped      216.118.117.201, 3773, WAN      202.57.149.114, 16889, WAN      TCP Port: 16889      
10:43:53 AM      Notice      Network Access      TCP connection dropped      202.57.1.138, 3597, WAN      202.57.149.114, 135, WAN      TCP DCE EndPoint      
10:46:34 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
10:50:04 AM      Notice      Network Access      UDP packet dropped      60.222.224.131, 35741, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
00:05.7      Alert      Intrusion Prevention      Possible port scan dropped      203.149.62.175, 80, WAN      202.57.149.114, 40204, WAN      TCP scanned port list, 40176, 40176, 40176, 40176, 40176      
11:41:02 AM      Notice      Network Access      UDP packet dropped      202.155.201.226, 35687, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
11:41:42 AM      Notice      Network Access      Web management request allowed      151.33.210.78, 49992, WAN      202.57.149.114, 80, WAN      TCP HTTP      
11:44:00 AM      Notice      Network Access      UDP packet dropped      60.222.224.130, 46194, WAN      202.57.149.115, 1026, WAN      UDP Port:  1026      
11:49:13 AM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
11:53:49 AM      Notice      Network Access      UDP packet dropped      60.222.224.135, 49385, WAN      202.57.149.115, 1026, WAN      UDP Port:  1026      
57:46.4      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.18, 80, OPT, wf-in-f18.google.com      192.168.0.2, 46504, OPT      TCP scanned port list, 46497, 46502, 46498, 46500, 46501      
12:01:22 PM      Notice      Network Access      UDP packet dropped      60.222.224.134, 34100, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
32:01.7      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 53464, OPT      TCP scanned port list, 51696, 51699, 51700, 51701, 51703      
12:33:24 PM      Notice      Network Access      UDP packet dropped      220.104.6.73, 10851, WAN      202.57.149.114, 53524, WAN      UDP Port: 53524      
12:36:13 PM      Notice      Network Access      UDP packet dropped      61.23.235.214, 0, WAN      202.57.149.114      UDP Port:     0      
12:51:08 PM      Notice      Network Access      UDP packet dropped      58.137.64.34, 137, WAN      202.57.149.114, 137, WAN      UDP NetBios NS UDP      
1:12:21 PM      Notice      Network Access      UDP packet dropped      60.222.224.136, 48509, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      
1:19:02 PM      Notice      Network Access      Web management request allowed      74.208.148.159, 50052, WAN      202.57.149.114, 80, WAN      TCP HTTP      
1:21:46 PM      Notice      Network Access      UDP packet dropped      60.222.224.133, 59289, WAN      202.57.149.114, 1026, WAN      UDP Port:  1026      

Question by:captainrichard
6 Comments

Expert Comment

by:JimmyLarsson
ID: 22815128
Hello

Port scans are normal and happen all the time today if you are connected to the internet. It happens all the time.

Make sure that you have not opened up any inbound traffic except for what is absolutely necessary.

Br Jimmy

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 22815199
If you note the addresses, many of these are from Google - bots, web crawlers, are all commonplace now and your log does not look out of the ordinary. In addition, you will find, most likely (because I know we do), that many of your own users will visit Google and it will record the NATted address of your site and then later it reviews these to see what services you run as part of its own activities.

Keith

Author Comment

by:captainrichard
ID: 22820339
Is there any truth to this?

"In the log you can see the same connection type being dropped with the same external IP but different port numbers... when you see this multiple times within a very quick time span and the only thing that changes is the port number (in sequence) then you know someone is trying to scan your ports and attack you.
When you see internal IPs that are not from your subnet, they can only be external. If this is happening, it is most likely IP spoofing, which is when someone floods a legitimate IP with so much data that it crashes and at the same time they impersonate your IP and the server doesn't know the difference. At this point, they can do pretty much anything because you were most probably already logged on. Whatever privileges the user "had" are now the impersonator's."

Here is one of the entries that he is referring to:
Possible port scan dropped
Source: 203.149.62.175, 80, WAN
Destination: 202.57.149.114, 40204, WAN
TCP scanned port list: 40176, 40176, 40176, 40176, 40176


Expert Comment

by:Kamran Arshad
ID: 22823124
Hi,

No one can stop attackers from attacking, but the good thing is that your firewall, which seems to be a SonicWall, is dropping any suspicious packets.

Expert Comment

by:Keith Alabaster
ID: 22824215
No, it is not necessarily an 'attack'. I have often put in a ping request to a totally random IP address - (God knows who owned it) but that would repeat your scenario. It is a fact of life that this is going to happen - your firewall is doing its job and alerting you to the fact, that's all.

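The reasoning in the accepted answer can be checked against the log itself: the "port scan" alerts here come from a web server's port 80 and land on a tight cluster of ephemeral ports on the inside host, which is what stray or retransmitted replies to outbound browsing look like, not a probe of service ports. The script below is an added triage example, not code from this thread or from the firewall vendor; the 80/443 source-port and ephemeral-cluster heuristics are assumptions of mine, the first three sample lines are copied from the question's log, and the 198.51.100.7 line is a constructed scan-like entry for contrast.

```python
import re

EPHEMERAL_MIN = 1024        # ports from here up are client-side ephemeral ports (assumption)
SERVICE_PORTS = {80, 443}   # a "scan" whose *source* is a web port is usually reply traffic


def parse_endpoint(field):
    """'209.85.201.83, 80, OPT, wf-in-f83.google.com' -> ('209.85.201.83', 80)."""
    parts = [p.strip() for p in field.split(",")]
    return parts[0], int(parts[1])


def triage_alert(source, destination, notes):
    """Classify one 'Possible port scan dropped' entry.

    'return_traffic': source port 80/443 hitting a narrow band of ephemeral ports
                      on our side (late replies to connections we opened).
    'scan_like':      high source port touching several distinct service ports.
    'unclear':        anything else; look at it by hand.
    """
    _, src_port = parse_endpoint(source)
    _, dst_port = parse_endpoint(destination)
    m = re.search(r"scanned port list[:,]?\s*(.*)$", notes)
    ports = {int(p) for p in re.findall(r"\d+", m.group(1))} if m else set()
    ports.add(dst_port)
    all_ephemeral = all(p >= EPHEMERAL_MIN for p in ports)
    spread = max(ports) - min(ports)
    if src_port in SERVICE_PORTS and all_ephemeral and spread <= 64:
        return "return_traffic"
    if src_port >= EPHEMERAL_MIN and len(ports) >= 3 and any(p < EPHEMERAL_MIN for p in ports):
        return "scan_like"
    return "unclear"


def triage_log(lines):
    """Split the firewall's space-padded columns and triage only the IPS alerts."""
    results = []
    for line in lines:
        cols = re.split(r"\s{2,}", line.strip())
        _time, _prio, _cat, msg, src, dst, notes = cols[:7]
        if msg.startswith("Possible port scan"):
            results.append((src.split(",")[0], triage_alert(src, dst, notes)))
    return results


# First three lines copied from the question's log; the last one is constructed
# (198.51.100.7 is a documentation address) to show what a real probe looks like.
SAMPLE_LOG = [
    "37:30.3      Alert      Intrusion Prevention      Possible port scan dropped      209.85.201.83, 80, OPT, wf-in-f83.google.com      192.168.0.2, 34580, OPT      TCP scanned port list, 34576, 34573, 34575, 34577, 34579",
    "00:05.7      Alert      Intrusion Prevention      Possible port scan dropped      203.149.62.175, 80, WAN      202.57.149.114, 40204, WAN      TCP scanned port list, 40176, 40176, 40176, 40176, 40176",
    "10:43:53 AM      Notice      Network Access      TCP connection dropped      202.57.1.138, 3597, WAN      202.57.149.114, 135, WAN      TCP DCE EndPoint",
    "1:30:00 PM      Alert      Intrusion Prevention      Possible port scan dropped      198.51.100.7, 44321, WAN      202.57.149.114, 22, WAN      TCP scanned port list, 21, 23, 25, 80, 443",
]

if __name__ == "__main__":
    for src_ip, verdict in triage_log(SAMPLE_LOG):
        print(f"{src_ip:16} {verdict}")
```

Both Google entries and the 203.149.62.175 entry come out as return_traffic; only the constructed line, with a high source port walking service ports 21 through 443, is flagged scan_like.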

Expert Comment

by:Keith Alabaster
ID: 22836051
Thanks :)