Port 445 Intrusion attempts on firewall?

Medium Priority
814 Views
Last Modified: 2013-11-16
I was examining one of my SonicWall firewalls I have installed and noticed some interesting traffic coming through. Well, actually the firewall is stopping it like it is supposed to, but I thought I would post the file and see what some of you think.

I have been tracing IPs this morning with ARIN.net, and some of these belong to the hosting ISP, Eschelon/Integra Telecom. However, pretty much all of the port 445 requests are coming from outside the USA.

The first part of the attached is the ISP for some reason, but almost everything on port 445 and up to 33662 looks a bit fishy.

I guess the main question here is, since a lot of these are out of the country and the SonicWall is doing its job (stopping the traffic), should there be a concern? The server doesn't host anything but internal file access and folder permissions, so no open ports to the outside world. Also, in the event that repeated attempts from the same IP are logged, is there a way to take action on the offender, or are they most likely forging their IP or tunneling it through someone else's ISP anyway?
Sonicwall-Log.xls

Software and Hardware Engineer
Commented:
445 is the "new" Microsoft networking port (it used to be ports 137-139; now it's 445).

So it could be harmless: badly configured Windows machines on the internet looking for other Windows machines to talk to, or deliberate scanning looking for exposed Microsoft default shares (most MS machines expose admin$ and c$ by default; in XP and above, when "simple file sharing" is enabled, those are hidden, however).

Commented:
It's likely that these are machines infected with Conficker/Downadup and are looking for more hosts vulnerable to exploits targeting MS08-067. There's all sorts of information about this worm at http://isc.sans.org/diary.html?storyid=5860 and a particularly full analysis at http://mtc.sri.com/Conficker/, which I'd recommend to anyone concerned about their networks.

It's unlikely that these machines are obfuscating their IP addresses, so you could take action to block repeated attempts to contact port 445, but certainly some of these IPs will be dynamic, and in any event your firewall is doing its job and there doesn't seem to be a need to start blocking IPs.
Dave Howe, Software and Hardware Engineer

Commented:
As a general rule, badly configured Windows machines will try to locate peers to do their Microsoft networking with, and malicious attackers (either human or automated, such as worms) will do likewise. Your firewall should block 445 and 137-139 by default, and assuming your firewall is stateful, really you should block inbound connections by default and allow them only when you need/want to, rather than the other way around (certainly for ports less than 1025, anyhow).

Random MS networking queries and intermittent port scans are part of what is usually referred to as "internet background radiation". My firewalls get port scanned several times per day, mostly from China, and they will usually sweep the entire IP address range and move on (usually after trying to log into my Unix-based FTP server a few times as "Administrator" :)
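The two answers above agree on the practical follow-up: the drops are expected background noise, but it is still worth knowing which sources keep coming back for 445 and 137-139, since a source that probes repeatedly in a short span is a worm or scanner rather than a one-off misconfigured peer, and those are the only ones worth a block rule or an abuse report. The script below is an added example written for this thread, not code from any of the posters or from SonicWall. It assumes a SonicWall-style key=value syslog line (the exact field layout varies by firmware, so the sample lines are constructed, not taken from the attached Sonicwall-Log.xls), pulls out the source address, destination port and timestamp, keeps only hits on the SMB/NetBIOS ports, and flags sources that reach a threshold of hits inside a sliding time window; the function and threshold names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the attached log) approximating SonicWall key=value
# syslog output.  Assumption: real lines differ by firmware version; only the time=, src=,
# dst= and proto= fields are consumed below.  Lines are deliberately out of time order.
SAMPLE_LOG = """\
id=firewall time="2009-01-21 08:12:01" msg="TCP connection dropped" src=203.0.113.5:3921:WAN dst=198.51.100.1:445:WAN proto=tcp/445
id=firewall time="2009-01-21 08:15:02" msg="TCP connection dropped" src=203.0.113.5:3925:WAN dst=198.51.100.1:445:WAN proto=tcp/445
id=firewall time="2009-01-21 08:13:40" msg="TCP connection dropped" src=203.0.113.5:3922:WAN dst=198.51.100.1:445:WAN proto=tcp/445
id=firewall time="2009-01-21 08:14:10" msg="TCP connection dropped" src=203.0.113.5:3923:WAN dst=198.51.100.1:33662:WAN proto=tcp/33662
id=firewall time="2009-01-21 08:20:00" msg="TCP connection dropped" src=203.0.113.9:1044:WAN dst=198.51.100.1:445:WAN proto=tcp/445
id=firewall time="2009-01-21 10:30:00" msg="TCP connection dropped" src=203.0.113.9:1051:WAN dst=198.51.100.1:445:WAN proto=tcp/445
id=firewall time="2009-01-21 09:02:17" msg="UDP packet dropped" src=192.0.2.77:137:WAN dst=198.51.100.1:137:WAN proto=udp/137
id=firewall time="2009-01-21 08:00:00" msg="TCP connection dropped" src=198.51.100.50:2001:WAN dst=198.51.100.1:445:WAN proto=tcp/445
id=firewall time="2009-01-21 09:30:00" msg="TCP connection dropped" src=198.51.100.50:2002:WAN dst=198.51.100.1:445:WAN proto=tcp/445
id=firewall time="2009-01-21 11:00:00" msg="TCP connection dropped" src=198.51.100.50:2003:WAN dst=198.51.100.1:445:WAN proto=tcp/445
"""

# SMB over TCP (445) plus the older NetBIOS ports (137-139).
SMB_PORTS = {445, 137, 138, 139}

# key=value pairs; values are either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Return {time, src_ip, dst_ip, dst_port, proto} for one log line, or None if it
    lacks the fields we need (e.g. a non-traffic message)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not {"time", "src", "dst"} <= fields.keys():
        return None
    src_ip = fields["src"].split(":")[0]          # "ip:port:zone" -> ip
    dst_parts = fields["dst"].split(":")
    try:
        dst_port = int(dst_parts[1])
    except (IndexError, ValueError):
        return None
    return {
        "time": datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S"),
        "src_ip": src_ip,
        "dst_ip": dst_parts[0],
        "dst_port": dst_port,
        "proto": fields.get("proto", ""),
    }


def smb_probes(log_text):
    """Yield parsed entries whose destination port is an SMB/NetBIOS port."""
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["dst_port"] in SMB_PORTS:
            yield entry


def repeat_offenders(log_text, threshold=3, window_minutes=60):
    """Map source IP -> largest number of SMB probes it sent within any span of
    window_minutes, keeping only sources that reached threshold.  A source that sends
    three probes in a few minutes is a scanner/worm; three spread over a day is noise."""
    times = defaultdict(list)
    for entry in smb_probes(log_text):
        times[entry["src_ip"]].append(entry["time"])
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):              # two-pointer sliding window
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, hits in sorted(repeat_offenders(SAMPLE_LOG).items()):
        print(f"{src}: {hits} SMB probes within 60 min")
```

With the constructed sample, only 203.0.113.5 is flagged: it hits 445 three times inside four minutes (its probe of port 33662 is ignored because that is not an SMB port). 198.51.100.50 also sends three 445 probes, but 90 minutes apart, so the 60-minute window treats it as background noise; widen the window or lower the threshold and it shows up. Sources that do get flagged are the ones to feed into a firewall address object or an abuse report to the owner returned by ARIN.net, keeping in mind the caveat above that many will be dynamic addresses and the block will age badly.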

Author

Commented:
Thank you for your input on this! Sounds like everything is working as planned and the firewall is doing its job. Thanks for the two links to read also; good information!