a lot of denys on watchguard firewall

Hello,

I am getting a lot of denies on my WatchGuard Peak X5550 firewall from internal traffic. They seem to be DNS and SMTP denial-of-service attacks from my outbound SMTP server. Also, I am getting a lot of denies from a local address to 169.254.109.222 for ports 137 and 139. It seems to me that NetBIOS traffic is trying to route to the firewall.

Because of these constant denies, the traffic is always high on the WatchGuard and slows down performance.

Please see sample of logs below.

thanks

phil

2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"

2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)    

2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"
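A small parser for the deny lines quoted above, added here as an example (it is not code from the thread or from WatchGuard). It assumes the field order visible in the three sample lines and tags each deny with the conditions the thread goes on to discuss: the DoS-prevention drop, a 169.254.x.y (APIPA) destination, and NetBIOS ports.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: the three deny lines quoted in the question above.
SAMPLE_LOG = """\
2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"
2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)
2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"
"""

# Field layout inferred from the sample; n1/n2 are the two numbers the thread does not explain.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<service>\S+) (?P<sport>\d+) (?P<dport>\d+) (?P<src_if>\S+) (?P<dst_if>\S+) "
    r"(?P<msg>.*?) (?P<n1>\d+) (?P<n2>\d+) \((?P<reason>[^)]*)\)"
    r'(?:\s+tcpinfo="(?P<tcpinfo>[^"]*)")?\s*$'
)
APIPA = ipaddress.ip_network("169.254.0.0/16")   # auto-configured address, no DHCP lease
NETBIOS_PORTS = {137, 138, 139}

def parse_line(line):
    """Split one WatchGuard traffic-log line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def tags_for(rec):
    """Label a deny with the conditions the thread discusses."""
    tags = set()
    if "denial-of-service" in rec["msg"]:
        tags.add("dos_prevention")           # per-client connection quota exceeded
    if ipaddress.ip_address(rec["dst"]) in APIPA:
        tags.add("apipa_destination")        # 169.254.x.y: a host that got no DHCP lease
    if rec["sport"] in NETBIOS_PORTS or rec["dport"] in NETBIOS_PORTS:
        tags.add("netbios")
    return tags

def summarize(text):
    """Count tagged denies per source IP so the noisy hosts stand out."""
    per_src = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny":
            for tag in tags_for(rec):
                per_src[rec["src"]][tag] += 1
    return {src: dict(c) for src, c in per_src.items()}
```

Run over a full day's log, `summarize` separates a mail server tripping the quota from machines answering a phantom 169.254 address, which is exactly the split the answers below make.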
giltjr commented:
What is the computer with the IP address 192.168.6.46? If it is NOT an SMTP server, then it may be infected with a virus/worm and is attempting to send spam e-mail and attempting to do its own name look-ups. Do you see this type of activity from other computers? If so, then you most likely have a few computers that are infected.

Now, 169.254.109.222 is an auto-generated IP address used when a computer could not find a DHCP server. I would try and track down that computer.

 
dpk_wal commented:
As the SMTP server needs DNS and outbound traffic would be TCP/25, this can be legitimate traffic; however, there is a possibility that the server is infected with some malware. Check for that.

For the other internal machine sending out traffic on ports 137/139, it is definitely NetBIOS traffic; however, 169.254.x.y is an APIPA address (as MS calls it). Disabling NetBIOS would be a good option if you are not already using NetBIOS. Also check for malware on this system.

Thank you.
 
philipfarnes (Author) commented:
Thanks for the response. After further investigation I found the 169.254 is being generated for each PC from the spanning port on our Websense server. I think to solve this you have to remove TCP/IP from the 2nd NIC plugged into the span port.

 
Thanks
 
philipfarnes (Author) commented:
In regards to 6.46, that is our SMTP outbound server. We have an antivirus policy that only lets specific servers send mail. Also, we can send out up to 500-1000 emails at once to clients, so I assume the WatchGuard is thinking it's a denial-of-service attack from inside. It was set for 100 connections but I have upped it to 500 before it denies. Does that sound right?
 
dpk_wal commented:
>> It was set for 100 connections but I have upped it to 500 before it denies
I think you are talking about the "Distributed Denial-of-Service Prevention" limit under Intrusion Prevention (Default Packet Handling). Per Client Quota is the maximum allowed number of connections per second from a source IP address protected by the Firebox.

Yes, you are correct, increasing the limit would help. As you can send up to 1000 emails at once, I think you should set the limit to 1000 instead of 500.

Thank you.
 
philipfarnes (Author) commented:
Is there then a threat of receiving 1000 connections externally before DoS prevention kicks in?

 
dpk_wal commented:
I am not 100% sure, but I think the way this should be implemented is:
For outbound connecting there would be NAT/session entries; all corresponding traffic should be allowed in without checking for Per Server Quota parameter value.

Per Server Quota should only be looked for all inbound connections which are initialized from the internet.

Thank you.
 
philipfarnes (Author) commented:
How would you set this? From what I can tell this is an overall firewall configuration.

Th
 
dpk_wal commented:
There is no configuration needed; for all outbound traffic, corresponding traffic is allowed as it is part of state/session.

All we can set are the limits for the number of outbound connections from a single client behind the Firebox, and the maximum number of inbound connections for a server behind the Firebox.

Sorry, if my earlier post confused you.

Thank you.
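A toy stateful model of the quota behaviour dpk_wal describes in the last few replies, added here as an illustration (it is not WatchGuard's code and dpk_wal's description is not confirmed by the vendor on this page). It assumes a one-second sliding window, a trusted subnet of 192.168.6.0/24, and that only connection-opening packets (TCP SYN) are counted against a quota; anything matching an existing session passes without a quota check, and a stateless reply such as the APIPA SYN-ACK line in the question is dropped.

```python
import ipaddress
from collections import defaultdict, deque


class QuotaFirewall:
    """Toy model of per-client / per-server connection quotas; not WatchGuard's code."""

    def __init__(self, per_client, per_server, trusted_net):
        self.per_client = per_client          # new outbound conns/sec per internal IP
        self.per_server = per_server          # new inbound conns/sec per internal server
        self.trusted = ipaddress.ip_network(trusted_net)
        self.sessions = set()                 # (src, sport, dst, dport) of allowed openers
        self.recent = defaultdict(deque)      # quota key -> timestamps in the last second

    def _within_quota(self, key, ts, limit):
        q = self.recent[key]
        while q and ts - q[0] >= 1.0:         # one-second sliding window (assumed)
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(ts)
        return True

    def packet(self, ts, src, sport, dst, dport, opener):
        """Return 'allow' or 'deny'. opener=True means the packet starts a connection."""
        if (src, sport, dst, dport) in self.sessions or (dst, dport, src, sport) in self.sessions:
            return "allow"                    # belongs to a session: no quota check at all
        if not opener:
            return "deny"                     # stateless reply, like the APIPA SYN-ACK line
        if ipaddress.ip_address(src) in self.trusted:
            ok = self._within_quota(("client", src), ts, self.per_client)   # outbound
        else:
            ok = self._within_quota(("server", dst), ts, self.per_server)   # inbound
        if ok:
            self.sessions.add((src, sport, dst, dport))
        return "allow" if ok else "deny"


def demo(per_client=100, burst=150):
    """Mail server opens `burst` SMTP sessions in one second, then replies come back."""
    fw = QuotaFirewall(per_client, per_server=100, trusted_net="192.168.6.0/24")
    out = [fw.packet(0.0, "192.168.6.46", 40000 + i, "74.53.227.210", 25, True)
           for i in range(burst)]
    back = [fw.packet(0.5, "74.53.227.210", 25, "192.168.6.46", 40000 + i, False)
            for i in range(burst)]
    stray = fw.packet(0.6, "192.168.6.95", 139, "169.254.109.222", 4937, False)
    return out.count("deny"), back.count("allow"), stray
```

With the original limit of 100, `demo()` denies 50 of the 150 outbound openers and lets all 100 established sessions' replies back in; raising `per_client` to 500 removes the outbound denies without changing what an unsolicited inbound connection is allowed to do.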
