Solved

a lot of denies on watchguard firewall

Posted on 2009-04-15
Last Modified: 2013-11-16
Hello,

I am getting a lot of denies on my watchguard peek x5550 firewall from internal traffic.  They seem to be dns and smtp denial of service attacks from my outbound smtp server.  Also, I am getting a lot of denies from a local address to a 169.254.109.222 for port 137 and 139.  It seems to me that netbios traffic is trying to route to the firewall.

Because of these constant denies the traffic is always high on the watchguard and slows down performance.

Please see sample of logs below.

thanks

phil

2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"

2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)    

2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"
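As an added illustration (not part of this thread), the following Python script triages the three deny lines quoted above: it parses the WatchGuard traffic-log field layout (inferred from those lines, an assumption), counts denies per internal source, separates the "denial-of-service attack" drops from the "Unhandled Internal Packet" drops, and flags link-local 169.254.x.x destinations and NetBIOS ports.

```python
import re
import ipaddress
from collections import Counter

# WatchGuard traffic-log line, as seen in the question:
#   date time action src dst service/proto sport dport src-iface dst-iface
#   <message> <len> <ttl> (<reason>) [tcpinfo="..."]
# The layout is an assumption inferred from those three lines.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>Allow|Deny) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<src_if>\S+) (?P<dst_if>\S+) (?P<msg>.*?)\s+\d+ \d+ \((?P<reason>[^)]*)\)"
)
NETBIOS_PORTS = {137, 138, 139}

# Sample input: the three deny lines quoted in the question.
SAMPLE = [
    '2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"',
    '2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)    ',
    '2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"',
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["proto"] = rec["svc"].rsplit("/", 1)[-1]
    return rec


def summarize(lines):
    """Group Deny events the way you would triage them: per-source counts,
    sources tripping the DoS-prevention check, link-local (APIPA) destinations,
    and flows touching NetBIOS ports."""
    recs = [r for r in map(parse_line, lines) if r and r["action"] == "Deny"]
    return {
        "denies_by_src": dict(Counter(r["src"] for r in recs)),
        "dos_by_src": dict(Counter(r["src"] for r in recs
                                   if r["msg"].startswith("denial-of-service"))),
        "apipa_dst": sorted({r["dst"] for r in recs
                             if ipaddress.ip_address(r["dst"]).is_link_local}),
        "netbios": [(r["src"], r["dst"], r["sport"], r["dport"]) for r in recs
                    if {r["sport"], r["dport"]} & NETBIOS_PORTS],
        "reasons": dict(Counter(r["reason"] for r in recs)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that the third line is a SYN-ACK (tcpinfo "SA") from 192.168.6.95:139, i.e. the internal host answering the 169.254 address, which matches the NetBIOS diagnosis given below.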
Question by:philipfarnes

Expert Comment by:giltjr
What is the computer with the IP address 192.168.6.46?  If it is NOT an SMTP server, then it may be infected with a virus/worm and is attempting to send spam e-mail and attempting to do its own name look-ups.  Do you see this type of activity from other computers?  If so, then you most likely have a few computers that are infected.

Now, 169.254.109.222 is an auto-generated IP address used when a computer could not find a DHCP server.  I would try and track down that computer.

Expert Comment by:dpk_wal
As the SMTP server needs DNS and outbound traffic would be TCP/25, this can be legitimate traffic; however, there is a possibility that the server is infected with some malware. Check for that.

As for the other internal machine sending out traffic on ports 137/139, it is definitely NetBIOS traffic; however, 169.254.x.y is an APIPA address (as MS calls it); disabling NetBIOS would be a good option if you are not already using NetBIOS. Also check for malware on this system.

Thank you.
Author Comment by:philipfarnes
Thanks for the response. After further investigation I found the 169.254 is being generated for each PC from the spanning port on our websense server.  I think to solve this you have to remove TCP/IP from the 2nd NIC plugged into the span port.

 
Thanks
Author Comment by:philipfarnes
In regards to 6.46, that is our SMTP outbound server. We have an antivirus policy that only lets specific servers send mail. Also, we can send out up to 500-1000 emails at once to clients, so I assume the watchguard is thinking it's a denial of service attack from inside.  It was set for 100 connections but I have upped it to 500 before it denies. Does that sound right?
Expert Comment by:dpk_wal
>> It was set for 100 connections but I have upped it to 500 before it denies
I think you are talking about the "Distributed Denial-of-Service Prevention" limit under Intrusion Prevention (Default Packet Handling). Per Client Quota is the maximum allowed number of connections per second from a source IP address protected by the Firebox.

Yes, you are correct, increasing the limit would help. As you can send up to 1000 emails at once, I think you should set the limit to 1000 instead of 500.

Thank you.
Author Comment by:philipfarnes
Is there then a threat of receiving 1000 connections externally before d-o-s prevention kicks in?

Expert Comment by:dpk_wal
I am not 100% sure, but I think the way this should be implemented is:
For outbound connections there would be NAT/session entries; all corresponding traffic should be allowed in without checking the Per Server Quota parameter value.

Per Server Quota should only be checked for inbound connections which are initiated from the internet.

Thank you.
Author Comment by:philipfarnes
How would you set this? From what I can tell this is an overall firewall configuration.

Th
Accepted Solution by:dpk_wal (earned 500 total points)
There is no configuration needed; for all outbound traffic, corresponding traffic is allowed as it is part of state/session.

All we can set are the limits for the number of outbound connections from a single client behind the Firebox, and the maximum number of inbound connections for a server behind the Firebox.

Sorry, if my earlier post confused you.

Thank you.