Solved

a lot of denys on watchguard firewall

Posted on 2009-04-15
Last Modified: 2013-11-16
Hello,

I am getting a lot of denies on my WatchGuard Peak X5550 firewall from internal traffic. They seem to be DNS and SMTP denial-of-service attacks from my outbound SMTP server. Also, I am getting a lot of denies from a local address to 169.254.109.222 for ports 137 and 139. It seems to me that NetBIOS traffic is trying to route to the firewall.

Because of these constant denies, traffic on the WatchGuard is always high and it slows down performance.

Please see sample of logs below.

thanks

phil

2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"

2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)    

2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"
Question by:philipfarnes
9 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 24153495
What is the computer with the IP address 192.168.6.46? If it is NOT an SMTP server, then it may be infected with a virus/worm and is attempting to send spam e-mail and attempting to do its own name look-ups. Do you see this type of activity from other computers? If so, then you most likely have a few computers that are infected.

Now, 169.254.109.222 is an auto-generated IP address used when a computer could not find a DHCP server. I would try and track down that computer.

 
LVL 32

Expert Comment

by:dpk_wal
ID: 24154495
As the SMTP server needs DNS and its outbound traffic would be TCP/25, this can be legitimate traffic; however, there is a possibility that the server is infected with some malware. Check for that.

For the other internal machine sending out traffic on ports 137/139, it is definitely NetBIOS traffic; however, 169.254.x.y is an APIPA address (as MS calls it). Disabling NetBIOS would be a good option if you are not already using NetBIOS. Also check for malware on this system.

Thank you.
 

Author Comment

by:philipfarnes
ID: 24154763
Thanks for the response. After further investigation I found the 169.254 address is being generated for each PC from the spanning port on our Websense server. I think to solve this you have to remove TCP/IP from the 2nd NIC plugged into the span port.

 
Thanks
 

Author Comment

by:philipfarnes
ID: 24154784
In regards to 6.46, that is our SMTP outbound server. We have an antivirus policy that only lets specific servers send mail. Also, we can send out up to 500-1000 emails at once to clients, so I assume the WatchGuard is thinking it's a denial-of-service attack from inside. It was set for 100 connections but I have upped it to 500 before it denies. Does that sound right?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24156050
>> It was set for 100 connections but I have upped it to 500 before it denies
I think you are talking about the "Distributed Denial-of-Service Prevention" limit under Intrusion Prevention (Default Packet Handling). Per Client Quota is the maximum allowed number of connections per second from a source IP address protected by the Firebox.

Yes, you are correct, increasing the limit would help. As you can send up to 1000 emails at once, I think you should set the limit to 1000 instead of 500.

Thank you.
 

Author Comment

by:philipfarnes
ID: 24156070
Is there then a threat of receiving 1000 connections externally before DoS prevention kicks in?

 
LVL 32

Expert Comment

by:dpk_wal
ID: 24156461
I am not 100% sure, but I think the way this should be implemented is:
For outbound connections there would be NAT/session entries; all corresponding traffic should be allowed in without checking the Per Server Quota parameter value.

Per Server Quota should only be checked for inbound connections which are initiated from the internet.

Thank you.
 

Author Comment

by:philipfarnes
ID: 24165494
How would you set this? From what I can tell this is an overall firewall configuration.

Th
 
LVL 32

Accepted Solution

by: dpk_wal (earned 500 total points)
ID: 24165514
There is no configuration needed; for all outbound traffic, corresponding traffic is allowed as it is part of state/session.

All we can set are the limits for the number of outbound connections from a single client behind the Firebox, and the maximum number of inbound connections for a server behind the Firebox.

Sorry, if my earlier post confused you.

Thank you.
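As an added, runnable example that is not part of this thread (written for this edit, not by any of the posters and not WatchGuard's own tooling): a small Python script that parses deny lines in the layout of the three lines posted in the question, lists internal hosts that are talking to the 169.254.0.0/16 APIPA range (the symptom that turned out to be the Websense span-port NIC), and computes the peak number of logged packets per source address per second, which is the figure you want before choosing a Per Client Quota instead of guessing 500 or 1000. The field order is assumed from the posted sample, not taken from WatchGuard documentation; the extra lines in SAMPLE_LOG are constructed for the example (203.0.113.10 is a documentation address); and the per-second count is an approximation of the quota's connections-per-second rate built from log entries, not from the Firebox session table.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Field order assumed from the three lines posted in the question:
# <date> <time> Deny <src> <dst> <service>/<proto> <sport> <dport> <src_iface> <dst_iface> <reason ...>
LOG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>Deny|Allow)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<svc>\S+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+(?P<reason>.*)$"
)

APIPA = ipaddress.ip_network("169.254.0.0/16")   # link-local, self-assigned when DHCP fails
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample: the question's three lines plus two invented lines from the
# mail relay (203.0.113.10 is a documentation address) and one line of junk to
# show that unparseable input is skipped rather than crashing the parser.
SAMPLE_LOG = """\
2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"
2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)
2009-04-15 11:46:30 Deny 192.168.6.46 203.0.113.10 smtp/tcp 38757 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)
2009-04-15 11:46:31 Deny 192.168.6.46 203.0.113.10 smtp/tcp 38758 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)
2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"
not a log line at all
"""


def parse_line(line):
    """Parse one log line into a dict; return None if it does not fit the assumed layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["proto"] = rec["svc"].rsplit("/", 1)[-1]     # "smtp/tcp" -> "tcp"
    rec["when"] = f'{rec["date"]} {rec["time"]}'     # one-second bucket key
    return rec


def parse_log(text):
    """Parse every line of a log dump, silently dropping lines that do not match."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def link_local_talkers(records):
    """Map each source to the 169.254/16 destinations it tried to reach.
    Any hit means some host (or a second NIC on it) is running with an APIPA address."""
    hits = defaultdict(set)
    for rec in records:
        try:
            if ipaddress.ip_address(rec["dst"]) in APIPA:
                hits[rec["src"]].add(rec["dst"])
        except ValueError:            # destination logged as a name, not an address
            continue
    return dict(hits)


def netbios_records(records):
    """Records with a NetBIOS port (137/138/139) on either end of the flow."""
    return [r for r in records if {r["sport"], r["dport"]} & NETBIOS_PORTS]


def per_second_counts(records):
    """Logged packets per (source, second).  An approximation of the
    'connections per second from one client' that the Per Client Quota is
    compared against: it counts log entries, not Firebox session-table state."""
    return Counter((rec["src"], rec["when"]) for rec in records)


def peak_rate_by_source(records):
    """Highest per-second count seen for each source address."""
    peak = {}
    for (src, _), n in per_second_counts(records).items():
        peak[src] = max(peak.get(src, 0), n)
    return peak


def quota_offenders(records, quota):
    """Sources whose peak per-second count exceeds `quota`, i.e. the hosts that
    would still be denied unless the Per Client Quota is raised above their peak."""
    return {src: n for src, n in peak_rate_by_source(records).items() if n > quota}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("parsed records:", len(recs))
    print("APIPA destinations by source:", link_local_talkers(recs))
    print("NetBIOS denies:", [(r["src"], r["dst"], r["sport"], r["dport"]) for r in netbios_records(recs)])
    print("peak packets/second by source:", peak_rate_by_source(recs))
    print("still denied at a quota of 2/s:", quota_offenders(recs, 2))
```

Run it against an export of the real Traffic Monitor log instead of SAMPLE_LOG: the `quota_offenders` result tells you which internal hosts are actually hitting the quota and by how much, so the mail relay's real burst size (not a guess of 500 or 1000) sets the limit, and `link_local_talkers` will show every source that still has a NIC with an APIPA address after the Websense span port is fixed.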
