Solved

A lot of denies on WatchGuard firewall

Posted on 2009-04-15
Last Modified: 2013-11-16
Hello,

I am getting a lot of denies on my WatchGuard Peak X5550 firewall from internal traffic.  They seem to be DNS and SMTP denial-of-service attacks from my outbound SMTP server.  Also, I am getting a lot of denies from a local address to 169.254.109.222 on ports 137 and 139.  It seems to me that NetBIOS traffic is trying to route to the firewall.

Because of these constant denies, the traffic load on the WatchGuard is always high and slows down performance.

Please see sample of logs below.

thanks

phil

2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"

2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)    

2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"
Question by:philipfarnes
9 Comments
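Reading three log lines by hand is easy; with the volume the question describes it helps to parse them. The following is an added example (not from the thread and not WatchGuard code) that parses deny lines in the layout shown in the question and tags each one as a DoS-prevention drop, as involving a link-local (APIPA, 169.254.0.0/16) address, as NetBIOS traffic, or as a SYN-ACK reply (the third posted line carries the `SA` flag, so 192.168.6.95 is answering a connection rather than starting one), then counts tags per source host. The field layout is inferred from the three posted lines and is an assumption; the last two sample lines are constructed, not from the original post.

```python
"""Triage WatchGuard Firebox deny lines like the ones posted in the question.

Added example, not WatchGuard code. The field layout is an assumption
inferred from the three posted lines:
  date time action src dst service/proto sport dport src_if dst_if
  message length ttl (policy) [tcpinfo="offset N FLAGS seq win W"]
"""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<service>\S+)/(?P<proto>\w+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src_if>\S+) (?P<dst_if>\S+) "
    r"(?P<msg>.+?) (?P<length>\d+) (?P<ttl>\d+) \((?P<policy>[^)]*)\)"
    r'(?:\s+tcpinfo="(?P<tcpinfo>[^"]*)")?\s*$'
)

NETBIOS_PORTS = {137, 138, 139, 445}


@dataclass
class Deny:
    ts: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    msg: str
    policy: str
    tcpflags: str  # "S", "SA", ... taken from tcpinfo; "" for UDP

    def tags(self):
        """Labels a practitioner would want on each deny."""
        t = set()
        if "denial-of-service" in self.msg:
            t.add("dos-prevention")   # the DDoS-prevention quota fired
        if any(ipaddress.ip_address(a).is_link_local for a in (self.src, self.dst)):
            t.add("apipa")            # 169.254.0.0/16: a host that never got a DHCP lease
        if self.sport in NETBIOS_PORTS or self.dport in NETBIOS_PORTS:
            t.add("netbios")
        if self.tcpflags == "SA":
            t.add("reply")            # SYN-ACK: this host is answering a connection
        return t


def parse_deny(line):
    """Return a Deny for a matching Deny line, else None."""
    m = LOG_RE.match(line)
    if not m or m["action"] != "Deny":
        return None
    flags = ""
    if m["tcpinfo"]:
        parts = m["tcpinfo"].split()  # e.g. ['offset', '7', 'SA', '3256565437', 'win', '64240']
        flags = parts[2] if len(parts) > 2 else ""
    return Deny(m["ts"], m["src"], m["dst"], m["proto"], int(m["sport"]),
                int(m["dport"]), m["msg"], m["policy"], flags)


def triage(lines):
    """Parse all lines; return (denies, {src: Counter(tag -> count)})."""
    denies = [d for d in map(parse_deny, lines) if d is not None]
    per_src = defaultdict(Counter)
    for d in denies:
        per_src[d.src].update(d.tags())
    return denies, dict(per_src)


# Three lines copied from the question, then two constructed lines in the same
# (assumed) layout: one more NetBIOS deny and an Allow that must be ignored.
SAMPLE_LINES = [
    '2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"',
    "2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)    ",
    '2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"',
    "2009-04-15 11:44:05 Deny 192.168.6.95 169.254.109.222 137/udp 137 137 1-Trusted 2-BIS denied 78 127 (Unhandled Internal Packet-00)",
    "2009-04-15 11:44:06 Allow 192.168.6.46 74.53.227.210 smtp/tcp 38757 25 1-Trusted 0-Clara.Net allowed 48 127 (SMTP-Out)",
]

if __name__ == "__main__":
    denies, per_src = triage(SAMPLE_LINES)
    for src, counts in sorted(per_src.items()):
        print(src, dict(counts))
```

Run it against an exported log file (one line per entry) instead of `SAMPLE_LINES` and sort `per_src` by the `dos-prevention` count to see which trusted hosts trip the quota; any host other than the mail relay tagged `dos-prevention` on port 25 is the "possibly infected" case the first two comments describe.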
 

Expert Comment

by:giltjr
ID: 24153495
What is the computer with the IP address 192.168.6.46?  If it is NOT an SMTP server, then it may be infected with a virus/worm and is attempting to send spam e-mail and attempting to do its own name look-ups.  Do you see this type of activity from other computers?  If so, then you most likely have a few computers that are infected.

Now, 169.254.109.222 is an auto-generated IP address used when a computer could not find a DHCP server.  I would try to track down that computer.

 

Expert Comment

by:dpk_wal
ID: 24154495
As the SMTP server needs DNS and its outbound traffic would be TCP/25, this can be legitimate traffic; however, there is a possibility that the server is infected with some malware. Check for that.

For the other internal machine sending out traffic on ports 137/139, it is definitely NetBIOS traffic; however, 169.254.x.y is an APIPA address (as MS calls it); disabling NetBIOS would be a good option if you are not already using NetBIOS. Also check for malware on this system.

Thank you.
 

Author Comment

by:philipfarnes
ID: 24154763
Thanks for the response. After further investigation I found the 169.254 is being generated for each PC from the spanning port on our Websense server.  I think to solve this you have to remove TCP/IP from the 2nd NIC plugged into the span port.

 
Thanks

 

Author Comment

by:philipfarnes
ID: 24154784
In regards to 6.46, that is our SMTP outbound server. We have an antivirus policy that only lets specific servers send mail. Also, we can send out up to 500-1000 emails at once to clients, so I assume the WatchGuard is thinking it's a denial-of-service attack from inside.  It was set for 100 connections but I have upped it to 500 before it denies. Does that sound right?
 

Expert Comment

by:dpk_wal
ID: 24156050
>>  It was set for 100 connections but I have upped it to 500 before it denies
I think you are talking about the "Distributed Denial-of-Service Prevention" limit under Intrusion Prevention (Default Packet Handling). Per Client Quota is the maximum allowed number of connections per second from a source IP address protected by the Firebox.

Yes, you are correct, increasing the limit would help. As you can send up to 1000 emails at once, I think you should set the limit to 1000 instead of 500.

Thank you.
 

Author Comment

by:philipfarnes
ID: 24156070
Is there then a threat of receiving 1000 connections externally before DoS prevention kicks in?

 

Expert Comment

by:dpk_wal
ID: 24156461
I am not 100% sure, but I think the way this should be implemented is:
For outbound connections there would be NAT/session entries; all corresponding traffic should be allowed in without checking the Per Server Quota parameter value.

Per Server Quota should only be checked for inbound connections which are initiated from the internet.

Thank you.
 

Author Comment

by:philipfarnes
ID: 24165494
How would you set this? From what I can tell there is an overall firewall configuration.

Th
 

Accepted Solution

by:dpk_wal (earned 1500 total points)
ID: 24165514
There is no configuration needed; for all outbound traffic, the corresponding traffic is allowed as it is part of the state/session.

All we can set are the limits for the number of outbound connections from a single client behind the Firebox, and the maximum number of inbound connections for a server behind the Firebox.

Sorry, if my earlier post confused you.

Thank you.
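The last three comments describe the quota as a count of new connections per second from one source, with traffic belonging to an established session never counted, and the inbound per-server limit being a separate counter. The following toy model is added here to make that concrete with the thread's own numbers; it is a simplification of the behaviour described above, not WatchGuard's implementation, and the answer's author was not certain of the details either. It runs a burst of 500 outbound SMTP connections from the mail server against a quota of 100 and then 500, lets the SYN-ACK replies ride on the state table, and separately throws an inbound burst from an internet host at the per-server quota. Host addresses other than 192.168.6.46 and 74.53.227.210, the port numbers, quotas and burst sizes are constructed.

```python
"""Toy model of a stateful firewall with per-client and per-server
connection quotas, as described in the thread.

Added example: a simplified model, not WatchGuard's implementation. The
quota is taken to be "new connections per second from one source IP"
(per-client, for hosts behind the firewall) or "new connections per second
to one destination IP" (per-server, for connections from the internet).
Packets matching an existing session bypass the quota entirely.
Hosts, ports, quotas and burst sizes below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    t: float       # seconds since start
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


@dataclass
class Firewall:
    per_client_quota: int          # new outbound conns/sec per trusted host
    per_server_quota: int          # new inbound conns/sec per protected server
    trusted: frozenset             # hosts on the Trusted interface
    sessions: set = field(default_factory=set)
    new_per_sec: dict = field(default_factory=lambda: defaultdict(int))
    log: list = field(default_factory=list)

    def handle(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "allow-state"      # belongs to a session: never quota-checked
        if not p.syn or p.ack:
            return "drop-unhandled"   # no session and not a connection request
        outbound = p.src in self.trusted
        # outbound: count against the source (per-client quota);
        # inbound: count against the destination (per-server quota)
        key = (int(p.t), p.src if outbound else p.dst)
        quota = self.per_client_quota if outbound else self.per_server_quota
        if self.new_per_sec[key] >= quota:
            self.log.append(f"{p.t:.3f} Deny {p.src} {p.dst} {p.dport}/tcp "
                            "denial-of-service attack, drop this packet")
            return "drop-quota"
        self.new_per_sec[key] += 1
        self.sessions.add(fwd)
        return "allow-new"


MAIL_SERVER = "192.168.6.46"     # the Trusted-side SMTP relay from the thread
REMOTE_MX = "74.53.227.210"      # the internet MX from the first log line
SCANNER = "203.0.113.9"          # constructed internet host hammering inbound


def outbound_smtp_burst(quota, n):
    """n outbound SMTP connections from the mail server inside one second,
    each answered by a SYN-ACK from the remote MX when it got through."""
    fw = Firewall(quota, quota, frozenset({MAIL_SERVER}))
    result = Counter()
    for i in range(n):
        t = i / n                                  # all within second 0
        verdict = fw.handle(Packet(t, MAIL_SERVER, REMOTE_MX, 30000 + i, 25, True, False))
        result[verdict] += 1
        if verdict == "allow-new":                 # the MX only answers SYNs that got out
            result[fw.handle(Packet(t + 0.01, REMOTE_MX, MAIL_SERVER, 25, 30000 + i, True, True))] += 1
    return dict(result)


def inbound_burst(per_server_quota, n):
    """n new inbound SMTP connections from one internet host inside one second."""
    fw = Firewall(1000, per_server_quota, frozenset({MAIL_SERVER}))
    result = Counter()
    for i in range(n):
        result[fw.handle(Packet(i / n, SCANNER, MAIL_SERVER, 40000 + i, 25, True, False))] += 1
    return dict(result)


if __name__ == "__main__":
    print("quota 100, 500 msgs :", outbound_smtp_burst(100, 500))
    print("quota 500, 500 msgs :", outbound_smtp_burst(500, 500))
    print("inbound, quota 100  :", inbound_burst(100, 1000))
```

With the quota at 100, 400 of the 500 outbound connections are dropped with the same "denial-of-service attack, drop this packet" text seen in the question, and every reply to a connection that did get out passes on state alone; raising the per-client quota to 500 clears the drops without touching the inbound limit, which still caps the scanner at 100 new connections per second.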
