Solved

a lot of denies on watchguard firewall

Posted on 2009-04-15
3,683 Views
Last Modified: 2013-11-16
Hello,

I am getting a lot of denies on my WatchGuard peek x5550 firewall from internal traffic. They seem to be DNS and SMTP denial-of-service attacks from my outbound SMTP server. Also, I am getting a lot of denies from a local address to 169.254.109.222 for ports 137 and 139. It seems to me that NetBIOS traffic is trying to route to the firewall.

Because of these constant denies the traffic is always high on the WatchGuard and slows down performance.

Please see sample of logs below.

thanks

phil

2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"

2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)    

2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"
Question by:philipfarnes
9 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 24153495
What is the computer with the IP address 192.168.6.46? If it is NOT an SMTP server, then it may be infected with a virus/worm and is attempting to send spam e-mail and attempting to do its own name look-ups. Do you see this type of activity from other computers? If so, then you most likely have a few computers that are infected.

Now, 169.254.109.222 is an auto-generated IP address used when a computer could not find a DHCP server. I would try and track down that computer.

0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24154495
As the SMTP server needs DNS and outbound traffic would be TCP/25, this can be legitimate traffic; however, there is a possibility that the server is infected with some malware. Check for that.

As for the other internal machine sending out traffic on ports 137/139, that is definitely NetBIOS traffic; however, 169.254.x.y is an APIPA address (as MS calls it). Disabling NetBIOS would be a good option if you are not already using NetBIOS. Also check for malware on this system.

Thank you.
 

Author Comment

by:philipfarnes
ID: 24154763
Thanks for the response. After further investigation I found the 169.254 is being generated for each PC from the spanning port on our Websense server. I think to solve this you have to remove TCP/IP from the 2nd NIC plugged into the span port.

 
Thanks
 

Author Comment

by:philipfarnes
ID: 24154784
In regards to 6.46, that is our SMTP outbound server. We have an antivirus policy that only lets specific servers send mail. Also we can send out up to 500-1000 emails at once to clients, so I assume the WatchGuard is thinking it's a denial of service attack from inside. It was set for 100 connections but I have upped it to 500 before it denies. Does that sound right?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24156050
>>  It was set for 100 connections but I have upped it to 500 before it denies
I think you are talking about the "Distributed Denial-of-Service Prevention" limit under Intrusion Prevention (Default Packet Handling). Per Client Quota is the maximum allowed number of connections per second from a source IP address protected by the Firebox.

Yes, you are correct, increasing the limit would help. As you can send up to 1000 emails at once, I think you should set the limit to 1000 instead of 500.

Thank you.
 

Author Comment

by:philipfarnes
ID: 24156070
Is there then a threat of receiving 1000 connections externally before D-o-S prevention kicks in?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24156461
I am not 100% sure, but I think the way this should be implemented is:
For outbound connections there would be NAT/session entries; all corresponding traffic should be allowed in without checking the Per Server Quota parameter value.

Per Server Quota should only be applied to inbound connections which are initiated from the internet.

Thank you.
 

Author Comment

by:philipfarnes
ID: 24165494
How would you set this? From what I can tell this is an overall firewall configuration.

Th
 
LVL 32

Accepted Solution

by: dpk_wal (earned 1500 total points)
ID: 24165514
There is no configuration needed; for all outbound traffic, corresponding traffic is allowed as it is part of state/session.

All we can set are the limits for the number of outbound connections from a single client behind the Firebox, and the maximum number of inbound connections for a server behind the Firebox.

Sorry, if my earlier post confused you.

Thank you.
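The deny lines quoted in the question and the per-client quota discussed in the later comments, as an added example that is not part of the original thread and not WatchGuard's own tooling: a small Python parser for the Firebox deny format (the field layout is inferred from the three quoted lines, so it is an assumption), which tags records that involve an APIPA 169.254.0.0/16 peer or a NetBIOS/SMB port, and counts connection attempts per source IP and second so the effect of a 100 versus 1000 per-second quota can be compared. The 120-line SMTP burst and the 203.0.113.x destinations are constructed sample data.

```python
"""Parse WatchGuard Firebox deny lines, tag the patterns discussed in the
thread (APIPA peers, NetBIOS ports, DDoS-prevention drops) and apply a
per-client connections-per-second quota to the parsed records.

Added example; not code from the question or from WatchGuard. The log
format is inferred from the three lines quoted in the question (assumption).
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed field layout, taken from the quoted lines:
# <date> <time> <action> <src> <dst> <svc>/<proto> <sport> <dport> <in-if> <out-if> <message> [tcpinfo="..."]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>\d+(?:\.\d+){3}) (?P<dst>\d+(?:\.\d+){3}) "
    r"(?P<svc>[^/\s]+)/(?P<proto>tcp|udp) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<in_if>\S+) (?P<out_if>\S+) (?P<msg>.*?)"
    r'(?:\s+tcpinfo="(?P<tcpinfo>[^"]*)")?\s*$'
)

APIPA = ip_network("169.254.0.0/16")   # link-local / APIPA range
NETBIOS_PORTS = {137, 138, 139, 445}   # NetBIOS name/datagram/session and SMB

# Constructed sample: the three lines from the question plus a synthetic burst
# of 120 SMTP connection attempts in one second from the outbound mail server.
SAMPLE = [
    '2009-04-15 11:46:30 Deny 192.168.6.46 74.53.227.210 smtp/tcp 38756 25 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)   tcpinfo="offset 7 S 1932453848 win 65535"',
    '2009-04-15 11:46:30 Deny 192.168.6.46 18.71.0.151 dns/udp 12574 53 1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 58 127 (internal policy)',
    '2009-04-15 11:44:03 Deny 192.168.6.95 169.254.109.222 4937/tcp 139 4937 1-Trusted 2-BIS denied 48 127 (Unhandled Internal Packet-00)   tcpinfo="offset 7 SA 3256565437 win 64240"',
]
SAMPLE += [
    f"2009-04-15 11:46:31 Deny 192.168.6.46 203.0.113.{i % 250 + 1} smtp/tcp {40000 + i} 25 "
    "1-Trusted 0-Clara.Net denial-of-service attack, drop this packet 48 127 (internal policy)"
    for i in range(120)
]


def parse_line(line):
    """Return a dict of fields for one deny line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r]


def tag_record(rec):
    """Tag a record with the patterns the thread is concerned with."""
    tags = set()
    if ip_address(rec["src"]) in APIPA or ip_address(rec["dst"]) in APIPA:
        tags.add("apipa-peer")        # a host that never got a DHCP lease
    if rec["sport"] in NETBIOS_PORTS or rec["dport"] in NETBIOS_PORTS:
        tags.add("netbios")           # NetBIOS/SMB that should not cross the firewall
    if "denial-of-service" in rec["msg"]:
        tags.add("ddos-prevention")   # dropped by the Firebox DDoS-prevention quota
    return tags


def per_client_rate(records):
    """Connection attempts per (source IP, second), the unit the Per Client Quota uses."""
    rate = Counter()
    for r in records:
        rate[(r["src"], r["ts"])] += 1
    return rate


def sources_over_quota(records, quota):
    """Source IPs that exceed `quota` attempts in any one second."""
    return sorted({src for (src, _), n in per_client_rate(records).items() if n > quota})


def summarize(records):
    """Deny count and union of tags per source IP."""
    summary = defaultdict(lambda: {"denies": 0, "tags": set()})
    for r in records:
        summary[r["src"]]["denies"] += 1
        summary[r["src"]]["tags"] |= tag_record(r)
    return dict(summary)


if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    for src, info in sorted(summarize(recs).items()):
        print(f"{src:15} denies={info['denies']:4} tags={sorted(info['tags'])}")
    for quota in (100, 500, 1000):
        print(f"quota {quota:4}/s: sources over quota -> {sources_over_quota(recs, quota)}")
```

Run against the constructed sample, the 192.168.6.95 record is tagged as both an APIPA peer and NetBIOS (port 139 on the source side, i.e. a SYN-ACK answering a 169.254 host), and the mail server is the only source over a 100-per-second quota while a 1000-per-second quota flags nothing, which is the trade-off the comments describe. Feeding real export lines in place of SAMPLE is the intended use.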
