Solved

Drop TCP packet from WAN /dlink log - what does it mean?

Posted on 2009-05-13
6
2,572 Views
Last Modified: 2012-05-06
Hi,
I just noticed these on in my dlink logs.  What does it mean?

Drop TCP packet from WAN      41.220.12.49:3128      10.0.1.10:61333      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60743      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60743      Rule: Default deny
Drop TCP packet from WAN      41.220.12.49:3128      10.0.1.10:60707      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny

Thanks
T
0
Comment
Question by:Tania_Farmer
6 Comments
 
LVL 16

Accepted Solution

by:
ccomley earned 500 total points
ID: 24372069
What it says - someone "out there" on the internet attempted to make a connection to your system, your firewall has a rule which says not to let these people in - actually it's a default rule, that is, what the firewall does in the absense of any more specific instruction) so it just drops the packet. That is to say, ignores it, rather than either passing it, or responding to it in the negative.

The sending machine will just have "timed out".

It's nothing to worry about.

In fact, as a *general* rule, anything you see in your firewall log is nothing to worry about because it means your firewall has detected and acted upon any problem. The things to worry about are the types of attack your firewall doesn't recognise or can't detect, which it can't block, and, of course, it follows, it can't log either.

There are any NUMBER of reasons why some external computer may be trying to access your network. some legitimate mistakes, keying errors, some attempts to see if you have a "bot" infection or other weakness they can exploit for spamming. It's good that you have a firewall* - but don't lose sleep over all the stuff it logs.

* -  recent experiments showed that if you connect an unprotected Windows XP machine (i.e. with no firewall or software-firewall running) the average time between connecting it and it becoming infected with some bot or trojan is about four minutes...

0
 
LVL 12

Expert Comment

by:geowrian
ID: 24372082
To add to what ccomley said (and he said a lot and said it well), those messages means somebody from the Internet tried to connect to a computer on your local network. The router blocked the attempt. This is normal and helps a great deal with security. If for some reason you wanted to traffic to go through, you would probably need to setup port forwarding on the router to direct it to the PCs you want, or put a PC in the DMZ to act as a catch-all for incoming attempts except those explicitly blocked.
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 24372098
1. Did you setup some firewall rules on your Dlink?

2. If you can view more details about this transaction to see if it was in ESTABLISHED session, or NEW Session. But if is standard case, this is traffic from your local to Web Server outside (Directly and Via Proxy) of ESTABLISHED session. In this case, you must show more details about these sessions, and also your  firewall rules. If it is unusual case (attacker force their localport to 443 (80,3128) and try to open a new connection to your external IP at port (60xxx) then it will be deny by your Dlink, because I don't think you publish any services in this range port, but in this very unusual case, you can forget about it because Dlink did his job. But It's asume, and I think the standard case is more realitic.

0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24373036
I guess this is:
- As you notice all your intranet side ports are  >1024. I means that some client (10.1.0.10) made some TCP/IP connection.
- The ports indicate that the requests were made HTTP, HTTPS and HTTP Proxy pages.
- It seems that your firewall is a SPI (stateful packet inspection) firewall in that it :
  - Does not allow any packet to get in initially
  - It allows the response to get  in once an request have been started from inside.
  - From then one it follws the trraffic and when it detects a disconnection, or end to the session it will block the communication that it previously allowed in.
  - It seems to me that, Thoght your firewall decides the communication has been over the web site either did not get the coonection reset TCP/IP packet or having a longer sessin timeout thinks that the connection is still valid and try to send some more info over the channel.
  - Since your firewall decided that the communication is over it drops the packet and logs it.

Furthermore it can not be an external attempt form outside since the address 10.0.1.10 is not a routable address and even if a site decides to send info to that address since these are not routable adresses the packets would not ended-up in your router.

It is clear that the packets are arriving to your registered IP address (Wan side of your router) and your Router knows that the traffic is destined to your internal address from its state tables that it uses for NAT.
 
Even if it was an hacking attempt then it would only be packet spoofing (Spoofing the TCP/IP headers with the internal addresses.) attempt and which would not work with SPI firewalls.

So I think these log entries are just for you to know that your firewall dropped some communication destined to one of your internal hosts on grounds that Firewall thinks the connection has been terminated. But it can still tell what client the traffic is destined for so it still did not discard the NAT state table but only classified the communication as closed. So you can safely ignore them.
 
0
 

Author Comment

by:Tania_Farmer
ID: 24373138
Hi,
Thanks KermE for your reply.

T.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24373177
You're welcome. I hope I could be of help. :) Good day.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now