Solved

Drop TCP packet from WAN /dlink log - what does it mean?

Posted on 2009-05-13
2,594 Views
Last Modified: 2012-05-06
Hi,
I just noticed these in my D-Link logs. What does it mean?

Drop TCP packet from WAN      41.220.12.49:3128      10.0.1.10:61333      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60743      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60743      Rule: Default deny
Drop TCP packet from WAN      41.220.12.49:3128      10.0.1.10:60707      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny

Thanks
T
Question by:Tania_Farmer
6 Comments
 
Accepted Solution by: ccomley (LVL 16), ID: 24372069, earned 500 total points
What it says: someone "out there" on the internet attempted to make a connection to your system, and your firewall has a rule which says not to let these people in (actually it's a default rule, that is, what the firewall does in the absence of any more specific instruction), so it just drops the packet. That is to say, it ignores it, rather than either passing it or responding to it in the negative.

The sending machine will just have "timed out".

It's nothing to worry about.

In fact, as a *general* rule, anything you see in your firewall log is nothing to worry about because it means your firewall has detected and acted upon any problem. The things to worry about are the types of attack your firewall doesn't recognise or can't detect, which it can't block, and, of course, it follows, it can't log either.

There are any NUMBER of reasons why some external computer may be trying to access your network: some legitimate mistakes, keying errors, some attempts to see if you have a "bot" infection or other weakness they can exploit for spamming. It's good that you have a firewall* - but don't lose sleep over all the stuff it logs.

* - recent experiments showed that if you connect an unprotected Windows XP machine (i.e. with no firewall or software firewall running), the average time between connecting it and it becoming infected with some bot or trojan is about four minutes...

 
Expert Comment by: geowrian (LVL 12), ID: 24372082
To add to what ccomley said (and he said a lot and said it well), those messages mean somebody from the Internet tried to connect to a computer on your local network. The router blocked the attempt. This is normal and helps a great deal with security. If for some reason you wanted the traffic to go through, you would probably need to set up port forwarding on the router to direct it to the PCs you want, or put a PC in the DMZ to act as a catch-all for incoming attempts except those explicitly blocked.
 
Expert Comment by: thetmanvn (LVL 8), ID: 24372098
1. Did you set up some firewall rules on your D-Link?

2. Can you view more details about this transaction, to see whether it was in an ESTABLISHED session or a NEW session? In the standard case, this is traffic from your local network to web servers outside (directly and via proxy) in an ESTABLISHED session. In this case, you would need to show more details about these sessions, and also your firewall rules. In the unusual case (an attacker forces their local port to 443 (or 80, 3128) and tries to open a new connection to your external IP at port 60xxx), it will be denied by your D-Link, because I don't think you publish any services in this port range; but in this very unusual case you can forget about it, because the D-Link did its job. But that is an assumption, and I think the standard case is more realistic.


 
Expert Comment by: Kerem ERSOY (LVL 30), ID: 24373036
I guess this is:
- As you notice, all your intranet-side ports are >1024. It means that some client (10.1.0.10) made some TCP/IP connections.
- The ports indicate that the requests were made to HTTP, HTTPS and HTTP proxy pages.
- It seems that your firewall is an SPI (stateful packet inspection) firewall, in that it:
  - Does not allow any packet to get in initially.
  - Allows the response to get in once a request has been started from inside.
  - From then on it follows the traffic, and when it detects a disconnection or an end to the session, it will block the communication that it previously allowed in.
  - It seems to me that, though your firewall decided the communication was over, the web site either did not get the TCP/IP connection-reset packet or, having a longer session timeout, thinks that the connection is still valid and tries to send some more info over the channel.
  - Since your firewall decided that the communication is over, it drops the packet and logs it.

Furthermore, it cannot be an external attempt from outside, since the address 10.0.1.10 is not a routable address, and even if a site decided to send info to that address, since these are not routable addresses the packets would not end up at your router.

It is clear that the packets are arriving at your registered IP address (WAN side of your router), and your router knows that the traffic is destined for your internal address from the state tables that it uses for NAT.

Even if it was a hacking attempt, it would only be a packet-spoofing attempt (spoofing the TCP/IP headers with the internal addresses), which would not work with SPI firewalls.

So I think these log entries are just there for you to know that your firewall dropped some communication destined for one of your internal hosts, on the grounds that the firewall thinks the connection has been terminated. But it can still tell which client the traffic is destined for, so it still did not discard the NAT state table entry but only classified the communication as closed. So you can safely ignore them.
 
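The reasoning in the answers above (ccomley: a default-deny drop sends nothing back, so the remote end just times out; thetmanvn: the question is whether the packet belonged to an ESTABLISHED session or was a NEW one; Kerem: a reply from port 80/443/3128 landing on a high client port is a late packet for a session whose state entry has already expired) can be turned into a small triage script. The following is an added example, not code from this thread or from D-Link. It parses lines in the format posted in the question and flags each drop as a probable late reply (well-known source port, ephemeral destination port) or as an inbound probe (destination is a low service port). The two 198.51.100.7 lines are constructed to show the second case, and the 1024 ephemeral-port boundary is an assumption about the client's port allocation. As thetmanvn notes, a scanner can forge its source port, so this heuristic cannot tell a forged port-80 source from a genuine late reply; either way the firewall dropped the packet.

```python
"""Triage D-Link 'Drop TCP packet from WAN' log lines.

Added example (not from the thread). A dropped inbound packet whose SOURCE
port is a well-known service port and whose DESTINATION port is an ephemeral
client port is most likely a late packet for an outbound session the
firewall has already aged out of its state table, not a fresh connection
attempt. A drop aimed at a low service port on the inside host is the
opposite case: someone probing a service.
"""
import re
from collections import Counter

# Constructed sample, same format as the lines in the question. The first
# three are the question's own lines; the 198.51.100.7 lines are made up
# (documentation address range) to show inbound probes.
SAMPLE_LOG = """\
Drop TCP packet from WAN      41.220.12.49:3128      10.0.1.10:61333      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny
Drop TCP packet from WAN      198.51.100.7:54021      10.0.1.10:445      Rule: Default deny
Drop TCP packet from WAN      198.51.100.7:54022      10.0.1.10:22      Rule: Default deny
"""

LINE_RE = re.compile(
    r"^Drop TCP packet from WAN\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+)\s+"
    r"Rule:\s*(?P<rule>.+?)\s*$"
)

# Ports an internal client would have been talking TO (HTTP, HTTPS, HTTP
# proxy). A packet FROM one of these landing on a high port is the signature
# of a reply arriving after the session state expired.
SERVICE_PORTS = {80, 443, 3128}
EPHEMERAL_MIN = 1024  # assumption: the client picks source ports above this


def parse_line(line):
    """Return a dict of the fields in one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src_port"] = int(entry["src_port"])
    entry["dst_port"] = int(entry["dst_port"])
    return entry


def classify(entry):
    """Label one parsed drop by the port pattern, not by the source address."""
    src, dst = entry["src_port"], entry["dst_port"]
    if src in SERVICE_PORTS and dst >= EPHEMERAL_MIN:
        return "late-reply"      # stale session state; safe to ignore
    if dst < EPHEMERAL_MIN:
        return "inbound-probe"   # a service port on the inside host was tried
    return "other"               # neither pattern; look at it by hand


def summarize(log_text):
    """Count drops per label across a whole log; unparseable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[classify(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_line(line)
        print(f"{classify(e):14} {e['src_ip']}:{e['src_port']} -> "
              f"{e['dst_ip']}:{e['dst_port']}  ({e['rule']})")
    print(summarize(SAMPLE_LOG))
```

Run it over a saved copy of the router log instead of SAMPLE_LOG and only the "inbound-probe" and "other" buckets deserve a second look; the "late-reply" bucket is the case Kerem describes and the firewall has already handled it.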
 

Author Comment by: Tania_Farmer, ID: 24373138
Hi,
Thanks KermE for your reply.

T.
 
Expert Comment by: Kerem ERSOY (LVL 30), ID: 24373177
You're welcome. I hope I could be of help. :) Good day.