Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Drop TCP packet from WAN /dlink log - what does it mean?

Posted on 2009-05-13
6
Medium Priority
?
2,766 Views
Last Modified: 2012-05-06
Hi,
I just noticed these on in my dlink logs.  What does it mean?

Drop TCP packet from WAN      41.220.12.49:3128      10.0.1.10:61333      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60743      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60781      Rule: Default deny
Drop TCP packet from WAN      199.175.179.210:80      10.0.1.10:60743      Rule: Default deny
Drop TCP packet from WAN      41.220.12.49:3128      10.0.1.10:60707      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny
Drop TCP packet from WAN      209.85.133.19:443      10.0.1.10:60604      Rule: Default deny

Thanks
T
0
Comment
Question by:Tania_Farmer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 17

Accepted Solution

by:
ccomley earned 2000 total points
ID: 24372069
What it says - someone "out there" on the internet attempted to make a connection to your system, your firewall has a rule which says not to let these people in - actually it's a default rule, that is, what the firewall does in the absense of any more specific instruction) so it just drops the packet. That is to say, ignores it, rather than either passing it, or responding to it in the negative.

The sending machine will just have "timed out".

It's nothing to worry about.

In fact, as a *general* rule, anything you see in your firewall log is nothing to worry about because it means your firewall has detected and acted upon any problem. The things to worry about are the types of attack your firewall doesn't recognise or can't detect, which it can't block, and, of course, it follows, it can't log either.

There are any NUMBER of reasons why some external computer may be trying to access your network. some legitimate mistakes, keying errors, some attempts to see if you have a "bot" infection or other weakness they can exploit for spamming. It's good that you have a firewall* - but don't lose sleep over all the stuff it logs.

* -  recent experiments showed that if you connect an unprotected Windows XP machine (i.e. with no firewall or software-firewall running) the average time between connecting it and it becoming infected with some bot or trojan is about four minutes...

0
 
LVL 12

Expert Comment

by:geowrian
ID: 24372082
To add to what ccomley said (and he said a lot and said it well), those messages means somebody from the Internet tried to connect to a computer on your local network. The router blocked the attempt. This is normal and helps a great deal with security. If for some reason you wanted to traffic to go through, you would probably need to setup port forwarding on the router to direct it to the PCs you want, or put a PC in the DMZ to act as a catch-all for incoming attempts except those explicitly blocked.
0
 
LVL 8

Expert Comment

by:thetmanvn
ID: 24372098
1. Did you setup some firewall rules on your Dlink?

2. If you can view more details about this transaction to see if it was in ESTABLISHED session, or NEW Session. But if is standard case, this is traffic from your local to Web Server outside (Directly and Via Proxy) of ESTABLISHED session. In this case, you must show more details about these sessions, and also your  firewall rules. If it is unusual case (attacker force their localport to 443 (80,3128) and try to open a new connection to your external IP at port (60xxx) then it will be deny by your Dlink, because I don't think you publish any services in this range port, but in this very unusual case, you can forget about it because Dlink did his job. But It's asume, and I think the standard case is more realitic.

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24373036
I guess this is:
- As you notice all your intranet side ports are  >1024. I means that some client (10.1.0.10) made some TCP/IP connection.
- The ports indicate that the requests were made HTTP, HTTPS and HTTP Proxy pages.
- It seems that your firewall is a SPI (stateful packet inspection) firewall in that it :
  - Does not allow any packet to get in initially
  - It allows the response to get  in once an request have been started from inside.
  - From then one it follws the trraffic and when it detects a disconnection, or end to the session it will block the communication that it previously allowed in.
  - It seems to me that, Thoght your firewall decides the communication has been over the web site either did not get the coonection reset TCP/IP packet or having a longer sessin timeout thinks that the connection is still valid and try to send some more info over the channel.
  - Since your firewall decided that the communication is over it drops the packet and logs it.

Furthermore it can not be an external attempt form outside since the address 10.0.1.10 is not a routable address and even if a site decides to send info to that address since these are not routable adresses the packets would not ended-up in your router.

It is clear that the packets are arriving to your registered IP address (Wan side of your router) and your Router knows that the traffic is destined to your internal address from its state tables that it uses for NAT.
 
Even if it was an hacking attempt then it would only be packet spoofing (Spoofing the TCP/IP headers with the internal addresses.) attempt and which would not work with SPI firewalls.

So I think these log entries are just for you to know that your firewall dropped some communication destined to one of your internal hosts on grounds that Firewall thinks the connection has been terminated. But it can still tell what client the traffic is destined for so it still did not discard the NAT state table but only classified the communication as closed. So you can safely ignore them.
 
0
 

Author Comment

by:Tania_Farmer
ID: 24373138
Hi,
Thanks KermE for your reply.

T.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24373177
You're welcome. I hope I could be of help. :) Good day.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Make the most of your online learning experience.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question