HornAlum
asked on
Sonicwall - how to block UDP ports to prevent outgoing DDoS Attack
I got an email from our service provider implicating one of our IPs in a DDoS attack against a victim. We were probably smurfed in some way or something. Don't have much experience in this area.
The email states the attacking port was 161, a common UDP port for SNMP.
The IP address given to us as the offender was the IP of our Sonicwall NSA 2400.
I ran an nmap query against that specific port and it tells me the state is "Open/Filtered". I'm running this query from outside my network.
I tried creating a LAN-WAN rule that denies UDP port 161 but that doesn't work. nmap still tells me the port is open/filtered. WAN-LAN rules already block everything except TCP 25 and 443 traffic.
How do I make sure I can block certain UDP ports from leaving our network, hence being "Closed to the public" and show up as "closed" on an nmap query?
ASKER
Yep, already seen that. I've already got the LAN-WAN rule, with source/destination set to any/any, blocking port 161, but it still shows up as open/filtered on nmap.
ASKER
I want to keep SNMP working internally. I just want to make sure nothing goes out to the public/WAN from behind the firewall. I would think creating a block rule from each of the zones to the WAN zone would block this ... I just find it odd that nmap still tells me it is open/filtered.
ASKER
Already had the steps in place to create the firewall rule. Our own Sonicwall tech contract gave us the info for stealth mode.
https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=8110
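Why nmap keeps reporting "open/filtered" for UDP 161, as an added example that is not part of the original thread: a UDP scanner can only call a port closed when an ICMP port-unreachable comes back, so a firewall that silently drops the probe looks the same as a service that ignores it. The Python sketch below classifies a UDP port that way and reproduces the three outcomes on 127.0.0.1; the function names, the loopback setup and the community string "public" are assumptions.

```python
import socket
import threading

# Constructed probe: SNMPv1 GetRequest, community "public", OID sysDescr.0.
SNMP_GET = bytes.fromhex(
    "302602010004067075626c6963a019020101020100020100"
    "300e300c06082b060102010101000500"
)

def classify_udp_port(host, port, payload=SNMP_GET, timeout=1.0, tries=2):
    """Classify a UDP port as a scanner would: by what comes back, if anything."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket: ICMP errors surface as exceptions
        for _ in range(tries):
            try:
                s.send(payload)
                s.recv(4096)
                return "open"            # a datagram came back
            except ConnectionRefusedError:
                return "closed"          # ICMP port unreachable came back
            except socket.timeout:
                continue                 # silence: retry, then give up
            except OSError:
                return "filtered"        # some other ICMP unreachable
    return "open|filtered"               # nothing at all: dropped or ignored

def demo_on_loopback():
    """Reproduce the three outcomes against 127.0.0.1 (constructed test setup)."""
    def bound():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind(("127.0.0.1", 0))
        return s
    answering, silent, unused = bound(), bound(), bound()
    def echo():
        data, peer = answering.recvfrom(4096)
        answering.sendto(data, peer)
    threading.Thread(target=echo, daemon=True).start()
    closed_port = unused.getsockname()[1]
    unused.close()                       # nothing listens here now
    out = {
        "answers": classify_udp_port("127.0.0.1", answering.getsockname()[1]),
        "no listener": classify_udp_port("127.0.0.1", closed_port),
        "silent drop": classify_udp_port("127.0.0.1", silent.getsockname()[1], timeout=0.3),
    }
    answering.close(); silent.close()
    return out

if __name__ == "__main__":
    print(demo_on_loopback())
```

A drop rule or stealth mode therefore leaves the port at "open|filtered" from outside; it only reads "closed" if the device sends the ICMP port-unreachable reply.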