Solved

Internet Traffic Help

Posted on 2014-07-31
Last Modified: 2014-08-20
I have only just gotten to work with these tools and am new to reading this data, so bear with me. I am trying to get my firewall/router and bandwidth/traffic to run as efficiently as possible. When reviewing today, after losing connection multiple times, I was reading the security event details. I need help in determining what I am reading and how, if at all, to fix them. At this moment I have 1916 Scans/Probes events, 145 DoS/Flash Crowd events, 56 Suspect Flow events, and 24 Bad Src-Dst events. Which ones do I worry about and what do I do?

Attached images: One event, Event two

Question by: Jennifer
 
LVL 22

Expert Comment

by: eeRoot
ID: 40235464
These two errors, "invalid src-dst flows" and "TCP null violations", are not specific enough to make a conclusion. But the range of ports that are listed suggests this may be traffic from port scanners or port knockers. You do want to look at the sources of these alerts and at what firewall rules are allowing this traffic. It may be that a firewall rule is too lax and is allowing unwanted connections.

Also, is 172.16.x.x an IP range of your equipment? Some 172.16 addresses are listed as sources of this traffic, along with the public IPs.


Author Comment

by: Jennifer
ID: 40239582
Thanks for the info, eeRoot. I will look at the firewall rules. Yes, 172.16.x.x is an internal IP range. I didn't notice until you mentioned it that these were in the source and destination list as well. I saw the IP location and knew it was one of ours. I guess one question would be: while these don't look good, are they detrimental? Any thoughts on why my equipment IPs are showing up with the public IPs? Do you have any suggestions on what I may need to set in the firewall rules? It was set up by an outside consultant and I took it over. I am good with the firewall itself and making modifications, but sometimes need direction on making it more efficient.

LVL 22

Expert Comment

by: eeRoot
ID: 40240496
I would start with checking for rules in the firewall that would be allowing these ports. Also, make sure the servers are fully patched and have up-to-date antivirus software on them. Are these Windows or Linux servers? Either way, there are software tools that can be installed on the server to show what processes are creating network traffic. You might be able to ID the process that is creating this traffic. And contact the IPS vendor for more info on these messages. They should be able to determine if these are incorrect or legitimate warnings.


Author Comment

by: Jennifer
ID: 40246306
Sorry, I said these IPs were my equipment; they are, but they are desktops. All of my servers are Windows servers and are fully patched and up to date on virus/endpoint software. Now, my desktops unfortunately are only as patched as they can be, since I still have more than a handful with XP. I will look at the IPS log of the individual machines and see if there is anything being logged.

Any other tips?

Author Comment

by: Jennifer
ID: 40246314
Just a note: I am using an ASA5510 and Manage Engine NetFlow for the reporting tool.


Author Comment

by: Jennifer
ID: 40258745
Does anyone else have any input on these alerts? I have been reviewing and trying to determine how to adjust. There do seem to be fewer. Here are some I have from yesterday:

invalid src-dst - this one I am really not sure what to do with; there are a bunch of them and they have a bunch of source/destination IPs listed, including my external IPs. How do I fix?
Attached images: invalidsrc-dst.png, invalidsrc-dst-2.png
tcp null port scan - this one concerns me because it is my website's external IP that is the offender. How to fix?
Attached image: nullport.png
possible dos/flash crowd - the offender IPs are both workstations on my network. What is it and how do I fix it?
Attached image: dosflash.png
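The alert families in this thread (eeRoot's first comment on port ranges and internal sources, and the three alerts Jennifer lists above) are all heuristics the IPS computes over flow records, so it helps to see what each one actually keys on. The script below is an added example, not ManageEngine NetFlow Analyzer or Cisco ASA code. It reads a minimal flow record (source, destination, protocol, ports, accumulated TCP flags) and applies one rule per family: a TCP flow with no flags set is what a null scan looks like; source equals destination or an impossible address is a bad src-dst flow; one source touching many ports on one host (vertical) or one port on many hosts (horizontal) is a scan/probe; many distinct sources converging on one service is a DoS/flash crowd. The record layout, the 172.16.0.0/12 internal range, the thresholds and the sample flows are all assumptions constructed for illustration; it also marks whether the offender is internal, because an internal address in the offender column means the traffic originates on one of your own hosts rather than from outside.

```python
"""Heuristic triage of flow records into the alert families discussed in this
thread (scan/probe, TCP null scan, bad src-dst, DoS/flash crowd).

Added example: this is not ManageEngine NetFlow Analyzer or Cisco ASA code. The
record layout, thresholds and address ranges below are assumptions, and the
sample flows are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed internal range; the thread says 172.16.x.x is the poster's LAN.
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/12")]

SYN, ACK = 0x02, 0x10      # TCP flag bits as carried in the NetFlow tcpFlags field
BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    tcp_flags: int = 0  # OR of all flags seen in the flow; 0 on TCP means null packets
    packets: int = 1


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def invalid_src_dst_reason(flow: Flow):
    """Why an IPS would call this flow 'invalid src-dst', or None if it looks sane."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src == dst:
        return "source equals destination (land-style)"
    if src.is_unspecified or src.is_loopback or src.is_multicast or src == BROADCAST:
        return "impossible source address"
    if dst.is_unspecified or dst.is_loopback:
        return "impossible destination address"
    return None


def classify(flows, scan_fanout=20, crowd_sources=10):
    """Return offenders per alert family. Thresholds are assumptions to tune."""
    out = {"bad_src_dst": [], "null_scan": [], "scan_probe": [], "flash_crowd": []}
    ports_per_pair = defaultdict(set)      # (src, dst)   -> destination ports touched
    hosts_per_src_port = defaultdict(set)  # (src, dport) -> destination hosts touched
    srcs_per_target = defaultdict(set)     # (dst, dport) -> distinct sources
    for f in flows:
        reason = invalid_src_dst_reason(f)
        if reason:
            out["bad_src_dst"].append((f.src, f.dst, reason))
        if f.proto == "tcp" and f.tcp_flags == 0:
            # No SYN/ACK/RST/FIN at all is not a real session; an nmap -sN probe looks like this.
            out["null_scan"].append((f.src, f.dst, f.dport))
        ports_per_pair[(f.src, f.dst)].add(f.dport)
        hosts_per_src_port[(f.src, f.dport)].add(f.dst)
        srcs_per_target[(f.dst, f.dport)].add(f.src)
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_fanout:  # one host walking many ports on one target
            out["scan_probe"].append({"src": src, "target": dst, "kind": "vertical",
                                      "count": len(ports), "internal_src": is_internal(src)})
    for (src, dport), dsts in hosts_per_src_port.items():
        if len(dsts) >= scan_fanout:   # one host sweeping many targets on one port
            out["scan_probe"].append({"src": src, "target": f"port {dport}", "kind": "horizontal",
                                      "count": len(dsts), "internal_src": is_internal(src)})
    for (dst, dport), srcs in srcs_per_target.items():
        if len(srcs) >= crowd_sources:  # many sources converging on one service
            out["flash_crowd"].append({"dst": dst, "dport": dport, "sources": len(srcs)})
    return out


def sample_flows():
    """Constructed records; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges."""
    flows = []
    # External host walking ports 1-25 on an internal server (vertical scan).
    flows += [Flow("203.0.113.7", "172.16.1.10", "tcp", 40000 + p, p, SYN) for p in range(1, 26)]
    # Internal workstation sweeping 25 neighbours on TCP/445 (worm-like horizontal scan).
    flows += [Flow("172.16.2.77", f"172.16.3.{i}", "tcp", 1025 + i, 445, SYN) for i in range(1, 26)]
    # TCP flows with no flags at all: one from outside, one from an internal desktop.
    flows.append(Flow("198.51.100.3", "172.16.1.30", "tcp", 51234, 80, 0))
    flows.append(Flow("172.16.2.50", "198.51.100.9", "tcp", 51235, 443, 0))
    # Source equals destination: the classic 'invalid src-dst' case.
    flows.append(Flow("172.16.1.10", "172.16.1.10", "tcp", 139, 139, SYN))
    # Twelve distinct sources hitting the web server at once (flash crowd or DoS).
    flows += [Flow(f"203.0.113.{100 + i}", "172.16.1.20", "tcp", 50000 + i, 80, SYN) for i in range(12)]
    return flows


if __name__ == "__main__":
    for family, hits in classify(sample_flows()).items():
        print(f"{family}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
```

Two caveats when reading real output this way. The bad src-dst rule flags a 0.0.0.0 source, which is what a DHCP client legitimately uses before it has an address, so that family needs tuning before it means anything on a LAN with desktops. And a null-flag TCP flow can also be the tail of a session whose SYN was exported in an earlier flow record, which is why the vendor's own definition of the alert matters more than the heuristic.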
 
LVL 22

Assisted Solution

by: eeRoot
eeRoot earned 400 total points
ID: 40259879
If the source devices are Windows machines, you may want to monitor the network traffic on one of the listed PCs or servers and see if you see any suspicious traffic. And at this point, I would contact ManageEngine and see if they consider these alerts high risk, or if they are informational only or false alerts.


Accepted Solution

by: Jennifer
Jennifer earned 0 total points
ID: 40263835
I have started monitoring the machines more, since I am able to narrow the individual ones down more. I have not contacted Manage Engine, for one because they do list the type of alert that it is.
Thanks for the help. I will just have to search more for a solution.


Author Closing Comment

by: Jennifer
ID: 40272061
My question hasn't really been answered. Between the information here and other information, I have suggestions and ideas; however, it seems as though I am going to have to come up with a solution. So, partial points.
