yodaa asked:
Probable TCP NULL scan detected
Hi
I have noticed one alert on my SonicWALL:
Security Services - Alert- Probable TCP NULL scan detected - Notes(TCP flags: None) - Src IP 46.7.132.23 (it seems that UPC Ireland) Src port 52784- src Int. X2 Dst IP my External IP- dst Port 443
Should I worry?
Why are they scanning my ports?
Could you help me and explain this alert please.
thank you
ASKER
Thank you John for the quick response.
My company is based in Ireland, but my ISP is different from UPC.
But the question is: should I worry?
It depends on the intent and persistence of the source conducting this sort of scan. Typically it is common for internet assets to be scanned, and the FW can just blacklist the IP that has ill intent to scan the target destination for open ports and services so that attempts to connect remotely can allow them access into the company's internal network or systems for further penetration.
If the IP is unknown and to you serves no reason for triggering such a string of alerts, block it. Note that the source IP may be proxied and not be the actual true source. So make sure to monitor it first before (and after blocking, until concluding it is a blacklisted source for the long term).
If the IP and its event are known and insignificant, as in the once-in-a-blue-moon type, then monitor for any recurrence and aggressive attempts at such scans, and even attempts with different scan types. If the scan type varies, likely an automated tool is being used. I recommend it be blocked eventually.
Overall, blacklisting an IP does not necessarily stop scans. But err on the safe side and block it, on account of its being rare and there being (or there should be) no dealings with that source and country.
In this case I would not worry as port scans occur all over the world all the time. The important thing for you from a security standpoint is to do the following:
1) Keep your firewall firmware up to date
2) Only allow ports open on your firewall (especially inbound) for services/people that need access to your network. Be as restrictive as possible without hindering your network operation.
3) If you see a large amount of traffic hitting your firewall from a suspicious location that you don't recognize, block it. Worst case you will get a phone call from a user that can't access something on your network.
ASKER
btan
What do you mean by that "If the IP is unknown" ?
An IP originating from places not known to you or not commonly seen in company exchanges. For example: origin geolocation, no past known business transaction intent, poorly reputed sources, etc. You can also check through the past two to three months of logs for such an IP, and if this is the first instance, you can monitor first as suggested in my last post.
So far this source seems to be known for doing spam, hacks and portscans, though it is not in any common blacklist (yet).
http://dnswhois.info/46.7.132.23
http://www.ipvoid.com/scan/46.7.132.23/
I slightly disagree. While there are some great answers here, I would probably be more alert if the IP is "known".
What I mean by that is, if it's an unknown IP just port scanning, then that is quite normal on the internet today. But on the other hand, if you are getting port scanned (a null scan in this case, most likely an intended scan) by an IP which belongs to a company you've done business with, then that is very interesting. But then we're getting into things more non-technical (why do they have an interest in your company, and why did they go through the effort of all this information gathering (conducting business, port scanning)).
But as to your question WHY they are scanning your ports, only they will truly know why.
ASKER
Thank you guys for the help.
John, Btan
Could you guide me on how to block this address on SonicWALL?
Could you guide me on how to monitor this "traffic hitting your firewall"? Which section should I look in?
Also, I cannot go back through the last 3 months of logs, hmm, only 24 hours.
ASKER CERTIFIED SOLUTION
On the Sonicwall -
Firewall > Access Rules
Click Add rule
Action - Deny
From - LAN
To - WAN
Destination > Create New Network
Assign a Name for the IP/Site
Zone Assignment - WAN
Type - Host or network if you want to block the entire IP range
Enter the IP of the site or network range
Click OK and then click Add
You could also block IPs by country on the Sonicwall as well. Here is a video on how to do that.
https://www.youtube.com/watch?v=DA6amYsJBGo
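Added example (written for this page, not code from the thread or from SonicWALL): what the alert's "TCP flags: None" actually means, and the monitoring rule btan and John describe (once-off probe: watch it; repeated hits or several scan types from one source: block it) run over some log lines. A NULL scan is a TCP segment with none of FIN/SYN/RST/PSH/ACK/URG set; per RFC 793 a closed port answers RST and an open port stays silent, which is why the scanner sends it, and why the result is unreliable against stacks that RST everything regardless. The sample alert lines are constructed in the shape of the question's alert text with a timestamp prepended; 46.7.132.23 is the source from the question, the other addresses are RFC 5737 documentation ranges, and the 24-hour window and 3-hit threshold are assumed values, not SonicWALL settings.

```python
"""Decode TCP flag probes and triage SonicWALL-style scan alerts per source."""
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def make_tcp_header(src_port, dst_port, flags):
    """Build a minimal 20-byte TCP header (no options) carrying `flags`."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    # seq=0, ack=0, data offset 5 words (0x50), window 1024, cksum 0, urgptr 0
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, bits,
                       1024, 0, 0)


def tcp_flags(header):
    """Return the classic six flag names set in a raw TCP header (byte 13)."""
    bits = header[13] & 0x3F
    return frozenset(n for n, b in FLAG_BITS.items() if bits & b)


def classify_probe(flags):
    """Name the probe by its flag combination (nmap -sN/-sF/-sX/-sS/-sA)."""
    flags = frozenset(flags)
    if not flags:
        return "NULL"            # no flags at all: the case in the alert
    if flags == {"FIN"}:
        return "FIN"
    if flags == {"FIN", "PSH", "URG"}:
        return "XMAS"
    if flags == {"SYN"}:
        return "SYN"
    if flags == {"ACK"}:
        return "ACK"
    return "OTHER"


# Matches lines shaped like the alert in the question, with a timestamp first.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*Probable TCP (?P<scan>\w+) scan detected.*"
    r"Src IP (?P<src>\d+\.\d+\.\d+\.\d+).*dst Port (?P<dport>\d+)")

# Constructed sample alerts (not real log output).
SAMPLE_ALERTS = """\
2015-06-01 10:02:11 Security Services - Alert- Probable TCP NULL scan detected - Notes(TCP flags: None) - Src IP 46.7.132.23 Src port 52784- src Int. X2 Dst IP 192.0.2.1- dst Port 443
2015-06-01 10:02:12 Security Services - Alert- Probable TCP FIN scan detected - Notes(TCP flags: FIN) - Src IP 203.0.113.9 Src port 40001- src Int. X2 Dst IP 192.0.2.1- dst Port 22
2015-06-01 10:02:13 Security Services - Alert- Probable TCP XMAS scan detected - Notes(TCP flags: FIN PSH URG) - Src IP 203.0.113.9 Src port 40002- src Int. X2 Dst IP 192.0.2.1- dst Port 22
2015-06-01 10:02:14 Security Services - Alert- Probable TCP NULL scan detected - Notes(TCP flags: None) - Src IP 203.0.113.9 Src port 40003- src Int. X2 Dst IP 192.0.2.1- dst Port 22
2015-06-03 08:00:00 Security Services - Alert- Probable TCP NULL scan detected - Notes(TCP flags: None) - Src IP 198.51.100.7 Src port 51000- src Int. X2 Dst IP 192.0.2.1- dst Port 443
"""


def parse_alerts(text):
    """Extract timestamp, scan type, source IP and destination port per line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                        "scan": m["scan"], "src": m["src"],
                        "dport": int(m["dport"])})
    return out


def triage(alerts, window=timedelta(hours=24), min_hits=3):
    """Per source: 'block' if it used more than one scan type or produced
    min_hits alerts inside `window`; otherwise 'monitor' (a once-off probe)."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    verdict = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        kinds = {e["scan"] for e in evs}
        burst = max(sum(1 for e in evs if 0 <= (e["ts"] - first["ts"]).total_seconds()
                        <= window.total_seconds()) for first in evs)
        verdict[src] = "block" if len(kinds) > 1 or burst >= min_hits else "monitor"
    return verdict


if __name__ == "__main__":
    hdr = make_tcp_header(52784, 443, set())
    print("flags:", sorted(tcp_flags(hdr)), "->", classify_probe(tcp_flags(hdr)))
    for src, action in triage(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src:15} {action}")
```

With the sample above the single NULL probe from 46.7.132.23 comes out as "monitor", while 203.0.113.9, which sent FIN, XMAS and NULL probes within seconds, comes out as "block": varying scan types in a short window is the automated-tool pattern btan describes. Real SonicWALL log lines differ in format from the constructed ones, so adjust ALERT_RE to the exported syslog before relying on it, and note that a scanner can spoof or proxy its source address, so a 24-hour log retention (as the asker has) only shows bursts, not slow, repeated probing.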