yodaa
asked on
Firewall attack
Hi guys,
I noticed this firewall attack today:
Probable TCP Null scan Detected Target Our Public IP initiator 176.31.106.44
Could you help me understand this attack, please?
Thank you.
Doesn't appear to be a firewall attack. The IP belongs to ovh.com. Do you use their services?
ASKER
Hi lockdown,
Hope you are well!
Hmmm, I don't think so.
Okay, so what does it mean? Should I worry?
I would browse their web page (it is safe). They are a cloud provider. Make sure you and your users don't have any of their services. If not, I would say it is safe to ignore.
ASKER
LockDown23
But why does the firewall see this as "Probable TCP Null scan Detected"?
You just asked this back in April, didn't you?
https://www.experts-exchange.com/questions/28937108/Probable-TCP-NULL-scan-detected.html
Looks like there is negative reporting on the IP.
https://www.abuseipdb.com/check/176.31.106.44
But I will not say it is an attack, as it is too early to confirm it, though typically an attacker doing this TCP NULL scan is trying to determine whether ports are closed on the target machine. I would call it a normal firewall alert to draw some attention to the source. It is bad if it gets persistent.
You can try to blacklist it if the source is new to the access, including if the source's origin country is new to you too. You can monitor it for a while to assess any impact and see if it dies off after a short stint, if it is infrequent as a whole.
ASKER
Lock
Yes, that's correct :)
Btan
How should I monitor it? Just by checking the logs more often? We have SonicWALL Analyzer.
You can monitor with a SIEM (or any log aggregator like Kiwi Syslog, or just the FW event list) receiving those alerts, and assess the frequency of its occurrence from day to day. Any huge surge, or a symptom of it increasing, may not be positive if the same source IP keeps persistently scanning the systems.
Hi there,
I believe a null scan is an attempt at a port scan being done on your device:
https://www.plixer.com/blog/scrutinizer/the-null-scan-you%E2%80%99re-being-watched/
Try the stealth mode option in SonicWALL to block the traffic:
https://support.software.dell.com/kb/sw3859
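To make concrete what the plixer link above describes, and btan's remark earlier in the thread that a NULL scan is used to find out which ports are closed, here is an added example that is not part of the original thread and is not SonicWALL's, plixer's or nmap's code. It builds minimal TCP headers with Python's struct module, reads the flags field back out, and classifies the probe the way a firewall's scan detector would: a segment with no control bits set at all is a NULL scan (nmap -sN). The function names, the RFC 793 response rule (a closed port answers RST, an open port stays silent) and the constructed headers are the example's own assumptions; nothing here is sent on the wire.

```python
import struct

# TCP control bits, low byte of the 16-bit data-offset/flags field (RFC 793; ECE/CWR from RFC 3168).
# FIN is the least significant bit.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=1024):
    """Build a minimal 20-byte TCP header (no options, checksum left zero) as a test packet.
    Constructed for this example only; it is never transmitted."""
    data_offset_words = 5                                   # 5 x 32-bit words = 20 bytes
    offset_flags = (data_offset_words << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_flags(header):
    """Return (sport, dport, flags) from the first 14 bytes of a raw TCP header."""
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, offset_flags & 0x1FF               # 9 flag bits incl. NS


def classify_probe(flags):
    """Name the scan type by its flag combination (nmap -sN / -sF / -sX / -sS).
    This is the heuristic behind a 'Probable TCP NULL scan' alert: no bits set at all."""
    bits = flags & 0x3F                                     # ignore NS/ECE/CWR for classification
    if bits == 0:
        return "NULL"
    if bits == FIN:
        return "FIN"
    if bits == FIN | PSH | URG:
        return "XMAS"
    if bits == SYN:
        return "SYN"
    return "other"


def rfc793_response(port_open, flags):
    """Reply an RFC 793-conforming stack sends, which is how the scanner infers port state.
    For a NULL/FIN/XMAS probe (no SYN, no ACK): a closed port answers RST, an open port drops
    the segment silently. For a SYN probe: SYN-ACK if open, RST if closed. ACK probes are not
    modelled. Note that Windows stacks answer RST either way, which makes NULL scans unreliable
    against them (an assumption of this example, stated for context, not verified here)."""
    if flags & SYN:
        return "SYN-ACK" if port_open else "RST"
    return None if port_open else "RST"


def is_null_scan_packet(header):
    """What a firewall's detector checks per segment: flagless TCP is never legitimate traffic."""
    return classify_probe(parse_tcp_flags(header)[2]) == "NULL"


if __name__ == "__main__":
    for name, flags in (("NULL", 0), ("FIN", FIN), ("XMAS", FIN | PSH | URG), ("SYN", SYN)):
        hdr = build_tcp_header(40000, 80, flags)
        print(name, classify_probe(parse_tcp_flags(hdr)[2]),
              "closed->", rfc793_response(False, flags), "open->", rfc793_response(True, flags))
```

The "Probable" in the alert text reflects that the detector only sees the flagless segment, not the scanner's intent; a single malformed packet looks the same as one probe of a sweep, which is why the thread's advice to watch for repetition from the same source is the right follow-up.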
ASKER
Try the stealth mode option in Sonicwall to block the traffic:
I had already activated this setting, so does it mean that it was blocked?
Then ideally block the IP address if you find more hits from it.
ASKER
No more hits.
There were only 2 last week, from the same IP.
Hi there,
So ideally check for a mechanism for alert notifications to your mail ID from SonicWALL, so that you are alerted about incoming hits from this source.
If you still find the IP, block it.
If you do have the logs collected into Kiwi Syslog, there is also a threshold filter for alerting, which can even send email notifications.
Overview: http://www.kiwisyslog.com/help/syslog/index.html?filters_threshold.htm
This filter will trigger only when the preceding filters have been met X times in Y seconds.
The Flags/Counters filters need to be placed after all the other filter types in the rule. This is so the other filters can be processed first.
Details
The Threshold filter is useful when you only want to know about an event when it reaches a certain level. For example, you may receive the occasional message containing the text "port scan detected", but you only want to be alerted to it when it occurs 5 times within a minute. This would indicate that there is someone persistently scanning your network.
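As an added example that is not part of the original thread and is not Kiwi Syslog's or SonicWALL's code, the Python below applies the threshold rule just quoted ("alert only when the event occurs 5 times within a minute") to some constructed log lines, and also produces the day-to-day per-source count btan suggested watching earlier. The key=value syslog layout, field names, timestamps and the second IP address are made up for the example and are not real SonicWALL output. It goes one step beyond the Kiwi filter by keeping the sliding window per source IP, so one persistent scanner is told apart from two isolated hits like the asker's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical key=value syslog style, NOT real SonicWALL output).
# 176.31.106.44: two hits days apart, like the asker's.  198.51.100.7: a burst of six in 25 seconds.
SAMPLE_LOGS = [
    'time="2016-06-07 09:12:03" fw=203.0.113.10 pri=1 msg="Probable TCP NULL scan detected" src=176.31.106.44:54012:X1 dst=203.0.113.10:443:X1',
    'time="2016-06-10 22:41:15" fw=203.0.113.10 pri=1 msg="Probable TCP NULL scan detected" src=176.31.106.44:61290:X1 dst=203.0.113.10:22:X1',
    'time="2016-06-14 10:00:01" fw=203.0.113.10 pri=1 msg="Probable TCP NULL scan detected" src=198.51.100.7:40001:X1 dst=203.0.113.10:21:X1',
    'time="2016-06-14 10:00:05" fw=203.0.113.10 pri=1 msg="Probable TCP NULL scan detected" src=198.51.100.7:40002:X1 dst=203.0.113.10:22:X1',
    'time="2016-06-14 10:00:09" fw=203.0.113.10 pri=1 msg="Probable TCP NULL scan detected" src=198.51.100.7:40003:X1 dst=203.0.113.10:23:X1',
    'time="2016-06-14 10:00:14" fw=203.0.113.10 pri=1 msg="Probable TCP NULL scan detected" src=198.51.100.7:40004:X1 dst=203.0.113.10:25:X1',
    'time="2016-06-14 10:00:20" fw=203.0.113.10 pri=1 msg="Probable TCP NULL scan detected" src=198.51.100.7:40005:X1 dst=203.0.113.10:80:X1',
    'time="2016-06-14 10:00:26" fw=203.0.113.10 pri=1 msg="Probable TCP NULL scan detected" src=198.51.100.7:40006:X1 dst=203.0.113.10:443:X1',
    'time="2016-06-14 10:00:30" fw=203.0.113.10 pri=6 msg="TCP connection dropped" src=198.51.100.7:40007:X1 dst=203.0.113.10:3389:X1',
]

# key=value pairs, where a value is either a double-quoted string or a run of non-blank characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value syslog line into (timestamp, source IP, message text)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    src_ip = fields["src"].split(":")[0]                    # drop the port and interface suffix
    return ts, src_ip, fields["msg"]


def hits_per_source(lines, pattern="null scan"):
    """Frequency view for day-to-day monitoring: matching events per source IP."""
    counts = defaultdict(int)
    for line in lines:
        _ts, src_ip, msg = parse_event(line)
        if pattern in msg.lower():
            counts[src_ip] += 1
    return dict(counts)


def threshold_alerts(lines, pattern="null scan", threshold=5, window_seconds=60):
    """Threshold filter in the Kiwi sense, kept per source IP: raise one alert when the same
    source produces `threshold` matching events within `window_seconds`.
    Returns a list of (src_ip, first_hit, last_hit). Lines are sorted by time first, so
    out-of-order delivery from the collector does not break the window."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    recent = defaultdict(deque)
    alerts = []
    for ts, src_ip, msg in events:
        if pattern not in msg.lower():
            continue
        window = recent[src_ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_seconds):   # slide the window forward
            window.popleft()
        if len(window) >= threshold:
            alerts.append((src_ip, window[0], ts))
            window.clear()                                  # one alert per burst, not per extra hit
    return alerts


if __name__ == "__main__":
    print(hits_per_source(SAMPLE_LOGS))
    for src_ip, first, last in threshold_alerts(SAMPLE_LOGS):
        print(f"ALERT: {src_ip} reached the threshold between {first} and {last}; consider blocking it")
```

On the constructed input, 176.31.106.44 never alerts (two hits three days apart fall outside any one-minute window), while 198.51.100.7 trips the threshold on its fifth hit at 10:00:20; that is the distinction the thread draws between an alert worth ignoring and a source worth blacklisting.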
ASKER
We do not have SIEM software, unfortunately :(