DoS attack

I have been receiving security alert messages from our firewall nearly every day, e.g.:

TCP Packet - Source:144.120.8.89,39341 Destination:192.168.1.1,25 - [DOS]
TCP Packet - Source:210.7.0.36,3473 Destination:210.7.12.23,135 - [DOS]
Thu, 2006-10-19 16:30:03 - UDP Packet - Source:192.168.1.111,1443 Destination:202.62.124.238,53 - [Any(ALL) match]

Can someone help me? Thanks in advance, Wanz.

Answer Wiki


Wanz hello,

The first message means a public IP address (could be from any one of various registries) is trying to send a packet to a private IP address in your organization, on port 25 (SMTP). This does not necessarily indicate a DoS attack, and if the firewall is blocking the packet then it’s OK.

The second message means a public IP address is trying to send a packet to another public IP address, in port 135. Microsoft’s DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN’s UNIX use of port 111. The SCM server running on the user’s computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine. Port 135 is certainly not a port that needs to be, or should be, exposed to the Internet. Hacker tools such as “epdump” (Endpoint Dump) are able to immediately identify every DCOM-related server/service running on the user’s hosting computer and match them up with known exploits against those services.

The third message means a private IP address in your organization is trying to send a packet to a public IP address, on port 53 (DNS). This does not necessarily indicate a DoS attack, and can indicate a simple DNS query. I can recommend opening port 53 UDP (for DNS queries) ONLY to the DNS servers you use (internal or external) in your organization.

Hope I helped…
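To make the reasoning in the answer above repeatable, here is an added Python example (not code from the thread or from any firewall vendor) that parses log lines in the format Wanz quoted, classifies each packet by direction using the RFC 1918 private ranges, and applies the checks discussed: an inbound packet addressed to a private IP, port 135 reachable from outside, and UDP/53 going anywhere other than your own resolvers. The sample lines are the three from the question; the `APPROVED_DNS_SERVERS` set and the severity labels are assumptions for illustration, and the log-line regex is written for the quoted format only.

```python
import ipaddress
import re

# Constructed sample input: the three entries quoted in the question.
SAMPLE_LOG = """\
TCP Packet - Source:144.120.8.89,39341 Destination:192.168.1.1,25 - [DOS]
TCP Packet - Source:210.7.0.36,3473 Destination:210.7.12.23,135 - [DOS]
Thu, 2006-10-19 16:30:03 - UDP Packet - Source:192.168.1.111,1443 Destination:202.62.124.238,53 - [Any(ALL) match]
"""

# Optional timestamp, protocol, source/destination IP+port, and the matched rule in brackets.
LINE_RE = re.compile(
    r"^(?:(?P<ts>.+?) - )?(?P<proto>TCP|UDP) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[(?P<rule>[^\]]+)\]$"
)

SERVICE_NAMES = {25: "SMTP", 53: "DNS", 135: "MS-RPC endpoint mapper (DCOM)"}

# Assumed allow-list of resolvers; replace with the DNS servers your organisation actually uses.
APPROVED_DNS_SERVERS = {ipaddress.ip_address("202.62.124.238")}


def parse_line(line):
    """Parse one firewall alert line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"],
        "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "rule": d["rule"],
    }


def direction(entry):
    """Classify the flow from the private/public status of each endpoint."""
    src_private, dst_private = entry["src"].is_private, entry["dst"].is_private
    if not src_private and dst_private:
        return "inbound (public -> private)"
    if src_private and not dst_private:
        return "outbound (private -> public)"
    if src_private and dst_private:
        return "internal (private -> private)"
    return "transit (public -> public)"


def assess(entry):
    """Return (severity, reason) using the checks from the answer; severities are assumed labels."""
    dport, dirn = entry["dport"], direction(entry)
    if dirn.startswith("inbound") and entry["rule"] == "DOS":
        # A packet for an RFC 1918 address should not arrive on the external interface at all;
        # if it does, look for a misconfigured router upstream. Blocked is otherwise fine.
        return ("review", f"inbound packet to private {entry['dst']}; check for a misconfigured "
                          "router if this was seen on the outer interface")
    if dport == 135:
        return ("review", "port 135 (DCOM endpoint mapper) must not be reachable from the Internet; "
                          "confirm the firewall dropped it")
    if dport == 53 and entry["proto"] == "UDP":
        if entry["dst"] in APPROVED_DNS_SERVERS:
            return ("info", "ordinary DNS query to an approved resolver")
        return ("review", f"DNS query to unapproved resolver {entry['dst']}; "
                          "restrict UDP/53 to your own DNS servers")
    service = SERVICE_NAMES.get(dport, "unknown")
    return ("info", f"{entry['proto']} to port {dport} ({service}) matched rule [{entry['rule']}]")


def triage(log_text):
    """Parse every line and attach a direction and assessment; unparseable lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity, reason = assess(entry)
        rows.append({"entry": entry, "direction": direction(entry),
                     "severity": severity, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        e = row["entry"]
        print(f"{row['severity']:6} {row['direction']:28} {e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']}  {row['reason']}")
```

Run against the three quoted lines, the script flags the first two for review and rates the DNS query as routine, which matches the thread's conclusion; feed it a day's worth of alerts and the `review` rows are the ones worth the investigation time Dave recommends below.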

Discuss This Question: 7 Replies

  • PeteW
    The Destination:192.168.1.1 is for Netgear Routers. Not sure of the significance in this instance
    100 points
  • Chippy088
    You obviously need to locate the device with the IP address of the source/target private address, and find out what the user was doing at the time stated in the report. Easy to do if the IP addresses are all static, harder to do if they are dynamic addresses. If they are dynamic, then providing the time they are valid is more than a few days, you could interrogate the DHCP router for their MAC addresses, and watch the traffic for a few days to see if there is a pattern. I have to agree with celtic, it doesn't necessarily mean a DoS attack; it could simply be an ACL rule that is blocking the traffic, as celtic suggested. If it is bothering you, you should investigate further. The time spent won't be wasted, as it will give you a more in-depth view of your internal network. Dave
    4,625 points
  • petkoa
    Hi, I'd be mostly worried about the first hit: TCP Packet - Source:144.120.8.89,39341 Destination:192.168.1.1,25 - [DOS]. You should never get packets on your outer interface to private destination 192.168.1.1, unless there is a misconfigured router in your nearest proximity, that means yours or your ISP's router... Considering the second and third hits, I will agree with Celtic - they are probably not a problem at all. Good luck, Petko
    3,120 points
  • Chippy088
    Doesn't the line TCP Packet - Source:144.120.8.89,39341 Destination:192.168.1.1,25 - [DOS] indicate that the Source:144.120.8.89,39341 has an address translation (39341) session originated from the private address?
    4,625 points
  • petkoa
    Hi, Dave. I don't see why using port 39341 means that an address-translation session is initiated. I'd rather suppose an address translation in the second line: TCP Packet - Source:210.7.0.36,3473 Destination:210.7.12.23,135 - [DOS], where some private IP from one subnet is routed through a NATting device to a second subnet in the same organization, and because port 135 is a "well-known hacking port", whatever it means, the firewall is stopping the packet. Well, if these records are caught on the internal interface of the firewall, then there is a second explanation - somebody took a laptop with a static primary network configuration (144.120.8.89) into the LAN with private-range IPs - but then nameserver and gateway settings should not work. Or the third one (really a more probable variant of the 2nd) - they have a "mixture" of private and public IPs on the same LAN, private using NAT and public using routing - a pretty bad idea, but it happens. In this case they should re-configure the firewall to allow these connections and not to complain about them. BR, Petko
    3,120 points
  • Creativenutt
    I didn't get a word of whatever you all have discussed, though I am facing the same problem.
    10 points
  • petkoa
    Hi, Creative... The bottom line, as I see it, is that probably no one is attacking Wanz's firewall. Just some "false positives"; you have a lot of them on any firewall / IDS, however low you set the sensitivity. At least all the time you will have some late response packets, which will miss the period during which a firewall is keeping their connection open and waiting... BR, Petko
    3,120 points