Help me detect and defend in this scenario
-
We are facing a big problem. In the normal scenario, the firewall has about 200Mbps of traffic on the UNSECURED_NETWORK interface. Now it has the same traffic, but very many packets that we don't know anything about (about 200kpps). The network is dead and the active states have increased too much. We made a rule to block any host with:
Max. connections: 20
Max. src. states: 20
Max. src. conn. rate: 20
Max. src. conn. rates: 30s
This rule got 3Gb of data in 3 mins, but only a few IP addresses were blocked (about 10).
http://prntscr.com/ck529b (this image shows the current active states we get)
http://prntscr.com/ck53yv (bandwidth is OK but the network is dead)
UNSECURED_NETWORK is the WAN interface; it is a transparent bridge with SECURED_NETWORK, which is directly connected to servers that have public IP addresses.
http://prntscr.com/ck59pi (we do not have many rules. Basically, we only want a transparent firewall to monitor the network before it reaches the public switch)
We can't detect what type of attack this is, how to block it or how to defend against it. We hope someone can make a suggestion.
Thanks in advance. -
And what is in these packets? What are the source and destination? What is the protocol? You've got to give us more to go on here.
-
We don't know what type these packets are; ntop reports that 40% is HTTP and HTTPS, 20% is unknown... We don't have an IDS system to detect it. The source and destination addresses have many problems:
our network: 125.212.x.x
source network: from all over the world
destination network: 149.56.149.42
You can see here: http://prntscr.com/ck6cjb
The source and destination addresses aren't in our IP address range. I don't understand why they are there.
-
Well, sniff and see. You're saying this 149.56.149.42 is not your IP block? But traffic is being routed to you. I would get with your ISP on why you're seeing traffic to an IP that is not yours.
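Added example, not from the thread or from pfSense: a Python triage of a `tcpdump -nn` capture taken on the UNSECURED_NETWORK side, answering the questions the replies ask (what the packets are, who sends them, where they go) and checking whether per-source limits like those in the first post (max-src-states and max-src-conn-rate of 20) can ever trigger. The capture lines are constructed for the example: 203.0.113.0/24 and 198.51.100.7 are documentation addresses standing in for the unknown sources, 149.56.149.42 and 125.212.0.0/16 are taken from the post, and the interface name `em0` in the suggested pf rule is an assumption (use the real UNSECURED_NETWORK member). The point it demonstrates: when thousands of sources each send only a handful of packets to one destination, a limit of 20 per source never fires, so filtering has to key on the destination (or be pushed upstream to the ISP).

```python
"""Added example: triage a tcpdump-style capture of a packet flood and check
whether per-source state limits (max-src-states / max-src-conn-rate) can fire."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# One IPv4 packet per line, as printed by `tcpdump -nn -i <interface>`.
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d{6}) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
LEN_RE = re.compile(r"length (\d+)")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")

SMALL_PACKET = 64      # payload bytes at or below this count as "small"
PER_SOURCE_LIMIT = 20  # the max-src-states / conn-rate value from the post


def parse_line(line):
    """Return a packet dict (ts, src, dst, dport, length, flags) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    lm = LEN_RE.search(m["rest"])
    fm = FLAGS_RE.search(m["rest"])
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "length": int(lm.group(1)) if lm else 0,
            "flags": fm.group(1) if fm else ""}


def triage(lines, owned_prefixes, per_source_limit=PER_SOURCE_LIMIT):
    """Summarise a capture: rate, dominant destination, source spread,
    packet-size profile, share of traffic to addresses we do not own,
    and whether a per-source limit could ever have triggered."""
    pkts = [p for p in map(parse_line, lines) if p]
    if not pkts:
        raise ValueError("no parsable packets")
    owned = [ip_network(p) for p in owned_prefixes]
    duration = max(p["ts"] for p in pkts) - min(p["ts"] for p in pkts)
    by_dst = Counter(p["dst"] for p in pkts)
    by_src = Counter(p["src"] for p in pkts)
    top_dst, top_n = by_dst.most_common(1)[0]
    srcs_to_top = {p["src"] for p in pkts if p["dst"] == top_dst}
    max_per_src = max(by_src.values())
    n = len(pkts)
    summary = {
        "packets": n,
        "pps": n / duration if duration else float("inf"),
        "top_dst": top_dst,
        "top_dst_share": top_n / n,
        "distinct_sources_to_top_dst": len(srcs_to_top),
        "max_packets_per_source": max_per_src,
        "small_packet_share": sum(p["length"] <= SMALL_PACKET for p in pkts) / n,
        "off_net_share": sum(not any(ip_address(p["dst"]) in net for net in owned)
                             for p in pkts) / n,
        "syn_only_share": sum(p["flags"] == "S" for p in pkts) / n,
        # A per-source limit only bites if some source actually exceeds it.
        "per_source_limit_effective": max_per_src >= per_source_limit,
    }
    if (summary["top_dst_share"] > 0.5 and len(srcs_to_top) > per_source_limit
            and not summary["per_source_limit_effective"]):
        summary["verdict"] = (f"distributed flood to {top_dst}: {len(srcs_to_top)} sources, "
                              f"at most {max_per_src} packets each, so per-source limits of "
                              f"{per_source_limit} never trigger; filter by destination")
    elif summary["per_source_limit_effective"]:
        summary["verdict"] = "a few noisy sources: per-source limits should catch them"
    else:
        summary["verdict"] = "no dominant destination; inspect further"
    return summary


def pf_drop_rule(dst, iface="em0"):
    """pf syntax to drop everything to the flooded host on the WAN-side bridge
    member. The interface name is an assumption for this example."""
    return f"block drop in quick on {iface} from any to {dst}"


def constructed_capture():
    """Constructed sample, not real traffic: 60 single-packet SYN sources hitting
    149.56.149.42:80 within 60 ms, plus three full-size packets from one host
    to a server inside the poster's own 125.212.0.0/16."""
    lines = [f"12:00:00.{i * 1000:06d} IP 203.0.113.{i + 1}.{40000 + i} > 149.56.149.42.80: "
             f"Flags [S], seq {1000 + i}, win 8192, length 0" for i in range(60)]
    for i, ms in enumerate((10, 20, 30)):
        lines.append(f"12:00:00.{ms * 1000:06d} IP 198.51.100.7.{50000 + i} > 125.212.10.10.443: "
                     f"Flags [P.], seq 1:1401, ack 1, win 500, length 1400")
    return lines


if __name__ == "__main__":
    result = triage(constructed_capture(), ["125.212.0.0/16"])
    for key, value in result.items():
        print(f"{key}: {value}")
    print(pf_drop_rule(result["top_dst"]))
```

Run it against a real file with `tcpdump -nn -i <UNSECURED_NETWORK member> -c 20000 > cap.txt` and `triage(open("cap.txt"), ["125.212.0.0/16"])`. A high `off_net_share` with a single `top_dst` outside the owned prefix is exactly the situation in the thread, and a `max_packets_per_source` far below 20 explains why only about ten addresses were ever blocked: the flood is spread too thin per source for those limits to apply.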