Firewall UDP ? Attack !! Or Normal ?
-
@bingo600 said in Firewall UDP ? Attack !! Or Normal ?:
Why would someone "waste" 33Mbit/s bw on attacking you ?
I don't know, I'm just trying to understand what's going on...and why I can't use my IP xD
-
@silence said in Firewall UDP ? Attack !! Or Normal ?:
@bingo600 said in Firewall UDP ? Attack !! Or Normal ?:
Why would someone "waste" 33Mbit/s bw on attacking you ?
I don't know, I'm just trying to understand what's going on...and why I can't use my IP xD
Don't focus too much on it being an attack. It really does appear more likely to be a misconfigured box somewhere else pointing to what is now the "wrong IP" for some data path. And because the traffic is UDP, the sender will have no idea the data is not getting where he wants it. He will just keep sending what he was set up to send. And with UDP that is by design -- the sender just "assumes" the data got there. And by "he", I don't mean a human. I'm thinking a dumb device like maybe a dedicated point-to-point hardware device.
So assuming somebody once had a device configured to send a set of data via UDP to the IP you now have, if that device was not reconfigured to the new IP, it would still be streaming the same stuff to the old IP. Now, like @johnpoz said earlier, you would think someone at the other end of the session would notice things were not right and look into it. But who knows ???
-
@bmeeks
Yes, very thatThe issue will be over if this 'some one' will finally check the logs of his / this device, understand that some cron (?) task somewhere is using hard coded IP or domain name, and it fails now, or at least doesn't do what it should be doing.
He will update his stuff, and the issue will be gone. -
@bmeeks said in Firewall UDP ? Attack !! Or Normal ?:
I don't mean a human.
Totally agree with you, the only problem is because from so many different IPs?
-
@bingo600 @bmeeks @Gertjan @johnpoz @SteveITS
Guys, I bring you a new update, about the case...
During the weekend I am not in the office and I usually have some alerts that help me monitor the service remotely.
Well, this alert appears during Saturday morning.
Today I go back to the office, and when I check my wan (it doesn't work) for some reason it's as if my isp has disconnected me completely. (I already sent the report to my isp and they are evaluating the situation)
but this confirms once again that something is not right in that wan.
-
@silence said in Firewall UDP ? Attack !! Or Normal ?:
Today I go back to the office, and when I check my wan (it doesn't work) for some reason it's as if my isp has disconnected me completely. (I already sent the report to my isp and they are evaluating the situation)
but this confirms once again that something is not right in that wan.Huh? Causality vs. correlation. Because you seem to have strange traffic and now your ISP supposedly has cut you off that confirms anything? That's no troubleshooting or debugging, that is pure guessing and crystal ball reading
I'd check my ISP first to confirm that sth. was amiss on my line and that's why they disconnected me. Could also be just a faulty uplink, problem with the ISP itself etc. etc. All other things are just guesses and no evidence there's something not right on your WAN.
Cheers
-
@bingo600 @bmeeks @Gertjan @JeGr @johnpoz @SteveITS Updates:
Another ip range and another port equal to udp directed to my wan.
I don't want to hear the obvious, I ignore this kind of traffic alright, but what I'm looking for is to come to a conclusion, what are they trying to do?
If anyone has anything, I'm open to hearing.
-
@silence well 2096 is NBX-DIR, what that is used for - not sure.. cpanel something most likely from the info given here
https://www.speedguide.net/port.php?port=2096
-
@silence
Haha u r being hacked cuz of a misconfiguration of your firewall
Ok fair...
So now where are is the rulset and what services r u providing behind your firewallBR
NoPlan -
@noplan but........
The traffic's being..............blocked?
-
@silence what is the dest port? That is source port 2096? For all we know your generating the traffic and not allowing the answer?
I first read it as that was your IP and port.. But your hiding what port they are going to?
-
This post is deleted! -
without knowning what services he is providing behind his firewall to his clients I think we are not able to help him out, especially minding the early posts and informations (VPN inherit IP and traffic and on and on )
the next step for him will be to set up surricata and monitor this inbound WAN traffic on UDP against every avail list for the IDS/IPS system
@deanfourie yes I know that he blocked that UDP Traffic,
but he @Silence never told us what services he is providing behind his firewall so maybe this is traffic is what his clients are requesting but he is blocking (think about 200 clients as he told, so a lot of nasty stuff can happen)until there he provides us with more info lets sing all together ...
I don't practice Santeria, I ain't got no crystal ball .... -
-
@noplan said in Firewall UDP ? Attack !! Or Normal ?:
never told us what services he is providing behind his firewall
It's just my router (I don't have any services behind it)
@johnpoz said in Firewall UDP ? Attack !! Or Normal ?:
I first read it as that was your IP and port.. But your hiding what port they are going to?
destination port were random at that time.
-
@silence
have you checked you LAN ?
found this after 2 sec of looking ...
i checked some of your source IPs ...
for me with lack of coffee at the moment those sources looking like random chatter on the wire
the wired thing is they are trying to get to dest port 1987 ...
so you have to look into iteverything else is guessing
brNP -
-
@silence
So let's wrap it up
There is no attack
Get rid of that stupid rule
Mark the topic as solved
And be aware that none of your clients is going to sue you for faulty security consultingBR NP without coffee
-
-
@noplan said in Firewall UDP ? Attack !! Or Normal ?:
There is no attack
Excellent, I'll mark the issue as resolved, at the end I was informed the office is offline due to ransomware.
In short, if I had something pointing to my wan trying to achieve this, and in the end I achieved it in one way or another. But hey, none of this doesn't matter.
NOTE: Never see massive noise as normal noise