Is this an Attack?



  • Dear All,
    Lately I've seen a lot of logs on the firewall from this IP, 218.77.79.43:
    block   Jan 18 01:29:40   WAN   218.77.79.43:57651   10.10.10.1:80   TCP:S
    

    and

    block   Jan 18 01:45:56   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:46:20   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:46:49   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:47:54   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:47:58   WAN   192.168.2.254        224.0.0.1         IGMP
    block   Jan 18 01:48:23   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:48:23   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:48:26   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:48:33   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:48:45   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:49:10   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    block   Jan 18 01:49:39   WAN   76.187.41.69:30792   10.10.10.1:6045   UDP
    

    Any suggestions on whether this is a kind of attack or not?


  • Moderator

    https://www.google.ca/search?q=who+is+218.77.79.43&hl=en-US&gws_rd=cr,ssl&ei=Bgu7VJ6jOIWryATfg4KICA

    It's an IP from China.
    If you have any open WAN ports you should enter it in a firewall blocklist.


  • LAYER 8 Global Moderator

    Attack??  It's a few packets of UDP noise..  Why you're seeing it to an RFC1918 address seems a bit strange.. Are you behind a double NAT?

    That is your typical noise, sure as hell is not an attack..  It's already blocked - what are you worried about?  Do you not want it logged?  The internet is a wild wild west of packets, you will see all kinds of shit ;)



  • @johnpoz:

    Attack??  It's a few packets of UDP noise..  Why you're seeing it to an RFC1918 address seems a bit strange.. Are you behind a double NAT?

    That is your typical noise, sure as hell is not an attack..  It's already blocked - what are you worried about?  Do you not want it logged?  The internet is a wild wild west of packets, you will see all kinds of shit ;)

    Thank you for your answer :) and about the kind-of-shit stuff ;)

    Yes, I am behind double NAT:
    ISP Modem >>> pfSense >>> Machines
    I was worried, but with your answer I am not anymore,
    because I've seen on the internet that the IP I mentioned was attacking a lot of sources on the internet.
    Because I am behind double NAT, is it normal behaviour that it is logged on the RFC1918 address?



    Really, you don't need to worry too much about people banging at the doors as long as your pfSense is set up either plain default, which is secure, or otherwise configured properly.

    I'd not ever get worried unless I saw a lot of unexplained outbound bandwidth being used.

    I know people are just forever chewing on my vpn servers, presumably trying to get in.

    As long as they are not having any success, I don't worry over it.  It's bound to happen that people try.  They are bored apparently.


  • LAYER 8 Global Moderator

    The UDP stuff is quite often just torrent noise, your IP was in a swarm maybe - etc..  I sometimes just set up a rule for UDP so it's not logged.

    Here, some hits to telnet..  So what, it's not open, the firewall dropped it as it should..  You're going to see that all day long, all the time.. Unless it's 1,000 or hundreds of thousands of packets a second, who cares ;)




  • @kejianshi:

    Really, you don't need to worry too much about people banging at the doors as long as your pfSense is set up either plain default, which is secure, or otherwise configured properly.

    I'd not ever get worried unless I saw a lot of unexplained outbound bandwidth being used.

    I know people are just forever chewing on my vpn servers, presumably trying to get in.

    As long as they are not having any success, I don't worry over it.  It's bound to happen that people try.  They are bored apparently.

    Thank you so much for your answer, I am trying to understand when they have succeeded / if they have succeeded.
    The only behaviour I am going to notice is a lot of outbound bandwidth being used.
    I'll monitor that from time to time.



  • @Jamerson:

    @kejianshi:

    Really, you don't need to worry too much about people banging at the doors as long as your pfSense is set up either plain default, which is secure, or otherwise configured properly.

    I'd not ever get worried unless I saw a lot of unexplained outbound bandwidth being used.

    I know people are just forever chewing on my vpn servers, presumably trying to get in.

    As long as they are not having any success, I don't worry over it.  It's bound to happen that people try.  They are bored apparently.

    Thank you so much for your answer, I am trying to understand when they have succeeded / if they have succeeded.
    The only behaviour I am going to notice is a lot of outbound bandwidth being used.
    I'll monitor that from time to time.

    @johnpoz:

    The UDP stuff is quite often just torrent noise, your IP was in a swarm maybe - etc..  I sometimes just set up a rule for UDP so it's not logged.

    Here, some hits to telnet..  So what, it's not open, the firewall dropped it as it should..  You're going to see that all day long, all the time.. Unless it's 1,000 or hundreds of thousands of packets a second, who cares ;)

    Thank you for your explanation, as always!
    Appreciate you guys!


  • LAYER 8 Global Moderator

    "I am trying to understand when they have succeeded / if they have succeeded."

    Are you logging passed traffic?  You're not going to see anything in the logs if they get in ;)  But the default rule is BLOCK.. So unless you forwarded traffic - where are they going?



  • @johnpoz:

    "I am trying to understand when they have succeeded / if they have succeeded."

    Are you logging passed traffic?  You're not going to see anything in the logs if they get in ;)  But the default rule is BLOCK.. So unless you forwarded traffic - where are they going?

    Yes, I am logging the passed traffic.
    I mean, if the pfSense has been hacked, is there some behaviour I am supposed to notice?



  • I receive about 19 packets per second 24/7 of blocked traffic on my residential line. You're getting one every tens of seconds. You're very unlikely to get hacked if you block WAN traffic to your web interface. The administrative web server is the biggest liability by far.

    The firewall itself is quite hardened. Anyone with the ability to "hack" the FreeBSD firewall will have much bigger targets to use their 0-day exploit on.



  • @Harvy66:

    I receive about 19 packets per second 24/7 of blocked traffic on my residential line. You're getting one every tens of seconds. You're very unlikely to get hacked if you block WAN traffic to your web interface. The administrative web server is the biggest liability by far.

    The firewall itself is quite hardened. Anyone with the ability to "hack" the FreeBSD firewall will have much bigger targets to use their 0-day exploit on.

    My pfSense is not accessible over the WAN at all;
    the only port facing the WAN is the OpenVPN port, the others are drop/reject.

    Thank you

