Bombarded on random ports, but then, I can make them stop

Shot in the dark in case anyone else has seen this...
Example from last night: My syslogger alerts me to an unusual amount of Unhandled External Packets. I log in to the Firebox to see random non-US IP addresses attempting to come in on port 49558 (a few days ago it was port 55082), both TCP/UDP. I add a policy from Any to SNAT(external->192.168.108.8), clear "Send a Log Message" to quiet my syslogger, and in less than 6 hours, the bombardment stops. The 192.168.108.8 address is my non-used internal IP I've reserved for nothing to use. Could be coincidence, but this has been happening weekly for months. Sometimes I'll let it go for days, then I'll forward external traffic from whatever high-number random port to my non-used internal IP address, and the attack stops within hours. I can almost guarantee this will happen again within the next few days on a different port number.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @pkokkinis

    The firewall can deny the traffic, but it won't be able to do anything about them coming to your firewall in the first place. If you'd like to stop them completely, it may be worth contacting your ISP to see if they can help. If they have a geolocation service (for example) they can stop the traffic before it even arrives at your firewall.

    -James Carson
    WatchGuard Customer Support

  • Hi James. Thanks for the reply!
    I'm saying something else unfortunately...
    I've noticed the attacks coming in and stopping within hours when I forward them to a non-existent IP vs I do nothing and they persist for days. I've been brushing this off as a coincidence, but there's a positive correlation there. Why? I don't know. It's not like this unsolicited traffic knows when it's being forwarded to a non-existent IP and knows when it's simply being dropped by the Firebox. The next attack is due by Tuesday (maybe Wednesday at the latest). I'll let that one run until it stops on its own to mark the duration.
