Proxy Attack?

I review the Dimension logs every morning when I get to the office. This morning, I think that I uncovered an attempted Proxy Attack. All the activity is on port 80 and starts with an apparent connection to http://azenv.net, which is not associated with my public IP address. There is a later attempt to go to http://www.google.com:443. All of these packets are allowed by the Firebox.

The reason for the 203.0.113.10 addresses is that the DMZ firewall is behind another one. The source IP address, 20.185.221.226, is Microsoft.

Here are the log entries for the three-second period:

2020-07-29 03:36:40 FWAllow, Allowed, pri=4, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, dst_ip_nat=172.30.78.7, src_intf=0-External, dst_intf=3-DMZ, rc=100, pckt_len=52, ttl=105, pr_info=offset 8 S 2103205826 win 32, 3000-0148, geo_src=USA

2020-07-29 03:36:40 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=525, proxy_act=HTTP-Server.Standard.WEB, rcvd_bytes=12003, sent_bytes=172, elapsed_time=0.005369 sec(s); op=GET, dstname=azenv.net, arg=/, 1AFF-0024, src_ctid=ffff8008734bf900; dst_ctid=ffff8008734bf900; out_port=60255; srv_ip=172.30.78.7; srv_port=80, geo_src=USA

2020-07-29 03:36:40 ProxyMatch, ProxyAvScan: HTTP Content Type match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=599, proxy_act=HTTP-Server.Standard.WEB, rule_name=Default, content_type=text/html, 1AFF-0018, geo_src=USA

2020-07-29 03:36:40 ProxyMatch, ProxyAllow: HTTP header match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=590, proxy_act=HTTP-Server.Standard.WEB, header=Proxy-Connection: Keep-Alive\x0d\x0a, rule_name=Default, 1AFF-001B, geo_src=USA

2020-07-29 03:36:40 ProxyMatch, ProxyAllow: HTTP header match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=590, proxy_act=HTTP-Server.Standard.WEB, header=Host: azenv.net\x0d\x0a, rule_name=Default, 1AFF-001B, geo_src=USA

2020-07-29 03:36:40 ProxyMatch, ProxyAllow: HTTP header match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=590, proxy_act=HTTP-Server.Standard.WEB, header=User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0\x0d\x0a, rule_name=Default, 1AFF-001B, geo_src=USA

2020-07-29 03:36:40 ProxyMatch, ProxyReplace: HTTP Content Action redirect, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=591, proxy_act=HTTP-Content.Standard.CNWeb, 1AFF-003A, redirect_action=HTTP-Server.Standard.WEB; srv_ip=172.30.78.7; srv_port=80, geo_src=USA, client_ssl=NONE; server_ssl=NONE

2020-07-29 03:36:40 ProxyMatch, ProxyReplace: HTTP Request content match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=591, proxy_act=HTTP-Content.Standard.CNWeb, rule_name=Default, dstname=azenv.net, arg=/, 1AFF-003B, srv_ip=172.30.78.7; srv_port=80; redirect_action=HTTP-Server.Standard.WEB, geo_src=USA

2020-07-29 03:36:42 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=525, proxy_act=HTTP-Content.Standard.CNWeb, rcvd_bytes=0, sent_bytes=91, elapsed_time=0.000266 sec(s); op=CONNECT, dstname=www.google.com:443, arg=, 1AFF-0024, src_ctid=ffff8008734bf480; dst_ctid=ffff8008734bf480; out_port=60707; srv_ip=172.30.78.7; srv_port=80, geo_src=USA

2020-07-29 03:36:42 ProxyMatch, ProxyDeny: HTTP request method match, pri=6, disp=Deny, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=595, proxy_act=HTTP-Content.Standard.CNWeb, method=CONNECT, rule_name=Default, 1AFF-001A, geo_src=USA

2020-07-29 03:36:43 FWAllow, Allowed, pri=4, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, dst_ip_nat=172.30.78.7, src_intf=0-External, dst_intf=3-DMZ, rc=100, pckt_len=52, ttl=106, pr_info=offset 8 S 2129274828 win 32, 3000-0148, geo_src=USA

There is no other activity from this IP address on port 80 or port 443.

A few questions:
1. What is src_ctid=ffff8008734bf480; dst_ctid=ffff8008734bf480?
2. Was this attack successful or was it just a probe?
3. Any other thoughts?

Adrian from Australia
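An added triage example, not part of the original post and not WatchGuard code: it parses log lines in the layout shown above and flags the two things a forward-proxy probe looks like from a web server's point of view, a request whose Host/dstname is a site the server does not publish, and a CONNECT tunnel request, plus the Proxy-Connection header a client only sends when it thinks it is talking to a proxy. The sample input reuses four of the quoted lines and adds one constructed benign request; OWN_HOSTNAMES and the key=value regex are my assumptions about the server and the log format, not documented WatchGuard behaviour.

```python
import re
from collections import defaultdict

# Hostnames the DMZ web server legitimately answers for (assumed for this
# example; substitute the names actually published for the server).
OWN_HOSTNAMES = {"www.example.com", "example.com"}

# Sample input: four lines quoted from the post plus one constructed benign
# request from a documentation address (198.51.100.7) for comparison.
SAMPLE_LOG = r"""
2020-07-29 03:36:40 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=525, proxy_act=HTTP-Server.Standard.WEB, rcvd_bytes=12003, sent_bytes=172, elapsed_time=0.005369 sec(s); op=GET, dstname=azenv.net, arg=/, 1AFF-0024, src_ctid=ffff8008734bf900; dst_ctid=ffff8008734bf900; out_port=60255; srv_ip=172.30.78.7; srv_port=80, geo_src=USA
2020-07-29 03:36:40 ProxyMatch, ProxyAllow: HTTP header match, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60255, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=590, proxy_act=HTTP-Server.Standard.WEB, header=Proxy-Connection: Keep-Alive\x0d\x0a, rule_name=Default, 1AFF-001B, geo_src=USA
2020-07-29 03:36:42 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=525, proxy_act=HTTP-Content.Standard.CNWeb, rcvd_bytes=0, sent_bytes=91, elapsed_time=0.000266 sec(s); op=CONNECT, dstname=www.google.com:443, arg=, 1AFF-0024, src_ctid=ffff8008734bf480; dst_ctid=ffff8008734bf480; out_port=60707; srv_ip=172.30.78.7; srv_port=80, geo_src=USA
2020-07-29 03:36:42 ProxyMatch, ProxyDeny: HTTP request method match, pri=6, disp=Deny, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=20.185.221.226, src_port=60707, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=595, proxy_act=HTTP-Content.Standard.CNWeb, method=CONNECT, rule_name=Default, 1AFF-001A, geo_src=USA
2020-07-29 03:40:01 ProxyHTTPReq, HTTP request, pri=6, disp=Allow, policy=HTTP-proxy.WebServer-00, protocol=http/tcp, src_ip=198.51.100.7, src_port=51000, dst_ip=203.0.113.10, dst_port=80, src_intf=0-External, dst_intf=3-DMZ, rc=525, proxy_act=HTTP-Server.Standard.WEB, rcvd_bytes=0, sent_bytes=300, elapsed_time=0.001000 sec(s); op=GET, dstname=www.example.com, arg=/index.html, 1AFF-0024, src_ctid=0; dst_ctid=0; out_port=51000; srv_ip=172.30.78.7; srv_port=80, geo_src=AUS
"""

# "<timestamp> <message type>, <description>, <key=value pairs...>"
HEADER_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+), ([^,]+), (.*)$")
# Pairs are separated by ", " or "; "; a value runs until the next "key="
# or a bare message id such as 1AFF-0024. Values may themselves contain
# ':' or ';' (the User-Agent header does), so a plain split is not enough.
KV_RE = re.compile(r"(\w+)=(.*?)(?=[,;] (?:\w+=|[0-9A-F]{4}-[0-9A-F]{4}\b)|$)")


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, msg, text, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    fields.update(timestamp=ts, msg=msg, text=text)
    return fields


def proxy_indicators(fields):
    """Return the forward-proxy indicators present in one parsed event."""
    hits = []
    if fields.get("msg") == "ProxyHTTPReq":
        host = fields.get("dstname", "").split(":")[0].lower()
        if fields.get("op") == "CONNECT":
            hits.append("CONNECT tunnel to " + fields.get("dstname", ""))
        elif host and host not in OWN_HOSTNAMES:
            hits.append("request for foreign host " + host)
    elif fields.get("msg") == "ProxyMatch":
        if fields.get("header", "").lower().startswith("proxy-connection:"):
            hits.append("Proxy-Connection header (client expects a proxy)")
        if fields.get("method") == "CONNECT" and fields.get("disp") == "Deny":
            hits.append("CONNECT denied by request-method rule")
    return hits


def summarize(log_text):
    """Group indicators per source IP and note whether anything was denied."""
    per_src = defaultdict(lambda: {"indicators": [], "any_denied": False})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        for indicator in proxy_indicators(fields):
            entry = per_src[fields["src_ip"]]
            entry["indicators"].append((fields["timestamp"], indicator, fields.get("disp")))
            if fields.get("disp") == "Deny":
                entry["any_denied"] = True
    return dict(per_src)


if __name__ == "__main__":
    for src, entry in summarize(SAMPLE_LOG).items():
        print(src, "denied at least once" if entry["any_denied"] else "never denied")
        for ts, indicator, disp in entry["indicators"]:
            print("  ", ts, disp, indicator)
```

Run against the sample, the probing address collects four indicators (foreign host, Proxy-Connection header, CONNECT tunnel, CONNECT denied) while the constructed benign request for one of the server's own names produces none; the per-event disp values tell you which of those requests the proxy actually forwarded. Extending OWN_HOSTNAMES is the main tuning knob, and because the regex only covers the layout visible above, check a day's worth of real lines for parse failures before relying on it.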
