I'm getting this alert from the UTM 9 firewall:
Advanced Threat Protection
A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name....: C2/Generic-A
Time...........: 2019-04-10 07:49:07
Traffic blocked: yes
Source IP address or host: 126.96.36.199
Here is the ATP Entry:
2019/04/aptp-2019-04-09.log.gz:2019:04:09-23:39:29 utmho ulogd: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth4" threatname="C2/Generic-A" srcmac="00:10:36:00:59:09" dstmac="00:1a:8c:58:b0:74" srcip="188.8.131.52" dstip="184.108.40.206" proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="5060" dstport="59643" tcpflags="ACK RST"
I'm not sure what to make of it, as neither IP address is a private address on the network and it was detected on eth4, which is the ISP.
The other information that is making me look at this more seriously is the dstip 220.127.116.11 has been banging against the firewall for about 30 days with no success.
I'm hoping someone can help me unravel what/why is going on.
I am seeing the same thing, with a source in our ISP block of addresses to destination 18.104.22.168. Anyone have any information?
In reply to Donna Hoffman:
I'm seeing the same as well. Our external WAN address as the source and 22.214.171.124 as the destination.
In reply to PeterWeston:
Hi Peter and Donna and welcome to the UTM Community!
According to https://centralops.net/co/DomainDossier.aspx, 126.96.36.199 reverse resolves to an FQDN on the packet.tel domain. You can email firstname.lastname@example.org to ask packet.tel to stop scanning your public subnets.
Cheers - Bob
In reply to BAlfson:
We have the same ATP messages from the same IP. It seems like packet.tel is doing massive SCTP scanning.
What I do not get, and hopefully you can help me understand... why do I get an ATP message from the firewall with my ISP router and my network and broadcast addresses as source?
How I understand ATP is that it blocks if a local machine tries to connect to a malicious IP.
Here it seems like the questionable IP is doing an SCTP scan... from the outside... Why does the firewall react like it does?
Maybe it is obvious, but right now I am a bit lost.
In reply to stu:
Hello Stu - your first post here - welcome to the UTM Community!
Packet.tel is not a threat. They scan the internet to provide statistics about how many ports are open - that's all I know about them.
The firewall responds to the scan, but ATP blocks its response because, for a reason I don't know, this packet.tel IP is on the list of malicious actors. See Rule #2.1 in Rulz.
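The explanation above (the firewall's own reply to an external probe gets dropped because the remote address is on the ATP list, rather than an internal host calling out) can be checked mechanically against the ulogd line. The following is an added example, not code from the thread or from Sophos: it parses the key="value" fields of the ATP entry quoted earlier in the thread and classifies the drop. It assumes, as the original poster states, that eth4 is the ISP-facing interface, and that the field names (initf, srcip, dstip, tcpflags) are as they appear in that line; the second, internal-host line is constructed for contrast.

```python
import ipaddress
import re
from typing import Dict

# ATP log entry quoted in the thread above (copied as-is, not constructed)
SAMPLE_LOG = (
    '2019:04:09-23:39:29 utmho ulogd: id="2022" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" '
    'initf="eth4" threatname="C2/Generic-A" srcmac="00:10:36:00:59:09" '
    'dstmac="00:1a:8c:58:b0:74" srcip="188.8.131.52" dstip="184.108.40.206" '
    'proto="6" length="40" tos="0x00" prec="0x00" ttl="60" srcport="5060" '
    'dstport="59643" tcpflags="ACK RST"'
)

# Constructed for contrast: an RFC1918 host opening a new TCP connection outbound
INTERNAL_LOG = (
    '2019:04:10-07:49:07 utmho ulogd: id="2022" severity="info" sys="SecureNet" '
    'sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" '
    'initf="eth0" threatname="C2/Generic-A" srcip="192.168.1.10" '
    'dstip="184.108.40.206" proto="6" srcport="51000" dstport="443" tcpflags="SYN"'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP", "132": "SCTP"}  # IANA numbers


def parse_ulogd(line: str) -> Dict[str, str]:
    """Split a ulogd line into its key="value" fields; the leading timestamp/host
    before ' ulogd: ' is kept under 'prefix'."""
    fields = dict(KV_RE.findall(line))
    fields["prefix"] = line.split(" ulogd: ", 1)[0]
    return fields


def classify_atp_drop(fields: Dict[str, str], wan_ifaces=("eth4",)) -> str:
    """Decide what kind of traffic ATP dropped.

    - internal_host_initiated: a private (RFC1918) source reached out to a listed
      address; this is the case ATP is meant for and the host should be examined.
    - firewall_reply_to_external_probe: a public source on the WAN-facing interface
      sending RST without SYN, i.e. the firewall answering a scan, and the listed
      address is the remote one.
    - review: anything else.
    """
    src = ipaddress.ip_address(fields["srcip"])
    flags = set(fields.get("tcpflags", "").split())
    if src.is_private:
        return "internal_host_initiated"
    if fields.get("initf") in wan_ifaces and "RST" in flags and "SYN" not in flags:
        return "firewall_reply_to_external_probe"
    return "review"


def triage(line: str, wan_ifaces=("eth4",)) -> Dict[str, str]:
    """Parse one ATP line and return the facts an analyst needs: the verdict, the
    remote address that matched the threat list, and the protocol name."""
    f = parse_ulogd(line)
    return {
        "verdict": classify_atp_drop(f, wan_ifaces),
        "threatname": f.get("threatname", ""),
        "remote_ip": f["dstip"],  # the address to look up / report in both verdicts
        "proto": PROTO_NAMES.get(f.get("proto", ""), f.get("proto", "")),
        "when": f["prefix"].split(" ", 1)[0],
    }


if __name__ == "__main__":
    for line in (SAMPLE_LOG, INTERNAL_LOG):
        print(triage(line))
```

For the quoted entry this yields the verdict `firewall_reply_to_external_probe` with remote address 184.108.40.206 and protocol TCP (proto 6), matching the explanation above; the constructed internal line yields `internal_host_initiated`, the case where the source host itself warrants a look.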
I've got the same alerts on a customer's UTM.
I've sent an email to email@example.com and will let you know if they exclude the IP range.