
Any experience with an excessive number of ThunderVPN hits?

I recently set up a new XG firewall at our main branch location in order to assist with IPS and application control service.   I am currently using the "Block high risk (Risk Level 4 and 5) apps" setting for app control.

What I am noticing is a large amount of ThunderVPN hits on our network, and I'm at a bit of a loss on what could be causing this traffic.  I'm glad they are being blocked, but I wanted to see if anyone had any experience with this and what might be utilizing this service.

Our entire network consists of Dell workstations and the traffic is coming from various IP addresses, not just one machine.

Thanks in advance for any information!



  • Another piece of information, based on the Reports sections:

    Risk: 5
    Category: Proxy and Tunnel
    Application/proto:port: Thunder VPN
    Destination: 144.195.32.47      240 MB
                 198.251.234.113    69 MB
                 144.195.7.7        9 MB
                 144.195.59.144     120 MB
                 147.124.123.171    66 MB
                 

    Those addresses all seem to belong to Zoom:

    144.195.32.0/24
    AS30103 Zoom Video Communications, Inc

  • I am using Zoom on a daily basis but only saw those Thunder VPN entries once (22.07).

    If I join a new meeting, it never gets classified in this category (anymore). Also, those are odd time stamps for a Zoom meeting (15:53, 11:08, 19:55, 21:09).

    Most likely I join a meeting on time or 1-2 minutes earlier.

    It is always NTP port 123 to Zoom, and I am not sure when this traffic will be generated.

    __________________________________________________________________________________________________________________

  • Seen this with NTP requests from IoT Devices within my HomeLab.

    Running Version SFOS 18.5.1 MR-1-Build318

    Can't create a case (Home License) but am able to provide captured traffic ... or device access.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • If you could share conntrack, tcpdump and Logviewer/Report screenshot of this traffic, this would be good. 

    __________________________________________________________________________________________________________________

    Logviewer of blocked IP4 and IPv6

    Removed not required data to shorten the thread.

    Connection 

    IP4

    • Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I need the conntrack, tcpdump and the Screenshots. 

    __________________________________________________________________________________________________________________

  • Hi,

    tcpdump follows. Screenshots of what?

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on Port3, link-type EN10MB (Ethernet), capture size 262144 bytes
    09:36:51.040891 Port3, IN: IP 10.10.10.5.123 > 139.99.222.72.123: NTPv4, Client, length 48
    09:36:51.057266 Port3, OUT: IP 139.99.222.72.123 > 10.10.10.5.123: NTPv4, Server, length 48
    09:37:15.087817 Port3, OUT: IP 10.10.10.1.123 > 10.10.10.5.123: NTPv4, Client, length 48
    09:37:15.088234 Port3, IN: IP 10.10.10.5.123 > 10.10.10.1.123: NTPv4, Server, length 48
    09:37:15.092868 Port3, OUT: IP 10.10.10.1.213 > 10.10.10.5.123: NTPv4, Client, length 48
    09:37:15.093135 Port3, IN: IP 10.10.10.5.123 > 10.10.10.1.213: NTPv4, Server, length 48
    09:37:20.172128 Port3, OUT: IP 10.10.10.1.56304 > 10.10.10.5.123: NTPv4, Client, length 48
    09:37:22.182016 Port3, OUT: IP 10.10.10.1.59711 > 10.10.10.5.123: NTPv4, Client, length 48
    09:37:24.183132 Port3, OUT: IP 10.10.10.1.64955 > 10.10.10.5.123: NTPv4, Client, length 48
    09:37:24.183489 Port3, IN: IP 10.10.10.5.123 > 10.10.10.1.64955: NTPv4, Server, length 48
    09:37:26.040848 Port3, IN: IP 10.10.10.5.123 > 162.159.200.123.123: NTPv4, Client, length 48
    09:37:26.045777 Port3, OUT: IP 162.159.200.123.123 > 10.10.10.5.123: NTPv4, Server, length 48
    09:37:28.383278 Port3, OUT: IP 10.10.10.1.64915 > 10.10.10.5.123: NTPv4, Client, length 48
    09:37:30.402537 Port3, OUT: IP 10.10.10.1.59792 > 10.10.10.5.123: NTPv4, Client, length 48
    09:37:32.408529 Port3, OUT: IP 10.10.10.1.63729 > 10.10.10.5.123: NTPv4, Client, length 48


    Ian

    conntrack does not show any results for either dport or sport udp 123.
    The real problem is catching the packets that fail, because not all traffic is misclassified.

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
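As an added illustration of how one might triage a capture like this before handing it to labs (example code written for this thread, not anything from Sophos or the posters above): the script parses tcpdump's one-line NTP summaries in the format shown in the capture, keeps only the flows that cross the RFC 1918 boundary, pairs requests with replies per internal host and external server, and notes anything that does not look like a plain NTP exchange (wrong port, packet that is not a bare 48-byte header, query arriving from outside). The sample lines are constructed from the capture above plus one unanswered request from a hypothetical host 10.10.10.7 to 144.195.32.47, a Zoom address quoted earlier in the thread; the assumption that private addresses mean "inside" is the script's own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample, modelled on the tcpdump lines posted in this thread plus one
# extra request (10.10.10.7 -> 144.195.32.47, a Zoom address quoted earlier) that gets
# no reply. This is not the poster's complete capture.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Port3, link-type EN10MB (Ethernet), capture size 262144 bytes
09:36:51.040891 Port3, IN: IP 10.10.10.5.123 > 139.99.222.72.123: NTPv4, Client, length 48
09:36:51.057266 Port3, OUT: IP 139.99.222.72.123 > 10.10.10.5.123: NTPv4, Server, length 48
09:37:15.087817 Port3, OUT: IP 10.10.10.1.123 > 10.10.10.5.123: NTPv4, Client, length 48
09:37:15.088234 Port3, IN: IP 10.10.10.5.123 > 10.10.10.1.123: NTPv4, Server, length 48
09:37:20.172128 Port3, OUT: IP 10.10.10.1.56304 > 10.10.10.5.123: NTPv4, Client, length 48
09:37:26.040848 Port3, IN: IP 10.10.10.5.123 > 162.159.200.123.123: NTPv4, Client, length 48
09:37:26.045777 Port3, OUT: IP 162.159.200.123.123 > 10.10.10.5.123: NTPv4, Server, length 48
09:38:02.500000 Port3, IN: IP 10.10.10.7.123 > 144.195.32.47.123: NTPv4, Client, length 48
"""

# One tcpdump summary line for an NTP packet (the -v decode adds fields; not handled here).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+), (?P<direction>IN|OUT): IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"NTPv(?P<version>\d), (?P<mode>Client|Server), length (?P<length>\d+)$"
)

NTP_PORT = 123
NTP_HEADER_LEN = 48  # an NTP packet without extension fields or a MAC is exactly 48 bytes


def parse_ntp_lines(text):
    """Turn tcpdump NTP summary lines into dicts; banner and non-NTP lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        for key in ("sport", "dport", "version", "length"):
            p[key] = int(p[key])
        packets.append(p)
    return packets


def summarize_external_ntp(packets):
    """Group packets crossing the RFC 1918 boundary by (internal host, external server).

    Assumption: private addresses are "inside", everything else is "outside". Requests
    and replies are counted per pair; anything that does not look like a plain NTP
    exchange (wrong port, odd size, query arriving from outside) is noted as an anomaly.
    """
    summary = defaultdict(lambda: {"requests": 0, "replies": 0, "anomalies": []})
    for p in packets:
        src_private = ip_address(p["src"]).is_private
        dst_private = ip_address(p["dst"]).is_private
        if src_private == dst_private:
            continue  # purely internal (or purely external) traffic is not what was flagged
        internal, external = (p["src"], p["dst"]) if src_private else (p["dst"], p["src"])
        entry = summary[(internal, external)]
        if p["mode"] == "Client":
            entry["requests"] += 1
            if not src_private:
                entry["anomalies"].append(f"{p['ts']}: NTP query arriving from outside")
            if p["dport"] != NTP_PORT:
                entry["anomalies"].append(f"{p['ts']}: client request not sent to udp/{NTP_PORT}")
        else:
            entry["replies"] += 1
            if p["sport"] != NTP_PORT:
                entry["anomalies"].append(f"{p['ts']}: server reply not from udp/{NTP_PORT}")
        if p["length"] != NTP_HEADER_LEN:
            entry["anomalies"].append(f"{p['ts']}: length {p['length']} is not a bare NTP header")
    return dict(summary)


def unanswered_pairs(summary):
    """Pairs with more requests than replies: worth a second look in conntrack or the firewall log."""
    return sorted(k for k, v in summary.items() if v["requests"] > v["replies"])


def render_report(summary):
    """Plain-text report, one line per host/server pair, anomalies indented below it."""
    lines = []
    for (internal, external), v in sorted(summary.items()):
        flag = " ANOMALY" if v["anomalies"] or v["requests"] > v["replies"] else ""
        lines.append(f"{internal:>15} -> {external:<15} req={v['requests']} rep={v['replies']}{flag}")
        lines.extend(f"    {a}" for a in v["anomalies"])
    return "\n".join(lines)


if __name__ == "__main__":
    report = summarize_external_ntp(parse_ntp_lines(SAMPLE_CAPTURE))
    print(render_report(report))
```

Feed it the output of the same tcpdump command run over a longer window (no -v, since the regex expects the one-line summary form) and compare the unanswered or anomalous pairs against the Thunder VPN entries in the application filter log; a pair that looks like a textbook request/reply on udp/123 to a public time server, yet is logged as a risk-5 proxy application, is the evidence labs would want alongside the pcap.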

  • Hi,

    I haven't seen any Thunder VPN reports in Logviewer since I upgraded to v18.5.1 MR-1 build 326, so in summary it looks like IP4 might have been fixed, but not IPv6; I am still seeing manual proxy surfing in the IPv6 traffic.

    The upgrade was over 4 hours ago.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • That's interesting. I upgraded to build 326 yesterday and am still seeing the Thunder VPN / port 123 reports in the Application filter log.

    SFVH (SFOS 20.0.0 GA-Build222) - Last (re)boot on November 6th  2023
    Asus H410i-plus - Pentium 6605 Gold - 250GB M.2 PCIe NVMe SSD - 8GB - 3 ports
    [If any of my posts are helpful to you please use the 'Verify Answer' link]
  • Hi,

    you are correct, they are still occurring. There is a 3.5-hour gap where none were reported, strange.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I need a pcap file of this traffic to provide the file to labs. 

    __________________________________________________________________________________________________________________