This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Network Protection stats

so this my stats from the UTM

how do I find out if these are from within the network going outwards i'm just worried that there could be something going off that needs my attention, we block alot of ad web traffic as we don't allow staff to click on ad links but that's by the by BUT just wondering how i could find out where e.g the request for startedtop.com is coming from or could it be that when browse the web whatever server the site is hosted on our firewall is blocking it ?



This thread was automatically locked due to age.
Parents
  • I think that the host/IP names with the "PC" icon are clients on your LAN, and the UTM is using the host names of them in the reporting. And the domains/IP with the country flags are incoming packets from the internet that are being dropped.

    A reverse DNS lookup of startedtop.com reveals nothing.

    "Host startedtop.com not found: 3(NXDOMAIN)"

Reply
  • I think that the host/IP names with the "PC" icon are clients on your LAN, and the UTM is using the host names of them in the reporting. And the domains/IP with the country flags are incoming packets from the internet that are being dropped.

    A reverse DNS lookup of startedtop.com reveals nothing.

    "Host startedtop.com not found: 3(NXDOMAIN)"

Children
  • Hello Kevin,

    I am reading this on my homelab like this:

    So these are "Dropped Source Hosts" , if I am interested in line 3 for instance, then I click on that button in the upper right as shown in my screenshot above. You are then presented the GUI-View of the logs:

    You can click on that row of interest and get a new detail view:

    Obviously somebody is scanning the outside of my firewall from an aws instance. Research completed. This happens a hundred maybe a thousand times a day and that's what a firewall is for: to drop them.

    Our company friewalls are often hit by recyber.net like yours, you can go there and opt-out from their research project, if you don't like that.

    The rest is your internal clients, you could go into "dropped destination services" to find out  what is happening here and then try to shut down the root cause of these requests. Otherwise you just have to live with the number of these drops.

    For me I would like to know, when some internal clients have more than a thousand drops a day and would investigate this. Maybe something is misconfigured or simply unneeded.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • That is OK for hosts that have a resolvable IP address, but what about the domain name like "startedtop.com" that is unresolvable by DNS lookup, and doesn't appear anywhere in the logs.

    You mentioned recyber.net as an example. I myself have scoured my logs and there is no log that mentions that specific domain anywhere.

    A DNS lookup in Support>Tools>DNS Lookup returns not found.

    Trying "recyber.\173net"
    
    Host recyber.\xADnet not found: 3(NXDOMAIN)

    When doing the DNS lookup from the web it did find the IP:
    Type Domain Name TTL Address
    A recyber.net 300
    104.21.18.133

    Owner: CloudFlare Inc. WHOIS AS13335


    IP blocked by dnsbl.spfbl.netMore

    A recyber.net 300
    172.67.181.221

    Owner: CloudFlare Inc. WHOIS AS13335


    IP blocked by dnsbl.spfbl.netMore

    I have scanned my firewall logs for both of these IP addresses (104.21.18.133, 172.67.181.221) which is a  result of a DNS lookup for the domain recyber.net, but not one entry shows up. My point is that it's hard to diagnose what the source IP of these blocked packets are or the exact time it was logged. The original posted wanted to know the source of startedtop.com, but it remains a mystery as it appears the UTM does not log it, yet it appears as a dropped source host?