
Traffic from ec2-54-251-46-51.ap-southeast-1.compute.amazonaws.com

All-

 

I am seeing in the packet filter log a very large amount of inbound unsolicited traffic from two Amazon servers in Singapore:

ec2-54-251-46-51.ap-southeast-1.compute.amazonaws.com

ec2-54-251-46-87.ap-southeast-1.compute.amazonaws.com

 

2016:12:28-19:08:04 oasis ulogd[7223]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth0" srcmac="40:a6:77:46:ff:c2" dstmac="00:24:7e:00:c1:82" srcip="54.251.46.51" dstip="100.14.227.105" proto="6" length="52" tos="0x00" prec="0x00" ttl="56" srcport="80" dstport="56639" tcpflags="ACK FIN"

2016:12:28-20:18:27 oasis ulogd[7223]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth0" srcmac="40:a6:77:46:ff:c2" dstmac="00:24:7e:00:c1:82" srcip="54.251.46.87" dstip="100.14.227.105" proto="6" length="52" tos="0x00" prec="0x00" ttl="56" srcport="80" dstport="58532" tcpflags="ACK FIN"

Logging shows repetitive connection attempts beginning on 12/28/2016 at 19:08:04 and running with small breaks on the same date until 23:36:47. All times are Eastern. While I think this is unsolicited traffic, the question becomes: is this activity related to normal UTM operation for up2date in addition to webproxy updates? I realize this is blocked by GeoIP. What corrective action can be taken? I should note this is a home UTM with no user activity during that time. Thank you in advance for your help. Jim



  • Jim, those are both srcport="80" - responses to HTTP requests from your network/UTM.  Can you find 54.251.46.87 in the Web Filtering log on the 28th?

    Cheers - Bob

    PS (EDIT an hour later): What do you get from the command line with

    grep '_Ip' /etc/up2date/servers.sorted.rpmsave

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
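An added example (not Bob's, Jim's or Sophos's code) that applies the point above to the ulogd lines quoted in the thread: a dropped packet arriving from source port 80 with ACK FIN set is a web server closing a session the UTM itself opened, whereas a genuine inbound connection attempt shows a bare SYN. The first two log lines are the ones from the thread (MAC and ToS fields omitted for brevity); the third is constructed to show the contrast.

```python
import re
from collections import Counter

# ulogd writes the Sophos UTM packet filter log as space-separated key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Source ports that answer HTTP(S) requests we originated; a packet *from* one of
# these with ACK set is a reply to us, not a new inbound connection.
SERVICE_PORTS = {80, 443}

# First two lines: quoted in the thread (srcmac/dstmac/tos/prec dropped for brevity).
# Third line: constructed sample of a real inbound attempt (bare SYN to port 22).
SAMPLE_LOG = """\
2016:12:28-19:08:04 oasis ulogd[7223]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth0" srcip="54.251.46.51" dstip="100.14.227.105" proto="6" length="52" ttl="56" srcport="80" dstport="56639" tcpflags="ACK FIN"
2016:12:28-20:18:27 oasis ulogd[7223]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth0" srcip="54.251.46.87" dstip="100.14.227.105" proto="6" length="52" ttl="56" srcport="80" dstport="58532" tcpflags="ACK FIN"
2016:12:28-21:00:00 oasis ulogd[7223]: id="2021" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (GEOIP)" action="drop" fwrule="60019" initf="eth0" srcip="203.0.113.7" dstip="100.14.227.105" proto="6" length="60" ttl="50" srcport="51234" dstport="22" tcpflags="SYN"
"""

def parse_line(line):
    """Return the key/value fields of one ulogd line, plus its leading timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields

def classify(fields):
    """Distinguish a straggling reply to our own connection from an inbound attempt."""
    if fields.get("proto") != "6":
        return "non-tcp"
    flags = set(fields.get("tcpflags", "").split())
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-attempt"   # remote host trying to open a connection to us
    if int(fields.get("srcport", "0")) in SERVICE_PORTS and "ACK" in flags:
        return "late-reply"        # server finishing a session we opened; conntrack entry likely expired
    return "other"

def summarize(log_text):
    """Count dropped packets per (srcip, verdict) so this noise can be told from real scans."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        counts[(fields.get("srcip", "?"), classify(fields))] += 1
    return counts

if __name__ == "__main__":
    for (src, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:>15}  {verdict:<16} {n}")
```

Run against a full day's packet filter log, a source that only ever appears as "late-reply" from port 80 or 443 is a candidate for the conntrack-timeout explanation rather than a blocklist exception.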
  • Hi Bob,

When I ran the above command line the output was -bash: grep_Ip:  command not found. I looked at the log which showed two Amazon servers 54.251.46.87 and 54.251.46.87 with identical activity both located in Singapore. The log has 194 entries all showing the same action. Singapore is one of a number of Asian countries I have blocked. Is an exception needed? I am using UTM 9.409-9 which was loaded from an ISO.

     

    Thanks,

    Jim 

  • I would have thought that the connection tracker would have allowed responses back from a device in a blocked country (Singapore) to which a request was sent.  As it is, it appears that the response takes long enough that conntrack believes the connection was closed.  From the command line, you can see what the timeouts are:

    cc get packetfilter timeouts

    I expect that one of the lines will be "ip_conntrack_tcp_timeout_fin_wait" => 120,

    I'm guessing that that might be the value in question, and you'll want to set it back to the default value once your test is done.  To set it to 300,

    cc set packetfilter timeouts ip_conntrack_tcp_timeout_fin_wait 300

    Does that cause the packets to not be blocked?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    The conntrack TCP timeout was at 120. I reset it to 300, so now a wait and see. Thank you for your help.

     

    Thanks,

    Jim

  • Hi Bob,

     

    I received exactly the same log entries from the Singapore servers. I will either remove Singapore from the group of blocked countries or try to create an exemption for those Amazon servers.

     

    Thanks,

    Jim

  • You know, Jim, I never use the "All" option in Country Blocking, always just "From" because of situations like this.  Were you using "All" to block Singapore?  If you had been, I would have expected that the request would have been blocked, so my guess was incorrect as to which timeout is involved here.  You might open a case with Sophos Support and let us know what they say.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

     

    Only from Singapore was blocked. I changed the rule for Singapore to off. Hopefully it solves the issue. Thank you for your help.

     

    Thanks,

    Jim