
Intrusion Detection for dropped packets

Sophos UTM 9 model SG230 firmware version 9.411-3.

In the past we have had a lot of issues on this firewall with DDoS attacks on our DNS servers. Those DNS servers are long gone and I have added a WAN firewall rule to drop any TCP/UDP port 53 traffic to those two public IP addresses. While I do see a significant traffic reduction in the Network Graphs for the WAN, I still see a lot of messages related to "UDP flood detected". All of these log entries still reference the two public IP addresses where port 53 was blocked.

Why are these still being reported if the traffic is blocked? I notice I can only reference "internal" networks when configuring IPS. 

My configuration ...

Global policy includes two internal networks and policy is "drop silently".



  • The global policy settings are necessary for the Snort engine.

    IPS patterns use the packet direction ("out->in", "in->in", "in->out") to check the applicability of a rule.

    The flood protection drops packets before they reach the packet filter / stateful engine / NAT engine / ... to protect the system.

    Bob (BAlfson) has a great explanation of packet flow, but I don't have the link at the moment.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • dirkkotte said:
    The flood protection drops packets before they reach the packet filter / stateful engine / NAT engine / ... to protect the system.

    Thanks. That explains the IPS logging. I will want to read the packet flow explanation.

    Part of the reason for reaching out on this is that we incurred some additional bandwidth usage charges at the datacenter because of these DDoS attacks. I noticed that our WAN bandwidth usage dropped significantly after applying the new firewall rule, but that does not stop the attackers from trying and being turned away. It apparently keeps IPS busy as well. Perhaps some adjustment to IPS will help prevent them from coming back for more - similar to Fail2Ban, which I use on my load balancers.

  • I think you want #2 in Rulz, Kipland. You will see from that that the way to drop the traffic before everything else is a blackhole DNAT.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA