Denied protocols

It is good to keep an eye on what protocols are currently denied by the firewall. New protocols may indicate a new vulnerability and you may want to be aware about it even though the protocol was denied. Put it this way, the firewall might try to make you aware of this new attack. So, let’s look at our report, the Denials section:

UDP/67 – This is just some DHCP broadcast received on the external interface. Normally you shouldn’t see this, what is a device doing sending DHCP requests on the public segment? If your ISP is ok, they should look into this.

UDP/2001 – This is a broadcast against … not too much information about this (actually none). We will keep researching.

ICMP/8 – A regular ping. I guess one can expect a certain number of pings.

TCP/113 – Ident, used by several mail servers for an optional authentication. In our case it came from a known mail server so it’s ok.

ICMP/3 – Unreach – just shows that a host tried to use a certain protocol that is not serviced by the firewall so an “unreachable” message was returned. May indicate probes against the published IPs.

UDP/137 – A denied broadcast from an internal host. We know about this one, it’s ok.

TCP/25 – SMTP – we have blocked a list of nasty spam servers from even trying to contact our computers.

UDP/33435 and UDP/33436 – These are used by traceroute. As with ping one can expect some traceroute traffic.

UDP/49153 – Not much about this one either. Maybe used by a game server? Conections came from 2 different servers so it must be something used on several computers, not just a custom app.

TCP/8080 – Commonly used by proxy servers. We see this computer trying this protocol every 5 seconds, most probably a misconfigured one.

UDP/1434 – Used for MS SQL management, a broadcast indicates some computer looking for SQL servers.

That’s about it. We will keep an eye on those UDP ports.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: