
Strange denials for UDP/48010 and UDP/48014

March 18, 2010

We continue to see quite a few TCP/135 (MS RPC) probes from China-based computers. Each source IP address is recorded with just one probe on that port, so most probably these are PCs infected with various worms and viruses rather than determined attackers. This is to be expected; it is good to see, however, that there are fewer and fewer US-based probes.

The bulk of the traffic is, of course, HTTP, at approx. 7 GB. The top IP address generating web traffic is 208.68.224.23. There is no reverse host name configured for this IP, but the organization is listed as Atrion Networking (http://www.atrion.net/). This IP alone downloaded close to 600 MB of data, which is a very large amount for a webserver with no big files to download. Atrion seems to be a telecom company, so it is possible that this is a proxy server actively downloading content from sites its users visit.

The usual Google, Yahoo, MS and Yandex.ru bots come next and, again, this is to be expected. For a public webserver this is good: it means that your website is getting indexed in all these search engines, increasing the visitors to the site. Even if they put a certain load on the server, one should not block them! (A crawler that merely claims to be one of these is another matter: a User-Agent string is trivial to forge, so before trusting a heavy "bot", reverse-resolve its IP address and check that the name belongs to the search engine it claims to be.)

The traffic vs. denial graph allows a quick check for anomalies (e.g. unusual spikes in denials may indicate a concentrated attack against the server). So a green traffic "mountain" with a matching low-profile denials curve is just what you want to see.

There are quite a few denied connections for UDP/48010 and UDP/48014 (and some TCP/48014 connection attempts). Searching Google and the SANS Internet Storm Center did not reveal any useful information, which is a bit strange. Could this be something specific to our server? For example, if a lookup initiated by our application (the whois queries, say) went out from a UDP socket bound to an ephemeral port such as 48010, the reply from the queried host would come back to that port; since all inbound UDP traffic is rejected by our firewall, those replies would be denied and would end up recorded in the logs. The logs themselves give a first hint: replies to our own queries arrive from a fixed service port on hosts we contacted, whereas probes arrive from varying ephemeral ports on hosts we never talked to. To settle it, we will have to replicate a query to one of those IPs and monitor the traffic going back and forth, outside the firewall, between our server and that IP address. One can use Ethereal (the free network protocol analyzer, now distributed under the name Wireshark) to perform this task. The past reports do not contain this type of denial, so it could simply be a new scan pattern, possibly aimed at a newly disclosed vulnerability, that we have to keep an eye on. Fortunately, our server has all the recommended patches and hotfixes.
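The two checks made above, "one probe per source IP on TCP/135" and "are the UDP/48010 denials replies to our own queries or inbound probes?", can be run directly over the PIX syslog export. The script below is an added example written for this post; it is not part of FireGen and not the author's code. The log lines in it are constructed (documentation address ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24, with 203.0.113.10 standing in for our server), modelled on the PIX/ASA "Deny" message formats 106001, 106006 and 106023; the "likely-replies"/"likely-probes" verdict is a heuristic on the remote port, not a rule from any Cisco document.

```python
"""Tally Cisco PIX deny messages per destination port and separate probe from reply patterns.

Added example (not FireGen code). SAMPLE_LOG is constructed, modelled on PIX message
formats 106001, 106006 and 106023; replace it with your own syslog export.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
%PIX-2-106001: Inbound TCP connection denied from 192.0.2.3/3341 to 203.0.113.10/135 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 192.0.2.4/1025 to 203.0.113.10/135 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 192.0.2.3/3342 to 203.0.113.10/135 flags SYN on interface outside
%PIX-2-106006: Deny inbound UDP from 198.51.100.7/53 to 203.0.113.10/48010 on interface outside
%PIX-2-106006: Deny inbound UDP from 198.51.100.9/53 to 203.0.113.10/48010 on interface outside
%PIX-4-106023: Deny udp src outside:198.51.100.7/53 dst inside:203.0.113.10/48014 by access-group "outside_in" [0x0, 0x0]
%PIX-4-106023: Deny udp src outside:192.0.2.20/61004 dst inside:203.0.113.10/48014 by access-group "outside_in" [0x0, 0x0]
%PIX-4-106023: Deny tcp src outside:192.0.2.21/4412 dst inside:203.0.113.10/48014 by access-group "outside_in" [0x0, 0x0]
"""

# One regex per message format; groups are always (proto, src, sport, dst, dport).
PATTERNS = [
    re.compile(r"Inbound (TCP|UDP) connection denied from ([\d.]+)/(\d+) to ([\d.]+)/(\d+)"),  # 106001
    re.compile(r"Deny inbound (TCP|UDP) from ([\d.]+)/(\d+) to ([\d.]+)/(\d+)"),               # 106006
    re.compile(r"Deny (tcp|udp) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)"),                # 106023
]


def parse_deny(line):
    """Return a dict for a deny line, or None for any other syslog line."""
    for pat in PATTERNS:
        m = pat.search(line)
        if m:
            proto, src, sport, dst, dport = m.groups()
            return {"proto": proto.lower(), "src": src, "sport": int(sport),
                    "dst": dst, "dport": int(dport)}
    return None


def parse_log(text):
    return [r for r in (parse_deny(l) for l in text.splitlines()) if r]


def probes_per_port(records, proto, dport):
    """Source IP -> number of denied packets aimed at (proto, dport)."""
    counts = defaultdict(int)
    for r in records:
        if r["proto"] == proto and r["dport"] == dport:
            counts[r["src"]] += 1
    return dict(counts)


def repeat_sources(records, proto, dport):
    """Sources that hit the port more than once: a determined scanner rather than a one-shot worm."""
    return sorted(ip for ip, n in probes_per_port(records, proto, dport).items() if n > 1)


def distinct_sources_by_port(records):
    """[((proto, dport), distinct source count)], most sources first."""
    srcs = defaultdict(set)
    for r in records:
        srcs[(r["proto"], r["dport"])].add(r["src"])
    return sorted(((k, len(v)) for k, v in srcs.items()), key=lambda kv: (-kv[1], kv[0]))


def classify_denials(records, proto, dport):
    """Heuristic: denied packets coming from a well-known service port (<1024) look like
    replies to queries our side sent from ephemeral port dport; packets from ephemeral
    remote ports look like inbound probes. A packet capture is still needed to confirm."""
    sports = [r["sport"] for r in records if r["proto"] == proto and r["dport"] == dport]
    if not sports:
        return "no-denials"
    if all(p < 1024 for p in sports):
        return "likely-replies"
    if all(p >= 1024 for p in sports):
        return "likely-probes"
    return "mixed"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (proto, port), n in distinct_sources_by_port(recs):
        print(f"{proto}/{port}: {n} distinct sources, verdict={classify_denials(recs, proto, port)}")
    print("repeat sources on tcp/135:", repeat_sources(recs, "tcp", 135))
```

On the constructed lines the script reports tcp/135 with one repeat source, udp/48010 as likely replies (both packets come from port 53 on hosts we would have queried) and tcp/48014 as likely probes. A "mixed" verdict, as for udp/48014 here, is exactly the case where the packet capture outside the firewall described above is the only way to know.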

For a sample FireGen for Pix Log Analyzer report go to http://www.eventid.net/firegen/sample-2005-08-31-110059-ondemand.html
