Odd logs... what's going on?

Status
Not open for further replies.

jenlion

IS-IT--Management
Nov 13, 2001
I checked the logs of a client I hadn't visited in a long time and found some interesting patterns. Went back and ran the whole year (all 300MB of log) and some strange things have shown up.

From IP addresses all over the globe, this client gets hit at exactly the same time, down to the second. Three high random ports (different ones for each different IP address hitting it), two DNS tries, over and over. It also claims to be hitting the filtered-http rule, rather than blocked by default. I don't spend a lot of time on this, so I don't know why. This has my attention though. Here are some examples:

Denied Service, incoming, 1/23/2003 9:58:44 AM, 66.28.255.130, (MyClient'sIP), 6336/"Denied service Filtered-HTTP"

Denied Service, incoming, 1/23/2003 9:58:54 AM, 63.218.7.130, (MyClient'sIP), 1871/"Denied service Filtered-HTTP"

Denied Service, incoming, 1/23/2003 9:58:54 AM, 213.61.6.2, (MyClient'sIP), 46260/"Denied service Filtered-HTTP"

Everything's the same except the source IP and the port number. Also note the 255 in that first address. Spoofed? I don't know. I've got at least a dozen, probably more, sources that do this at the same time, from January through July with a break from May 16 - July 18. They mostly seem to be legitimate IPs. Most respond to pings, though not all. They don't seem to have anything obvious in common (i.e., all IIS or something), though I'm not done looking yet.

There are hundreds of records from each IP that hits the box. Some of them pick up later -- for example, one starts in the middle of February, rather than Jan 23. Looks like zombies, but I don't know what they're doing, or how they get things down to the second every single time. I don't know a lot about this stuff, but I'm learning. I've dumped it all into Access so it's easy to query. Does anyone recognize this?

Thanks
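The check the poster is doing by hand in Access, as an added example that is not part of the original thread: parse the Firebox log lines quoted above and report every one-second timestamp at which more than one distinct source address was denied. The log format is assumed from the three quoted entries; the fourth sample line (192.0.2.10) is constructed to show a non-coincident hit is not flagged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout assumed from the entries quoted in the post:
# <action>, <direction>, <m/d/yyyy h:mm:ss AM|PM>, <src>, (<dst>), <port>/"<rule>"
LINE_RE = re.compile(
    r'^(?P<action>[^,]+), (?P<direction>[^,]+), '
    r'(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), '
    r'(?P<src>[^,]+), \((?P<dst>[^)]+)\), (?P<port>\d+)/"(?P<rule>[^"]+)"$'
)

def parse_line(line):
    """Parse one log entry into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    rec["port"] = int(rec["port"])
    return rec

def coincident_sources(lines, min_sources=2):
    """Group denied entries by their one-second timestamp and keep only
    the seconds in which at least `min_sources` distinct sources appear.
    Returns a sorted list of (timestamp, [sources...]) tuples."""
    by_ts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ts[rec["ts"]].add(rec["src"])
    hits = [(ts, sorted(srcs)) for ts, srcs in by_ts.items() if len(srcs) >= min_sources]
    return sorted(hits)

# Constructed sample: the three entries from the post plus one unrelated line.
SAMPLE = [
    'Denied Service, incoming, 1/23/2003 9:58:44 AM, 66.28.255.130, (MyClient\'sIP), 6336/"Denied service Filtered-HTTP"',
    'Denied Service, incoming, 1/23/2003 9:58:54 AM, 63.218.7.130, (MyClient\'sIP), 1871/"Denied service Filtered-HTTP"',
    'Denied Service, incoming, 1/23/2003 9:58:54 AM, 213.61.6.2, (MyClient\'sIP), 46260/"Denied service Filtered-HTTP"',
    'Denied Service, incoming, 1/23/2003 10:15:02 AM, 192.0.2.10, (MyClient\'sIP), 80/"Denied service Filtered-HTTP"',
]

if __name__ == "__main__":
    for ts, srcs in coincident_sources(SAMPLE):
        print(ts.isoformat(), len(srcs), "sources:", ", ".join(srcs))
```

Run it over the full year of exported log lines and raise `min_sources` to see how many distinct addresses share each second; the same grouping, keyed on (timestamp, port) instead, separates the HTTP and DNS attempts the poster counts.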
 
I wouldn't call those entries strange, that would be your firewall doing its job (welcome to the Internet). You will see messages denying traffic based on the default rule (allow nothing except that which is explicitly defined) only when another rule for the incoming traffic does not exist. For example, Filtered-HTTP in your logs above. You have a Filtered-HTTP rule that is configured to deny certain/all incoming traffic, thus that rule does the denying.

It's good to check your FB logs frequently. Take advantage of the ability to have the log host notify you of certain events as well. For instance, I have a notification event configured whenever there is SMTP traffic going outbound that did not originate from my mail server. Notification of what is allowed out is just as useful or more than what is denied in sometimes. There are many others you can configure, but you get the picture...
 
The thing that I find odd, though, is that from dozens of IP addresses at the same time, I get the exact same thing, over and over again, down to the second.

I do have certain email notifications set up. I check my own WG at my full time job every day -- have the report print overnight so I can read it first thing for the previous day -- then again on a monthly basis to look for patterns I might miss in a single day. Since I don't visit this old client often, I don't monitor their logs. (I told them how, but they really don't care, nor do they have anyone there who would begin to understand what they are looking at).

So, the oddness to me is in the fact that I have simultaneous records from dozens of IP addresses all over the world doing exactly the same thing: 3 http, 2 DNS, 3 http, 2 DNS, until the pattern changed in May to 2 http, 2 DNS. For every single person.

The reason I wonder about that rule -- seems like the FB would only reject HTTP on 80, since that's all I've got it set up for. Usually, if someone tries to hit a port I don't have any specific rule for, it says Denied (default) -- basically, it's not specifically allowed, therefore it is denied.
 