*ALL IPs ARE NOT REAL*
Hello community,
My problem is that I am not sure how to interpret some particular traffic (an attack attempt) that is being blocked and logged.
I have a DNAT set up for Remote Desktop access using port mapping (I know, it's not perfect, but the client needs this particular system set up just like that):
SRC: WAN, ANY
DST: 222.222.222.222:1111
DNAT: 10.10.10.10:3389
DNAT Rule ID: 40
The other day the client requested that I enable country blocking for traffic coming from China, Russia and North Korea. I did that and placed the firewall rule at the very top:
Action: BLOCK & LOG
Source: WAN, [China, Russia, N Korea]
Destination [LAN, DMZ], Any network, Any Service
Firewall Rule ID: 50
Immediately I started noticing a bunch of these "blocked entries" every 3 seconds:
Src IP: 194.194.194.194 (Russia)
Dst IP: 10.10.10.10
Dst Port: 3389
NAT Rule ID: 40
Firewall Rule ID: 50
This confused the hell out of me for the following reasons:
1) XG Firewall is inspecting the pre-NAT traffic, so how come the external packet is hitting the firewall with Dst IP = internal IP of my remote server (10.10.10.10)?
2) The log also shows a matching DNAT Rule ID = 40. How is it able to match my DNAT rule if the DST IP of the external packet is 10.10.10.10, not 222.222.222.222?
I wanted to know more, so I filtered the log by this particular Source IP = 194.194.194.194 and found another set of log entries which seemed to be the beginning of the attack, lasting for 3 days, hitting the FW every 20 min (recon stage?) and all identified as INVALID PACKET:
Src IP: 194.194.194.194 (Russia)
Dst IP: 222.222.222.222
Dst Port: 1111
NAT Rule ID: 0
Firewall Rule ID: N/A
Rule Type: 0
After 3 days the invalid packets stopped coming in and the strange packets with Dst IP = 10.10.10.10 (described above) started to hit the firewall.
As for the invalid packets, I have a theory that the attacker was resetting the handshake with the remote server, causing the firewall to flag the packet as Invalid. Still, the SYN-ACK from the remote server contained enough info with its local IP and the listening port, resulting in direct attacks with Dst IP = 10.10.10.10 and Dst Port = 3389. Any thoughts?
More importantly, I am unclear about the logged packet with Dst IP = private non-routable IP. How did it hit the WAN in the first place, and how was it matched with a DNAT rule that contains Dst IP = 222.222.222.222 as criteria?
Thank you!
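An added triage helper, not part of the original post: it assumes the firewall logs the post-DNAT destination (so a blocked entry carrying NAT Rule ID 40 was sent to the published 222.222.222.222:1111 and translated before the firewall rule matched) and undoes that mapping per entry, while also computing the hit interval per source so the 20-minute "invalid packet" phase and the 3-second blocked phase separate cleanly. The DNAT table and the timestamps are constructed from the values in the post.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed DNAT table modelled on the post's rule 40:
# NAT rule ID -> (published public endpoint, internal endpoint)
DNAT_RULES = {
    40: (("222.222.222.222", 1111), ("10.10.10.10", 3389)),
}

# Constructed sample log records mirroring the post's two kinds of entries.
# Timestamps are invented; the post only gives the intervals (20 min, then 3 s).
SAMPLE_LOG = [
    {"ts": "2024-01-01 00:00:00", "src": "194.194.194.194", "dst": "222.222.222.222", "dport": 1111, "nat": 0, "fw": None},
    {"ts": "2024-01-01 00:20:00", "src": "194.194.194.194", "dst": "222.222.222.222", "dport": 1111, "nat": 0, "fw": None},
    {"ts": "2024-01-01 00:40:00", "src": "194.194.194.194", "dst": "222.222.222.222", "dport": 1111, "nat": 0, "fw": None},
    {"ts": "2024-01-04 08:00:00", "src": "194.194.194.194", "dst": "10.10.10.10", "dport": 3389, "nat": 40, "fw": 50},
    {"ts": "2024-01-04 08:00:03", "src": "194.194.194.194", "dst": "10.10.10.10", "dport": 3389, "nat": 40, "fw": 50},
    {"ts": "2024-01-04 08:00:06", "src": "194.194.194.194", "dst": "10.10.10.10", "dport": 3389, "nat": 40, "fw": 50},
]

def published_endpoint(rec):
    """Undo the DNAT for one record (assumption: logged dst is post-translation).
    If the record's NAT rule maps to the logged (dst, dport), return the public
    endpoint the packet was originally addressed to; otherwise return it unchanged."""
    rule = DNAT_RULES.get(rec["nat"])
    if rule and (rec["dst"], rec["dport"]) == rule[1]:
        return rule[0]
    return (rec["dst"], rec["dport"])

def analyze(records):
    """Group entries by (source IP, firewall rule ID) and report the hit count,
    mean gap between hits in seconds, whether the logged destination is an
    RFC 1918 address, and the de-NATed public endpoint."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["fw"])].append(r)
    report = {}
    for key, recs in groups.items():
        times = sorted(datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S") for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "hits": len(recs),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "private_dst": ipaddress.ip_address(recs[0]["dst"]).is_private,
            "public_endpoint": published_endpoint(recs[0]),
        }
    return report

if __name__ == "__main__":
    for key, info in analyze(SAMPLE_LOG).items():
        print(key, info)
```

Running it shows both groups resolving to the same published endpoint 222.222.222.222:1111, with the blocked group flagged as having a private logged destination.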