All-
I am seeing in the packet filter log a very large amount of inbound unsolicited traffic from to amazon servers in Singapore:
ec2-54-251-46-51.ap-southeast-1.compute.amazonaws.com
ec2-54-251-46-87.ap-southeast-1.compute.amazonaws.com
| 2016:12:28-19:08:04 | oasis | ulogd[7223]: | id="2021" | severity="info" | sys="SecureNet" | sub="packetfilter" | name="Packet | dropped | (GEOIP)" | action="drop" | fwrule="60019" | initf="eth0" | srcmac="40:a6:77:46:ff:c2" | dstmac="00:24:7e:00:c1:82" | srcip="54.251.46.51" | dstip="100.14.227.105" | proto="6" | length="52" | tos="0x00" | prec="0x00" | ttl="56" | srcport="80" | dstport="56639" | tcpflags="ACK | FIN" |
| 2016:12:28-20:18:27 | oasis | ulogd[7223]: | id="2021" | severity="info" | sys="SecureNet" | sub="packetfilter" | name="Packet | dropped | (GEOIP)" | action="drop" | fwrule="60019" | initf="eth0" | srcmac="40:a6:77:46:ff:c2" | dstmac="00:24:7e:00:c1:82" | srcip="54.251.46.87" | dstip="100.14.227.105" | proto="6" | length="52" | tos="0x00" | prec="0x00" | ttl="56" | srcport="80" | dstport="58532" | tcpflags="ACK | FIN" |
Logging shows repetitive connection attempts beginning on 12/28/2016 at 19:08:04 and running with small breaks on the same data until 23:36:47. All times are eastern. While I think this is unsolocited traffic, the question becomes it this activity related to normal UTM operation for up2date in addition to webproxy updates? I realize this is blocked by geoip. What corrective action can be taken? A should note this is a home UTM with no user activity during that time. Thank you in advance for your help. Jim
This thread was automatically locked due to age.
