Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 9 replies
  • Answers 1 answer
  • Subscribers 5 subscribers
  • Views 15304 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to Drop Incoming HTTP Traffic to External WAN

Derek Preston

Our External WAN is being bombarded by Gigabits of incoming WWW-HTTP traffic that I can not drop with Firewall Rules.

I've looked through Country Blocking Exceptions, Automatic NAT Rules, Proxies (Web, SMTP, Application Control, VPNs, etc) and unable to locate any exceptions that may be allowing this traffic that is causing high latency and congestion on our External WAN. Our RED Networks are especially affected.

This bombardment of WWW-HTTP traffic began within the past two days and is constantly occurring.  Furthermore, the IP addresses that are causing this traffic are also showing up in the IPS logs and causing the following alerts

 

2017:10:12-08:22:39 sophos snort[28745]: S5: Session exceeded configured max bytes to queue 1048576 using 1055824 bytes (client queue). blanked 56127 --> 8.249.99.254 80 (0) : LWstate 0x9 LWFlags 0x6007
2017:10:12-08:23:00 sophos snort[28745]: S5: Session exceeded configured max bytes to queue 1048576 using 1053826 bytes (client queue). blanked 56407 --> 8.249.99.254 80 (0) : LWstate 0x9 LWFlags 0x6007
2017:10:12-08:23:10 sophos snort[28739]: S5: Session exceeded configured max bytes to queue 1048576 using 1052186 bytes (client queue). blanked 33135 --> 67.24.105.254 80 (0) : LWstate 0x9 LWFlags 0x6007
2017:10:12-08:23:17 sophos snort[28745]: S5: Session exceeded configured max bytes to queue 1048576 using 1058162 bytes (client queue). blanked 56443 --> 8.249.99.254 80 (0) : LWstate 0x9 LWFlags 0x6007
2017:10:12-08:23:20 sophos snort[28739]: S5: Session exceeded configured max bytes to queue 1048576 using 1050082 bytes (client queue). blanked 33174 --> 67.24.105.254 80 (0) : LWstate 0x9 LWFlags 0x6007
2017:10:12-08:23:28 sophos snort[28739]: S5: Session exceeded configured max bytes to queue 1048576 using 1052730 bytes (client queue). blanked --> 67.24.105.254 80 (0) : LWstate 0x9 LWFlags 0x6007

 

Here's are some IFTOP results of the traffic:

Any insight on why I can't drop this traffic would be appreciated.

Thanks!



This thread was automatically locked due to age.
Parents
  • +1

    I was able to circumvent the excessive HTTP traffic.

    In general, a packet arriving at an interface is handled only by one of the following, in order:
    DNATs first, then VPNs and Proxies and, finally, manual Routes and Firewall rules.


    I used a DNAT rule like: 'DNAT : {Group of bad IPs} -> HTTP-> External (WAN) (Address) : to {non-existant IP}'

    I'm happy to say that no longer are we seeing RX transfer rates of 200Mbps or more and back down to the normal 10Mbps or less range.

    Also, the "Session exceeded configured max bytes to queue 1048576 using 1055824 bytes (client queue)" IPS events stopped.

     

    This is a good enough work around for now until these IP addresses give up trying:

    13.107.4.50

    69.16.164.31

    151.139.128.10

    8.254.250.126

    205.185.216.42

    8.253.185.229

    72.21.81.240

    67.24.97.254

    205.185.216.10

    67.24.107.254

    8.253.185.121

    67.24.99.254

    67.24.121.254

    67.24.123.254

    8.254.250.190

    67.24.105.254

    8.253.185.249

    8.253.131.121

    8.254.220.174

  • 0 in reply to Derek Preston

    Here's some evidence that the DNAT rule is intercepting this HTTP traffic.

Reply Children
Unfiltered HTML