Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 3 subscribers
  • Views 4793 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unknown "internal" hostname

Pandora

We have a strange hostname in our weekly UTM reports:

10.10.21.4

 

While our Network has a different ip range.

we are concerned about the amount of traffic to and from this host.

I can not ping this host, not traceroute.

If i look at the network usage report then i see our UTM's internal IP-address on the Top 10 clients list:

IPS log:

2018:01:29-10:09:11 ulogd[7258]: id="2103" severity="info" sys="SecureNet" sub="ips" name="SYN flood detected" action="SYN flood" fwrule="60012" initf="eth0" srcmac="c8:cb:b8:da:34:00" dstmac="00:1a:8c:f0:0f:40" srcip="10.10.1.220" dstip="10.10.21.4" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="41123" dstport="80" tcpflags="SYN"
2018:01:29-10:09:11 ulogd[7258]: id="2103" severity="info" sys="SecureNet" sub="ips" name="SYN flood detected" action="SYN flood" fwrule="60012" initf="eth0" srcmac="c8:cb:b8:da:34:00" dstmac="00:1a:8c:f0:0f:40" srcip="10.10.1.220" dstip="10.10.21.4" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="41124" dstport="80" tcpflags="SYN"

My question is:

How to trace this unknown hostname?



This thread was automatically locked due to age.
  • 0

    This is a strange case.  Given the MAC addresses, it looks like your UTM is running on Hewlett Packard hardware and trying to communicate with a Sophos device.  Is one of your Sophos wireless APs having a problem?  If not, ...

    My guess would be a mistake in a NAT rule or static route...  In 'Network Definitions', search on 10.10.21.4.  When you find that object, click on the blue button to the right with the question mark in it.  In each of the places where it is used, search for the Host.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Dear Bob,

    Can't find this IP-address.

    We use our core switch as default Gateway.

    I have traced the MAC-address of this host, one of our Procureve Swithes in our Client Vlan/range.

    It's very strange, this switch shows no any sign of large data utilization or connections.

    For now i have blocked all connections to and from this source. The concurrent connections are dropped down:

    We are worried about it.
    Could it be a DDOS attack?

     

  • 0 in reply to Pandora

    I bet you're right that there's an infected device inside your LAN that is causing this problem.  I've not seen this before though, so I have no ideas.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML