I've been consistently getting thousands of syslog messages (severity 3) like this:
106011 Deny inbound (No xlate) udp src outside:x.x.x.26/1025 dst outside:y.y.y.245/137
106011 Deny inbound (No xlate) udp src outside:x.x.x.26/1025 dst outside:y.y.y.163/137
106011 Deny inbound (No xlate) udp src outside:x.x.x.26/1025 dst outside:y.y.y.194/80
The outside source x.x.x.x address changes about every 5 hits. They are trying to reach my destination y.y.y.y addresses only on port 137 and occasionally port 80. The 5 hits in a group are only a few seconds apart, and the next group hits about 5 to 10 minutes later. Oh... the source addresses are real and pingable. This has been going on for weeks. Any ideas on how to approach this? Thanks in advance.
Do you have an application that you want to serve to the Internet on port 137? It is the standard MS NetBIOS port. Chances are someone out there has a misconfigured Windows box that is pointed your way. If your security policy is to not allow NetBIOS connections from the Internet (a wise idea) I would put an ACL on your upstream router blocking all access to your network from the Internet at UDP port 137. I wouldn't even bother logging this at the router. Just drop it.
Technically UDP port 80 is assigned to HTTP/web traffic. If you don't have a web site served from your location you might want to investigate how many folks are trying to access you via port 80. Does it associate at all with your users' web browsing? And then maybe filter that too, after you've looked at it and tried to determine whether it's just random scans. Be careful and listen for user feedback after blocking it, though.
I don't have any servers that need NetBIOS access from the outside. Seems like they are randomly scanning my address range... it's not limited to any particular inside IPs. I think blocking at the upstream router may do the trick by reducing the logs. Still, is there anything I can do to trace the REAL source of the scan? Thanks for your earlier suggestion.
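A worked example, added here and not part of any post in this thread, of the triage the replies suggest: pull the 106011 lines out of a syslog capture, count hits and distinct destinations per port (a destination count close to the hit count means a sweep of the range rather than one target), and group the hits into bursts so the "5 hits a few seconds apart, then 5 to 10 minutes of quiet, then a new source" pattern becomes a number you can look at. The per-burst source list is also the starting point for the "trace the real source" question: those are the addresses to run through whois and report to the abuse contact. The sample log is constructed for this example; the `%ASA-3-106011:` syslog prefix, the timestamps, the hostname `fw`, the year and all addresses are assumptions, since the poster quoted only the message text.

```python
"""Triage ASA 106011 'Deny inbound (No xlate)' syslog lines.

Added example for this thread, not code from the original posts.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed year: the syslog timestamp format carries none.
LOG_YEAR = 2024

# One 106011 line, with the usual syslog prefix in front of the text the poster
# quoted.  Lines with any other message ID are ignored by parse_106011().
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ %ASA-\d-106011: "
    r"Deny inbound \(No xlate\) (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample modelled on the lines quoted in the thread: three bursts,
# each from a different source, plus one unrelated 106023 line to show that
# other message IDs are skipped.  Addresses are documentation ranges.
SAMPLE_LOG = """\
Mar 10 09:00:01 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.26/1025 dst outside:203.0.113.245/137
Mar 10 09:00:02 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.26/1025 dst outside:203.0.113.163/137
Mar 10 09:00:04 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.26/1025 dst outside:203.0.113.194/80
Mar 10 09:00:05 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.26/1025 dst outside:203.0.113.12/137
Mar 10 09:00:07 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.26/1025 dst outside:203.0.113.77/137
Mar 10 09:07:30 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.91/1025 dst outside:203.0.113.8/137
Mar 10 09:07:31 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.91/1025 dst outside:203.0.113.9/137
Mar 10 09:07:33 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.91/1025 dst outside:203.0.113.10/137
Mar 10 09:07:34 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.91/1025 dst outside:203.0.113.11/137
Mar 10 09:07:36 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:198.51.100.91/1025 dst outside:203.0.113.13/137
Mar 10 09:15:02 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:192.0.2.44/1025 dst outside:203.0.113.200/137
Mar 10 09:15:03 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:192.0.2.44/1025 dst outside:203.0.113.201/80
Mar 10 09:15:05 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:192.0.2.44/1025 dst outside:203.0.113.202/137
Mar 10 09:15:08 fw %ASA-3-106011: Deny inbound (No xlate) udp src outside:192.0.2.44/1025 dst outside:203.0.113.203/137
Mar 10 09:15:20 fw %ASA-4-106023: Deny tcp src outside:192.0.2.44/4444 dst inside:203.0.113.5/445 by access-group "outside_in"
"""


def parse_106011(text):
    """Return the 106011 events in the log as dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a 106011 line
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  5"
        ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({
            "ts": ts, "proto": m["proto"],
            "src": m["sip"], "sport": int(m["sport"]),
            "dst": m["dip"], "dport": int(m["dport"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def hits_per_port(events):
    """Count of denied packets per (protocol, destination port)."""
    return Counter((e["proto"], e["dport"]) for e in events)


def distinct_targets_per_port(events):
    """Number of distinct destination addresses hit per (protocol, port).

    Close to the hit count: the source is sweeping the range.
    Far below it: a few hosts are being singled out.
    """
    targets = defaultdict(set)
    for e in events:
        targets[(e["proto"], e["dport"])].add(e["dst"])
    return {key: len(addrs) for key, addrs in targets.items()}


def find_bursts(events, max_gap=timedelta(seconds=30)):
    """Group time-ordered events into bursts of hits no more than max_gap apart."""
    bursts = []
    for e in events:
        if bursts and e["ts"] - bursts[-1]["last"] <= max_gap:
            b = bursts[-1]
            b["last"] = e["ts"]
            b["hits"] += 1
            b["sources"].add(e["src"])
        else:
            bursts.append({"first": e["ts"], "last": e["ts"],
                           "hits": 1, "sources": {e["src"]}})
    return bursts


def burst_spacing(bursts):
    """Seconds of quiet between the end of one burst and the start of the next."""
    return [int((b["first"] - a["last"]).total_seconds())
            for a, b in zip(bursts, bursts[1:])]


def triage(text):
    """Everything the thread asked about, in one dict."""
    events = parse_106011(text)
    bursts = find_bursts(events)
    return {
        "events": len(events),
        "hits_per_port": hits_per_port(events),
        "targets_per_port": distinct_targets_per_port(events),
        "bursts": [(b["hits"], sorted(b["sources"])) for b in bursts],
        "spacing_s": burst_spacing(bursts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real capture (`triage(open("asa.log").read())`) instead of the sample; on the poster's data you would expect the udp/137 target count to track the hit count, each burst to carry exactly one source address, and the spacing list to sit in the 300 to 600 second range. The burst gap of 30 seconds is a tuning knob: widen it if the firewall's clock granularity or syslog batching smears the groups.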