David Watkins <watkinsh...@gmail.com> wrote:
> Here's a very small sample:
>
> From 1.11.238.26 - 1 packet to udp(37970)
> From 1.23.252.46 - 1 packet to udp(37970)
> From 1.55.167.27 - 3 packets to tcp(8291,8728)
> ...
>
> I have two questions:
> 1. What's going on here and should I be worried?

Not sure, but I wouldn't worry about it - and there's nothing you can do about it anyway!

Some of that is probably network scanning - people scanning the entire internet looking for open ports. But the traffic to a single port from many sources does look like some sort of attack. My guess is that port 37970 is used unofficially (it's not assigned) by something, and they are hoping to trigger an amplification attack where your <whatever uses that port> replies with a much bigger packet.

https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification

Ah, another search found a reference to it being used in VoIP, though dunno if that's just the user's setting or a common one for Freeswitch. So it could be a DDoS against that.

I found from running the IP PBX at my last job that you don't need it to be online for long before you get brute force registration attempts against it - sometimes more than one at the same time. But the traffic profile would be different for a brute force account attack, as it comes from a small number of addresses - brute forcing a VoIP account login isn't much use if the response doesn't come back to an address the attacker owns. On the other hand, it might be a rented botnet of compromised machines being used, in an attempt to get around things like fail2ban.

I ended up blocking all traffic except for a whitelist of subnets we needed to connect from.

> 2. Why is shorewall correctly blocking these packets but my BT Homehub is
> not? The Homehub firewall is enabled and set to drop all unsolicited
> incoming traffic.

Have you configured it to send all incoming traffic to your internal firewall (DMZ host)? If so, then that might bypass its own firewall.

Simon

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
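The reply above distinguishes three traffic profiles from the dropped-packet summary: internet-wide port scanning (one source touching many ports), a distributed pattern (many sources hitting one port, as with the udp/37970 entries, which Simon reads as an amplification probe or DDoS), and a brute-force profile (few sources, many packets at one service). The script below is an added example, not code from either poster or from the Shorewall project: it parses summary lines in the exact format quoted in the original mail ("From <ip> - <n> packets to <proto>(<ports>)"), aggregates them per destination port and per source, and applies those three heuristics. The thresholds (10 distinct sources, 50 packets, 5 ports) are assumed for illustration and should be tuned to a real log volume; the sample lines beyond the three quoted in the post are constructed from documentation address ranges.

```python
import re
from collections import defaultdict

# Matches the summary-line format quoted in the original post, e.g.
#   From 1.55.167.27 - 3 packets to tcp(8291,8728)
LINE_RE = re.compile(
    r"From\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+-\s+(?P<n>\d+)\s+packets?\s+to\s+"
    r"(?P<proto>tcp|udp)\((?P<ports>[\d,]+)\)"
)

# Constructed sample: the three lines from the post plus invented entries
# (192.0.2.x, 198.51.100.x, 203.0.113.x are reserved documentation ranges).
SAMPLE_LINES = [
    "From 1.11.238.26 - 1 packet to udp(37970)",
    "From 1.23.252.46 - 1 packet to udp(37970)",
    "From 1.55.167.27 - 3 packets to tcp(8291,8728)",
] + [f"From 192.0.2.{i} - 1 packet to udp(37970)" for i in range(1, 9)] + [
    "From 203.0.113.77 - 240 packets to udp(5060)",            # one source hammering SIP
    "From 198.51.100.9 - 6 packets to tcp(21,22,23,80,443,3389)",  # one source, many ports
]


def parse_line(line):
    """Return (src, packet_count, proto, [ports]) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ports = [int(p) for p in m.group("ports").split(",")]
    return m.group("src"), int(m.group("n")), m.group("proto"), ports


def summarise(lines):
    """Aggregate per (proto, port): distinct sources and total packets; per source: ports touched."""
    by_port = defaultdict(lambda: {"sources": set(), "packets": 0})
    by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than failing the whole run
        src, n, proto, ports = rec
        for port in ports:
            by_port[(proto, port)]["sources"].add(src)
            by_port[(proto, port)]["packets"] += n
            by_src[src].add((proto, port))
    return by_port, by_src


def classify(lines, distributed_min_sources=10, bruteforce_min_packets=50,
             bruteforce_max_sources=3, scan_min_ports=5):
    """Apply the three heuristics from the thread. Thresholds are assumed values."""
    by_port, by_src = summarise(lines)
    findings = {}
    for key, info in by_port.items():
        nsrc = len(info["sources"])
        if nsrc >= distributed_min_sources:
            # Many unrelated sources aiming at one port: amplification probe / DDoS / botnet.
            findings[key] = "distributed"
        elif info["packets"] >= bruteforce_min_packets and nsrc <= bruteforce_max_sources:
            # Few sources, high volume: credential brute force against one service.
            findings[key] = "bruteforce"
    # A single source touching many ports looks like a port scan, not an attack on one service.
    scanners = sorted(src for src, ports in by_src.items() if len(ports) >= scan_min_ports)
    return findings, scanners


def report(lines):
    findings, scanners = classify(lines)
    out = []
    for (proto, port), verdict in sorted(findings.items()):
        out.append(f"{proto}/{port}: {verdict}")
    for src in scanners:
        out.append(f"{src}: port scan")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

The distinction the script encodes is the one Simon draws: a brute-force attempt needs the reply to reach an address the attacker controls, so it shows up as few sources with many packets, whereas spoofed amplification traffic or a rented botnet shows up as many sources to one port. A rented botnet would also pass the "distributed" test, so the verdict narrows the possibilities rather than proving which one it is.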