TCP Xmas Tree Dropped Across Multiple Firewalls in Different Geographic Locations
First, I've been working with SonicWall TZs for a number of years now and I still lay no claim to being proficient with them. :) Second, I am fairly new to monitoring logs and security events so I don't have a full grasp of what to be concerned about and what not to be. I've heard things like "If it blocked it, don't worry about it," and on the flip side, I've also heard "if it alerted us, we have to investigate it!" So, I try to lay in the middle. That said..
This morning, I saw the following alert in 4 out of 5 of our firewalls. Keep in mind these firewalls are all located in different locations geographically (Oregon and Washington) and all of them are on different ISPs.
The packets all came in within a few minutes of each other, and they all originated from the same IP 18.104.22.168 which The Anti Hacker Alliance and WHOIS both resolve to Warsaw Poland. And a RIPE search show MEVSPACE as the responsible org and perhaps Skytech as the IP holder. They seem to have an aesthetic website, but it doesn't work real well. A little odd.
Any way, I was more curious than concerned but, is this something that is common? Or could it be some sort of state-sponsored blast? Has anyone else seen this this morning?
Looking forward to your input!