TCP Xmas tree dropped, TCP Null flag dropped - recommendations
anxion
Hi Guys,
Reviewing SonicWall logs, I noticed that since last week I have had "TCP Xmas tree dropped" and "TCP Null flag dropped" entries. In all cases it's coming from almost the same IP, from China.
I know that the firewall dropped it; however, I wanted to see if there is anything else I should look into regarding this before moving on.
I have GEO-IP set up to block China; however, I am still getting these scans. It seems that GEO-IP is not blocking China IPs?
Thanks
Category: Firewall Security Services
Answers
I see this too. I am also interested
Since the firewall is blocking the attack, there should be nothing to worry about.
Still, your GEO-IP filter should drop the incoming connection even before the attack is happening.
Please make sure you configured your GEO-IP filter correctly.
Hi Micheal,
OK, so even with GEO-IP enabled and the country blocked, I can still get logs that someone runs scans against my public IP?
Thanks for the clarification. What if I enable the GEO-IP Filter and we need to access some vendor homepages in this GEO-IP region?
OK, we just blocked the country we saw the TCP Xmas tree attacks from; we blocked it in the activated GEO-IP filter and, just in case, rebooted the SonicWall. But the other day we saw these attacks again from the same country in the attack report. I would have expected to see them in the GEO-IP report as blocked IPs.
In that case, it is best that you open a support ticket, so our team can investigate this behaviour.
Same here (Netherlands). Lots of Xmas tree attacks coming from Chinese telcos. And China is on the list of blocked Geo-IP countries. TZ470W, SonicOS 7.0.1-5050.
We are seeing a lot of Xmas Tree packets coming out of China as well. When I see them come from the same IP frequently, I add them to an address object group and set a rule to drop them. Geo-Filtering causes us issues with Office 365, so we have not used it much. Doing it this way is going to create a mess in the address objects.
Here are some of the IPs that it has been consistent from.
Would it be better to create a URI List Object and drop the connections with Content Filtering?
James
I just checked and it seems the same IPs are scanning our network.
Could you elaborate on the GEO-IP and Office 365 issue?
Also, regarding "I add them to an address object group and set a rule to drop them": what exact rule do you have, please?
Thanks
When we turned on GEO blocking, we basically set it to the whole world except for a few countries in the Americas and Europe. With these locations blocked, we started losing access to email and other Office 365 services. I assumed it was because these services have servers hosted all over the globe. When we turned the GEO filter off, the services returned to normal. I suppose we could fine-tune it but we don't really have the resources for that.
As far as the rule we use, I'm very glad you asked me, because I had it set up wrong and it was not doing anything.
We have a custom Access Rule (WAN to Any) that quietly discards the packets from any of the IPs in that address object group.
I venture to say it is overkill, because the firewall already recognizes and discards those Xmas tree packets without the rule. I feel it may just be for peace of mind.
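As an added example (not from this thread and not SonicWall's own code), the following Python classifies the TCP flag combinations behind the two log messages discussed here and counts dropped probes per source IP, so that only repeat sources are considered for James's address object group rather than every stray packet. The sample log lines are constructed, and their key=value layout is an assumption for this example rather than a copy of real SonicOS syslog output.

```python
import re
from collections import Counter

# TCP flag bits in the low byte of the flags field (FIN .. URG).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS_FLAGS = FIN | PSH | URG                    # the "Xmas tree" combination
LEGACY_MASK = FIN | SYN | RST | PSH | ACK | URG  # ignore ECE/CWR when classifying

def classify_flags(flags: int) -> str:
    """Return 'null', 'xmas' or 'other' for a TCP flags byte."""
    # A Null probe has no flags set; an Xmas probe lights FIN, PSH and URG together.
    # Neither occurs in a legitimate TCP conversation, so the firewall drops them.
    low = flags & LEGACY_MASK
    if low == 0:
        return "null"
    if low == XMAS_FLAGS:
        return "xmas"
    return "other"

# Constructed sample lines in a SonicWall-like key=value syslog layout; the field
# layout is assumed for this example, not copied from real SonicOS output.
SAMPLE_LOG = """\
id=firewall time="2024-01-08 09:12:01" msg="TCP Xmas tree dropped" src=203.0.113.7:44321:X1 dst=198.51.100.2:445:X1
id=firewall time="2024-01-08 09:12:02" msg="TCP Null flag dropped" src=203.0.113.7:44322:X1 dst=198.51.100.2:22:X1
id=firewall time="2024-01-08 09:12:03" msg="TCP Xmas tree dropped" src=203.0.113.7:44323:X1 dst=198.51.100.2:80:X1
id=firewall time="2024-01-08 09:15:40" msg="TCP Xmas tree dropped" src=192.0.2.9:5100:X1 dst=198.51.100.2:80:X1
id=firewall time="2024-01-08 09:16:00" msg="Connection Opened" src=192.0.2.9:5101:X1 dst=198.51.100.2:443:X1
"""

SCAN_RE = re.compile(
    r'msg="(?P<msg>TCP Xmas tree dropped|TCP Null flag dropped)".*?'
    r'src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})'
)

def count_scan_sources(log_text: str) -> Counter:
    """Count dropped Xmas/Null probes per source IP across the log text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            hits[m.group("src")] += 1
    return hits

def candidate_sources(log_text: str, threshold: int = 3) -> list:
    """Source IPs seen at least `threshold` times, most frequent first.
    A single stray probe is not worth a rule; repeat offenders are."""
    hits = count_scan_sources(log_text)
    return [ip for ip, n in hits.most_common() if n >= threshold]
```

Running `candidate_sources` over an exported log gives the short list to review before adding anything to the address object group; the firewall is already dropping the probes, so this is only about keeping the object list tidy.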