TCP Xmas Tree Dropped Across Multiple Firewalls in Different Geographic Locations
Hi all,
First, I've been working with SonicWall TZs for a number of years now and I still lay no claim to being proficient with them. :) Second, I am fairly new to monitoring logs and security events, so I don't have a full grasp of what to be concerned about and what not to be. I've heard things like "If it blocked it, don't worry about it," and on the flip side, I've also heard "If it alerted us, we have to investigate it!" So, I try to lie in the middle. That said...
This morning, I saw the following alert in 4 out of 5 of our firewalls. Keep in mind these firewalls are all located in different locations geographically (Oregon and Washington) and all of them are on different ISPs.
The packets all came in within a few minutes of each other, and they all originated from the same IP, 95.214.55.244, which The Anti Hacker Alliance and WHOIS both resolve to Warsaw, Poland. And a RIPE search shows MEVSPACE as the responsible org and perhaps Skytech as the IP holder. They seem to have an aesthetic website, but it doesn't work really well. A little odd.
Anyway, I was more curious than concerned, but is this something that is common? Or could it be some sort of state-sponsored blast? Has anyone else seen this this morning?
Looking forward to your input!
Bo
Answers
Did you read up about this 'attack'?
Most likely nothing serious, and possibly routine 'reconnaissance' of an automated type (think Shodan or webcrawlers). A few of these packets are not unusual to see every other year or so in my opinion / from experience.
Thanks for the reading, and yeah, we see the Xmas packets frequently, but I had never seen (noticed) it happen where multiple firewalls all received them around the same time, geographically and ISP-independent. AND from the same IP.
Was also curious if anyone else got them today.
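The pattern raised above (Xmas-flagged packets dropped at several independent firewalls from one source within minutes) is straightforward to spot automatically once the logs are in one place. The following is an added example, not code from the thread or from SonicWall; it uses a constructed, simplified log layout (hypothetical field names, not a real SonicWall export) and flags any source whose Xmas packets reach a configurable number of distinct firewalls inside a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical simplified format (not a real
# SonicWall export): date time firewall src=... dst=... flags=... action=...
# Addresses are documentation-range values, not the IP from the thread.
SAMPLE_LOGS = """\
2024-07-17 08:01:12 fw-portland src=203.0.113.5 dst=198.51.100.10 flags=FIN,PSH,URG action=drop
2024-07-17 08:02:40 fw-seattle src=203.0.113.5 dst=198.51.100.20 flags=FIN,PSH,URG action=drop
2024-07-17 08:03:05 fw-spokane src=203.0.113.5 dst=198.51.100.30 flags=FIN,PSH,URG action=drop
2024-07-17 08:03:50 fw-eugene src=203.0.113.5 dst=198.51.100.40 flags=SYN action=drop
2024-07-17 09:30:00 fw-tacoma src=203.0.113.5 dst=198.51.100.50 flags=FIN,PSH,URG action=drop
2024-07-17 08:05:00 fw-portland src=192.0.2.77 dst=198.51.100.10 flags=FIN,PSH,URG action=drop
"""

# An Xmas tree probe sets FIN, PSH and URG together, a combination no normal
# TCP session produces; that is what the firewalls in the thread matched on.
XMAS_FLAGS = {"FIN", "PSH", "URG"}


def is_xmas(flags):
    """True when all three Xmas flags are present in the packet's flag list."""
    return XMAS_FLAGS <= set(flags)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 6:
        return None
    kv = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return {
        "ts": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S"),
        "fw": parts[2],
        "src": kv.get("src"),
        "flags": kv.get("flags", "").split(","),
    }


def correlate(log_text, min_sites=3, window=timedelta(minutes=10)):
    """Return {src: sorted firewall names} for every source whose Xmas packets
    were seen by at least `min_sites` distinct firewalls within `window`."""
    events = defaultdict(list)  # src -> [(timestamp, firewall)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"] and is_xmas(rec["flags"]):
            events[rec["src"]].append((rec["ts"], rec["fw"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):  # slide the window over each start
            sites = {fw for ts, fw in evs[i:] if ts - t0 <= window}
            if len(sites) >= min_sites:
                hits[src] = sorted(sites)
                break
    return hits
```

The SYN-only line and the later lone hit are deliberately outside the match, so the sample returns only the one source seen at three sites within ten minutes.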
@Bo_Hic I guess it's a "regular" crawler, I have this in the logs on Jul 5th, 10th and 17th.
95.214.53.99 and 95.214.55.244.
--Michael@BWC
Seems like this IP was reported quite a few times as an abuser so I believe it's being used to scan networks through different tools including XMAS attacks. https://www.abuseipdb.com/check/95.214.55.244
Any time an IP like that is noticed, you can report it to our CaptureLabs: https://capturelabs.sonicwall.com/m/feature/ip-reputation-lookup/
I have reported it for further review now; however, the IP is already listed as "Spam" in our systems.
Thank you! I'll add those links to my toolbox. :)