  1. #1
    Untangler
    Join Date
    Jan 2016
    Posts
    60

    Internal devices flooding to make external connections

    Hello
    Malware on many devices on the internal network is trying to make 1000s of connections every second to external IPs.
    Most of them are trying to make connections on port 445, and so I did block sessions if the destination port is 445.

    Which stops that malware from flooding my Internet line from the internal side.
    But how can I automatically stop them via IPS?

    I want to auto-block any such threat or malware from the internal network that is trying to make lots of sessions.
    How do I do that? Please help.

    Thanks

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,396


    You need to disconnect the infected devices. Sure, you can tune IPS and other modules to block the egress traffic, but before you know it your gigabit internal will be DOS'd off the LAN and down your network will go.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date
    Jan 2016
    Posts
    60


    I agree that I have to disconnect infected devices.
    But sometimes we come to know very late. The reason is that it does not flood the bandwidth.
    Those all together hardly take 2-5 Mbps.

    The issue is: Untangle stops working due to 1000s of sessions per second.
    They say that Untangle would not be able to handle such a high number of sessions, and so clients get bypassed and can browse any websites.

    So we do not get any alert when Untangle is being flooded with lots of sessions.

    And so I was thinking of going with IPS or any other suggested module to block those local internal IPs that are sending too many sessions.

  4. #4
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,135


    I would think, though I don't know this for a fact, that if Shield is being overwhelmed by the number of sessions being created, then the apps (such as IPS) probably will suffer worse. My understanding is that Shield is the best line of defense in cases like this.

  5. #5
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    Did you create a support case? (124428) We looked at this case.
    If so - did you get their response? If not, I would call back in and have them explain it to you.

    In summary, the "shield" is the tool you want to do this. The issue is that you disabled the shield by adding rules to exempt the hosts on your network so the shield does not scan their traffic. Just remove those rules.
    You could, in theory, craft an IPS rule to perhaps achieve the same functionality, but it would be a bit odd to craft a rule to reimplement the behavior you just disabled in the shield. I don't think IPS will be a better tool for this case regardless.

    If you really want to be vigilant, I would enable logging of blocked sessions so you can see the shield blocks. This will be a lot of logging on your network, but should be fine. Then create trigger rules to tag devices with an obscene number of shield blocks as "infected".
    Then I would just create a filter rule to block sessions tagged with "infected" - this will effectively block all those hosts from getting to the internet until they clean up their act and you manually remove their tags.

    edit: If that isn't your case, just disregard what I said
    Last edited by dmorris; 06-27-2018 at 09:56 AM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
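The log-blocks / tag / filter workflow described in this post, as an added example that is not Untangle's own configuration or code: it counts shield blocks per internal host over a sliding window on constructed log lines, tags hosts that exceed a threshold as "infected", and then makes the block/pass decision (keeping the OP's standing block of destination port 445). The log line format, the threshold and window values, and the IP addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines in a made-up "shield block" log format (not real
# Untangle output): one host hammering port 445, one host with rare blocks.
SAMPLE_LOG = """\
2018-06-27 09:50:00 shield block src=192.168.1.23 dst=203.0.113.10 dport=445
2018-06-27 09:50:00 shield block src=192.168.1.23 dst=203.0.113.11 dport=445
2018-06-27 09:50:01 shield block src=192.168.1.23 dst=203.0.113.12 dport=445
2018-06-27 09:50:01 shield block src=192.168.1.23 dst=203.0.113.13 dport=445
2018-06-27 09:50:02 shield block src=192.168.1.50 dst=198.51.100.7 dport=443
2018-06-27 09:59:00 shield block src=192.168.1.50 dst=198.51.100.8 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) shield block src=(?P<src>[\d.]+) dst=\S+ dport=(?P<dport>\d+)$"
)

def parse_shield_blocks(text):
    """Return (timestamp, src_ip, dport) tuples for well-formed lines; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], int(m["dport"])))
    return events

def tag_flooding_hosts(events, threshold, window_seconds):
    """Emulate the trigger rule: tag a source 'infected' once it has more than
    `threshold` shield blocks inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    tags = {}
    for ts, src, _dport in sorted(events):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            tags[src] = "infected"
    return tags

def filter_decision(src, dport, tags):
    """Emulate the filter rule: block any session from a host tagged 'infected',
    plus the OP's standing block of destination port 445."""
    if tags.get(src) == "infected" or dport == 445:
        return "block"
    return "pass"
```

The tag persists until removed by hand, matching the "manually remove their tags" step above; tune the threshold so that a browser opening a few dozen connections to a CDN does not trip it.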

  6. #6
    Untangler
    Join Date
    Jan 2016
    Posts
    60


    No, that was not the support case number.
    "The issue is that you disabled the shield by adding rules to exempt the hosts on your network so the shield does not scan their traffic."
    I have not exempted any host other than 1. And that one host which has been exempted is safe and not sending anything malicious.

    I was looking at shield; what condition should I select there? And action has only two options (Scan and Pass).

  7. #7
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    Oh wow. Do you know what malware it is? That would be several cases we've now seen of flooding port 445.

    The shield should be enabled and there should be no rules at all.
    If you added a rule for one host, just make sure it's literally that one host and not the whole subnet or something by accident. It is pretty rare that you need to add an exception for a non-malicious host.

    Do you have a support ticket number?

  8. #8
    Untangler
    Join Date
    Jan 2016
    Posts
    60


    I am not sure about the name of the malware, but yes, those are on port 445.

    Shield is enabled, and there is no rule under that. I have not bypassed any host under "shield".
    The bypass which I mentioned was under the web filter rule only. NOTHING under shield. No rules.

    ticket number: 124922

  9. #9
    Untangle Junkie dmorris
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    Thanks - it looks like they're working on it, but I will also take a peek in a bit.

  10. #10
    Untangler
    Join Date
    Jan 2016
    Posts
    60


    Just got a reply on the ticket saying it is not possible to automatically block those internal IPs which are creating too many sessions.
