SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

  • 1.  Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 01-29-2019 07:57

    Saw some interesting denied traffic in the logs on multiple SRX firewalls and didn't have an explanation.

    We see denied traffic sourced from random public IPs on the web destined to IP addresses that we do not own, that are not in our public subnet, or that are not affiliated with our firewall (interfaces, NAT, etc.).

    Any thoughts?



  • 2.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-04-2019 11:50

    Hi 

     

    I could only think that maybe your ISP has some misconfigured routes with a next-hop of your public IP address. The packets are delivered to your SRX and then it drops them. Is the issue still happening?

     

    What SRX models and Junos versions are we talking about? The other possibility would be a software bug.

     



  • 3.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-05-2019 06:37

      

     

    This was my assumption as well. Yes, it is still happening. So far we have seen it on an SRX1500 cluster running 18.1R2.5 and on two SRX340s (18.3R1.9 and 17.4R1.16).

     

    This is occurring with 3 different circuit providers.



  • 4.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-05-2019 07:03

     

     

     

     



  • 5.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

     
    Posted 02-04-2019 20:17

    Hi,

     

    I have seen this in the past and have come to believe that this is quite normal in the Public internet. Especially a lot of attempts to establish SSH or other connections to your IP ranges.

     

    Who controls the routing towards your SRX? Are you having an eBGP peering to advertise your public subnet? Or is it the ISP who has a route defined at their end?

     

    Regards,

     

    Vikas

     

     



  • 6.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-05-2019 06:40

    Thanks for the reply Vikas

     

    I understand that there will be attempts from the Public internet to my SRX device address, but I should not see attempts from the Public Internet to other public internet addresses that are not even in the subnet range we own.

     

    There is a provider router on prem that is the next hop of the SRX. The ISP is controlling the routing.



  • 7.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-05-2019 06:45

    dwolcot1,

    Thanks for the confirmation.

    If that's the case, then the only way you could receive a packet not destined to your public addresses would be if the ISP has incorrect routes pointing to your public address as the next hop. Reach out to them and confirm this situation.

     

    Please mark as Resolved if applicable.

     



  • 8.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-04-2019 22:20

    Hello,

     


    @dwolcot1 wrote:

     

    We see denied traffic sourced from random public IPs on the web destined to IP addresses that we do not own, that are not in our public subnet, or that are not affiliated with our firewall (interfaces, NAT, etc.).

     


    Are You sure about the direction of this traffic? Is it coming TO You, and NOT from You?

    If this traffic is really coming _FROM_ Your internal LAN _to_ the internet, that's a well-known symptom of an infected/botnet device on Your internal LAN.

    Usually ISPs drop such traffic on their edge routers using uRPF but the BW on CE-PE link is consumed anyway.

    If that's not the case, and the traffic is indeed coming TO You from the ISP router, then it usually is a sign of unknown unicast flooding in the ISP's switched infrastructure. Basically, more often than not there is an L2 switch between You and the ISP router that You may not know about, acting as a port extender for the simple reason that a switch port costs way less than a router port.

    Hence, if there are other customers of the same ISP on the same VLAN as Yourself, and if the ISP router's ARP timeout is longer than the switch's MAC timeout (which is typically the case with default timeouts), then this L2 switch will flood the packets destined to other customer(s) whose MAC addresses timed out to all ports in that shared VLAN.

    HTH

    Thx

    Alex
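The timer race Alex describes (router ARP entry outliving the switch's MAC-table entry for the same customer) can be modelled in a few lines. This is an added illustration, not code from the thread or from Juniper; the timer values, customer names, ports, addresses and MACs are constructed (documentation ranges), and real defaults vary by vendor and configuration.

```python
"""Toy model of the unknown-unicast flood window on a shared ISP VLAN:
the ISP router's ARP entry for a customer outlives the L2 switch's
MAC-table entry, so the router still unicasts to a MAC the switch has
forgotten, and the switch floods the frame to every customer port.

Added illustration, not code from the thread or from Juniper. Timer
values, names, ports, addresses and MACs are constructed.
"""
from dataclasses import dataclass, field

MAC_AGING_S = 300      # assumed switch MAC-table aging time (seconds)
ARP_TIMEOUT_S = 1200   # assumed ISP router ARP cache timeout (seconds)


@dataclass
class SharedVlan:
    """Several customers behind one unmanaged switch, one router interface."""
    ports: dict                 # customer name -> switch port number
    owners: dict                # customer IP -> (customer name, customer MAC)
    mac_aging: int = MAC_AGING_S
    arp_timeout: int = ARP_TIMEOUT_S
    mac_table: dict = field(default_factory=dict)   # MAC -> (port, last seen)
    arp_cache: dict = field(default_factory=dict)   # IP -> (MAC, learned at)

    def customer_sends(self, ip: str, t: int) -> None:
        """An upstream frame from a customer refreshes both switch and router state."""
        name, mac = self.owners[ip]
        self.mac_table[mac] = (self.ports[name], t)
        self.arp_cache[ip] = (mac, t)

    def router_forwards(self, dst_ip: str, t: int) -> dict:
        """Deliver one downstream packet at time t; report how the switch handled it."""
        name, mac = self.owners[dst_ip]
        arp = self.arp_cache.get(dst_ip)
        if arp is None or t - arp[1] > self.arp_timeout:
            # ARP entry expired: the router ARPs (broadcast), the customer's
            # reply refreshes the switch MAC table, then the packet goes unicast.
            self.customer_sends(dst_ip, t)
            return {"outcome": "unicast-after-arp", "ports": {self.ports[name]}}
        entry = self.mac_table.get(mac)
        if entry is None or t - entry[1] > self.mac_aging:
            # Router still knows the MAC, switch has aged it out: unknown unicast,
            # flooded to every customer port with the original dst MAC intact.
            return {"outcome": "flooded", "ports": set(self.ports.values())}
        return {"outcome": "unicast", "ports": {entry[0]}}


def flood_window(mac_aging: int = MAC_AGING_S, arp_timeout: int = ARP_TIMEOUT_S):
    """Idle-time interval (seconds) in which a downstream packet floods, or None."""
    return (mac_aging, arp_timeout) if arp_timeout > mac_aging else None


def demo() -> list:
    """Customer B goes quiet at t=0; observe packets for B at increasing idle times."""
    seg = SharedVlan(
        ports={"A": 1, "B": 2, "C": 3},
        owners={"203.0.113.20": ("B", "00:00:5e:00:53:bb")},
    )
    seg.customer_sends("203.0.113.20", 0)
    return [seg.router_forwards("203.0.113.20", t)["outcome"] for t in (100, 600, 1300)]


if __name__ == "__main__":
    print(flood_window())   # (300, 1200): idle between 5 and 20 minutes -> flooded
    print(demo())           # ['unicast', 'flooded', 'unicast-after-arp']
```

With the assumed defaults, any customer idle for more than the MAC aging time but less than the ARP timeout has its inbound packets flooded to every other port on the VLAN, which is exactly the "denied traffic to addresses we don't own" seen on the SRX; it also shows why the symptom appears across unrelated sites and providers if they all run this topology.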

     



  • 9.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-05-2019 06:46

    Thanks Alex 

     

    I am positive on the flow of the traffic. This traffic is sourced from the public internet and is destined to an address on the public internet that is not in our subnet. This traffic is hitting our SRX and is of course being denied. It was unusual because it is noticed at more than one site, with different circuit providers, and on varying SRXs and Junos versions.



  • 10.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-05-2019 06:51

    Alex

     

    Just a thought.... 

    Wouldn't you presume on the ISP's end that each customer would be segmented into different VLANs/VRFs?



  • 11.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned
    Best Answer

    Posted 02-05-2019 08:02

    Hello,

     


    @dwolcot1 wrote:

    Alex

     

    Just a thought.... 

    Wouldn't you presume on the ISP's end that each customer would be segmented into different VLANs/VRFs?


    It is best practice, yes, but it does not mean it is thoroughly implemented everywhere.

    Throwing in a cheap unmanaged L2 switch with a single default port-based VLAN 1, and assigning a secondary IP subnet per customer to the same single L3 interface on an ISP router, will get one's "cheap as chips DIA" service going in no time, without the need for meticulous planning of VRFs and VLANs. Customers won't be able to connect directly to each other because they are on different subnets, so some isolation is there.

    Also check the dst MAC of those packets: if they are all different/all over the place, and Your FW is in L2 mode, then this is unicast flooding. If the dst MAC is the same as Your SRX/router MAC, then it is misrouting on the ISP's side, likely because an ISP admin mistyped the next hop for some static routes and it now resolves over Your prefixes.

    HTH

    Thx

    Alex

     



  • 12.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-05-2019 08:17

    That's a very good point. If the packets are destined to a MAC address different from your external interface's MAC address, then it is unicast flooding; but if the destination MAC address of the frames is your external interface's MAC address, then the attached device sent it to the SRX because it is configured to do so.
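The dst-MAC check proposed in Alex's answer and confirmed in the reply above can be automated over a capture of the untrust interface. The script below is an added illustration, not code from the thread or from Juniper: it parses tcpdump -e style lines (the layout a `monitor traffic`/tcpdump capture with link-layer headers produces), treats a packet to an address we own as expected, and otherwise classifies it by whether the destination MAC is our interface MAC (ISP routing/next-hop problem) or some other MAC (flooded to us at L2). The sample capture, prefix and MACs are constructed from documentation ranges.

```python
"""Classify denied inbound packets by destination MAC.

dst IP in our prefix          -> 'ours' (expected; policy decides)
dst MAC == our interface MAC  -> 'misrouted-by-isp' (router chose to send it to us)
any other dst MAC             -> 'unicast-flood' (switch flooded someone else's frame)

Added illustration, not code from the thread or from Juniper. The capture
lines, prefix and MACs below are constructed in tcpdump -e style.
"""
import ipaddress
import re
from collections import Counter

OUR_MAC = "00:00:5e:00:53:aa"                            # assumed untrust interface MAC
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/28")]  # assumed prefix we own

# "time srcmac > dstmac, ethertype IPv4 (0x0800), length N: srcip[.port] > dstip[.port]: ..."
LINE_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), ethertype IPv4 \(0x0800\), "
    r"length \d+: (?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

# Constructed sample: one packet to us, one misrouted, two flooded.
SAMPLE_CAPTURE = """\
10:00:01.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:aa, ethertype IPv4 (0x0800), length 74: 198.51.100.7.44321 > 203.0.113.2.22: Flags [S], seq 1, win 64240, length 0
10:00:01.000002 00:00:5e:00:53:01 > 00:00:5e:00:53:aa, ethertype IPv4 (0x0800), length 74: 198.51.100.9.50000 > 203.0.113.200.443: Flags [S], seq 2, win 64240, length 0
10:00:01.000003 00:00:5e:00:53:01 > 00:00:5e:00:53:cc, ethertype IPv4 (0x0800), length 74: 198.51.100.11.40000 > 203.0.113.201.80: Flags [S], seq 3, win 64240, length 0
10:00:01.000004 00:00:5e:00:53:01 > 00:00:5e:00:53:dd, ethertype IPv4 (0x0800), length 60: 198.51.100.12 > 203.0.113.202: ICMP echo request, id 1, seq 1, length 40
"""


def classify(line: str, our_mac: str = OUR_MAC, our_prefixes=OUR_PREFIXES):
    """Return 'ours', 'misrouted-by-isp', 'unicast-flood', or None if the line doesn't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dip"])
    if any(dst in p for p in our_prefixes):
        return "ours"
    # Not an address we own: who put the frame on our wire?
    if m["dmac"].lower() == our_mac.lower():
        return "misrouted-by-isp"   # the router addressed it to us on purpose
    return "unicast-flood"          # addressed to another MAC; the switch flooded it


def summarize(capture: str = SAMPLE_CAPTURE) -> dict:
    """Count classifications over a capture; the dominant bucket points at the cause."""
    return dict(Counter(c for c in (classify(l) for l in capture.splitlines()) if c))


if __name__ == "__main__":
    for line in SAMPLE_CAPTURE.splitlines():
        print(f"{classify(line):18} {line[:60]}...")
    print(summarize())   # {'ours': 1, 'misrouted-by-isp': 1, 'unicast-flood': 2}
```

If the summary is dominated by `misrouted-by-isp`, the evidence to hand the provider is the static or next-hop resolving over your prefix; if it is dominated by `unicast-flood` with many distinct dst MACs, the provider has a shared L2 segment and the fix is on their access design, not on the SRX.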

     

     



  • 13.  RE: Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned

    Posted 02-05-2019 08:25

    Thanks for your input Alex

    I will check the destination MAC addresses.