Ye Ole Probes can be probs

Have you ever come home to find that thieves had emptied your house of everything in it? Maybe you’ve never had the luxury of that experience, but if you’re not blocking countries that aren’t business partners, that’s just what might happen!

Here is a Firewall-Z log showing how attackers increment their source port while probing your network for an opening.  Port 1433 is the SQL Server port (we’re talking database here).

Brazil:

Country  Timestamp        Iface  Rule         ID            Proto  Source (IP:port)        Reverse DNS                      Destination (IP:port)
BR       Apr 22 12:25:55  WAN    SAmerica_v4  (1770002155)  TCP-S  179.111.247.190:49472   179-111-247-190.dsl.telesp.ne…   67.219.201.29:1433
BR       Apr 22 12:25:55  WAN    SAmerica_v4  (1770002155)  TCP-S  179.111.247.190:49471   179-111-247-190.dsl.telesp.ne…   67.219.201.28:1433
BR       Apr 22 12:25:55  WAN    SAmerica_v4  (1770002155)  TCP-S  179.111.247.190:49470   179-111-247-190.dsl.telesp.ne…   67.219.201.27:1433
BR       Apr 22 12:25:55  WAN    SAmerica_v4  (1770002155)  TCP-S  179.111.247.190:49469   179-111-247-190.dsl.telesp.ne…   67.219.201.26:1433
BR       Apr 22 12:25:55  WAN    SAmerica_v4  (1770002155)  TCP-S  179.111.247.190:49468

Notice how they’re incrementing the source port number from 49468 up to 49472.  They’re looking to see whether a lazy admin obscured the inbound port number, which is then translated, or “NAT’d” (Network Address Translation), to the actual SQL port of 1433.  That’s dangerous if you do it!  It’s called “security by obscurity”, which can help, but eventually someone will see through your camouflage and shoot you down!

I didn’t check, but I’m certain they tried all 65 thousand TCP ports; because our firewall is set to block Brazil by default, they aren’t getting in!  Moreover, although we’ve seen it done, we NEVER recommend obscuring and translating ports.  We do run well-known services such as SSH on alternate ports, which is a good practice, but we’d NEVER recommend exposing direct access to a database to the outside in any way.


Here’s another example, from Russia with love!  What this Russian IP is attempting to do is hit an incremental set of destination IPs: for example, 67.219.201.14, 19, 26, 27, 30, 31, and so forth, slowly (or quickly) working their way up the IP address list.  Oddly enough, I looked up what UDP port 123 was and it turns out it’s NTP, the Network Time Protocol.  It looks like the Russians were looking for NTP servers so they can attack them.  Apparently there is some weakness they can exploit and then do interesting things with once they get in, to compromise secure communications.  Everything online relies on ACCURATE CLOCKS!

Country  Timestamp        Iface  Rule       ID            Proto  Source (IP:port)      Reverse DNS  Destination (IP:port)
RU       Apr 22 12:26:58  WAN    Europe_v4  (1770002006)  UDP    185.103.252.85:40793  unknown      67.219.201.19:123
RU       Apr 22 12:26:58  WAN    Europe_v4  (1770002006)  UDP    185.103.252.85:40793  unknown      67.219.201.30:123
RU       Apr 22 12:26:58  WAN    Europe_v4  (1770002006)  UDP    185.103.252.85:40793  unknown      67.219.201.14:123
RU       Apr 22 12:26:58  WAN    Europe_v4  (1770002006)  UDP    185.103.252.85:40793  unknown      67.219.201.27:123
RU       Apr 22 12:26:58  WAN    Europe_v4  (1770002006)  UDP    185.103.252.85:40793  unknown      67.219.201.26:123
RU       Apr 22 12:26:58  WAN    Europe_v4  (1770002006)  UDP    185.103.252.85:40793  unknown      67.219.201.31:123
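The two patterns in the logs above (a source walking its source port against one service port, and a source walking across destination hosts on one port) are easy to pick out automatically. The following is an added example, not Firewall-Z code or the author’s; it parses constructed sample records modelled on the entries above (one record per line, an assumed layout rather than the product’s raw format) and flags both patterns per source IP and destination port.

```python
import re
from collections import defaultdict
# Constructed sample records modelled on the Firewall-Z entries quoted above
# (country, timestamp, interface, rule, protocol, source ip:port, dest ip:port).
SAMPLE_LOG = """\
BR Apr 22 12:25:55 WAN SAmerica_v4 TCP-S 179.111.247.190:49472 67.219.201.29:1433
BR Apr 22 12:25:55 WAN SAmerica_v4 TCP-S 179.111.247.190:49471 67.219.201.28:1433
BR Apr 22 12:25:55 WAN SAmerica_v4 TCP-S 179.111.247.190:49470 67.219.201.27:1433
BR Apr 22 12:25:55 WAN SAmerica_v4 TCP-S 179.111.247.190:49469 67.219.201.26:1433
RU Apr 22 12:26:58 WAN Europe_v4 UDP 185.103.252.85:40793 67.219.201.19:123
RU Apr 22 12:26:58 WAN Europe_v4 UDP 185.103.252.85:40793 67.219.201.30:123
RU Apr 22 12:26:58 WAN Europe_v4 UDP 185.103.252.85:40793 67.219.201.14:123
RU Apr 22 12:26:58 WAN Europe_v4 UDP 185.103.252.85:40793 67.219.201.27:123
US Apr 22 12:27:10 WAN Local_v4 TCP-S 203.0.113.7:51000 67.219.201.20:443
"""

LINE_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) (?P<iface>\S+) (?P<rule>\S+) "
    r"(?P<proto>\S+) (?P<sip>[\d.]+):(?P<sport>\d+) (?P<dip>[\d.]+):(?P<dport>\d+)$"
)

def parse(log):
    """Turn log text into one dict per record; lines that don't match are skipped."""
    recs = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        recs.append(d)
    return recs

def find_sweeps(recs, min_hits=3):
    """Group hits by (source IP, destination port) and flag a run of consecutive
    source ports and/or one source walking across several destination hosts."""
    groups = defaultdict(list)
    for r in recs:
        groups[(r["sip"], r["dport"])].append(r)
    alerts = []
    for (sip, dport), rs in groups.items():
        sports = sorted({r["sport"] for r in rs})
        targets = {r["dip"] for r in rs}
        patterns = []
        if len(sports) >= min_hits and sports == list(range(sports[0], sports[-1] + 1)):
            patterns.append("sequential-source-port")
        if len(targets) >= min_hits:
            patterns.append("destination-ip-sweep")
        if patterns:
            alerts.append({"src": sip, "country": rs[0]["cc"], "dport": dport,
                           "hits": len(rs), "targets": len(targets), "patterns": patterns})
    return alerts
```

On the sample data the Brazilian source is reported for both patterns (its destination hosts step down alongside the source port), the Russian source only for the destination-IP sweep, and the single US connection is not reported at all.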


With Firewall-Z you can do country blocking out of the box.  No licensing, no restrictions, no problems.  Once you lock out countries that are non-business partners, the work isn’t over.  You then need to further shape security so your own country can’t attack you too!

Free hardware and a low monthly subscription are available!
