3 Replies Latest reply on Jun 15, 2015 2:05 PM by levi

    Dos Attack?  Adtran 3448 getting these log, does this means we are being attacked?

    touristsis Visitor

       

      Hi,

       

      Can you help me with this log?  Customer is reporting lots of disconnection issues on the internet.  Anyone know how we can prevent these?

       

      I'm seeing these errors..

       

      Does this mean they are getting hacked by this IP address 91.200.12.21?

       

      t FAILED on portal SSH 0 (91.200.12.21:9981) 

       

      1. 2015.06.08 21:26:21 FIREWALL id=firewall time="2015-06-08 21:26:21" fw=NITROBEECAVES pri=6 rule=13 proto=https src=XX.XX.XX.XX dst=xx.xx.xx.xx msg="Service access request successful Src 52753 Dst 443 from PUBLIC policy-class on interface eth 0/1" agent=AdFirewall 
      2. 2015.06.08 21:26:24 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:28146) 
      3. 2015.06.08 21:26:24 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:53088) 
      4. 2015.06.08 21:26:24 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:45650) 
      5. 2015.06.08 21:26:27 T1.t1 1/1 LIU eq bumped 
      6. 2015.06.08 21:26:31 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:31583) 
      7. 2015.06.08 21:26:33 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:53759) 
      8. 2015.06.08 21:26:34 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:49753) 
      9. 2015.06.08 21:26:34 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:57724) 
      10. 2015.06.08 21:26:34 T1.t1 1/1 LIU eq bumped 
      11. 2015.06.08 21:26:37 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:16698) 

                           

        • Re: Dos Attack?  Adtran 3448 getting these log, does this means we are being attacked?
          marcus Employee

          I've been noticing an increasing number of attacks of the type you are seeing here.  It seems to be a DDoS attack, but it has to be treated as a possible attempt to access the unit as well.  It's best to block them with an access group since this takes pressure off the CPU.  Check out our Guide to Using Access-Groups for the details.  This has to be done by command line; it can't be set up in the GUI.

           

          The access-list you use to block the traffic should look like this:

           

          ip access-list ex BLOCK
          permit tcp host 76.164.174.115 any eq 22
          deny tcp any any eq 22
          permit ip any any

           

          This blocks SSH traffic from all IP addresses except the Adtran IP address but allows all other traffic to flow normally.  If you normally access the unit by SSH from the internet, you can allow other IP addresses in as well, but we want to be as specific as possible so we can stop the rogue traffic.  Once the access-list is set, put 'ip access-group BLOCK in' on your WAN interface.  At that point all SSH traffic not explicitly allowed will be blocked.

           

          We also have a Security Best Practices Guide that is worth checking out.
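
Added example, not part of the original thread and not ADTRAN code: a Python tally of the failed SSH logins in the log posted above, grouped by source address, showing that one host produces a burst of failures within seconds and is the kind of source the access list is meant to shut out. The function names, the threshold and window defaults, and the 192.0.2.10 line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-login line format as quoted in the thread; the optional "N. " prefix
# is the list numbering the forum added in front of each line.
FAILED = re.compile(
    r"^\s*(?:\d+\.\s+)?(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) OPERATING_SYSTEM\.SESSION "
    r"User authentication attempt FAILED on portal SSH \d+ \((\d+\.\d+\.\d+\.\d+):\d+\)")

def failed_logins(lines):
    """Yield (timestamp, source_ip) for each failed SSH login line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S"), m.group(2)

def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each IP with >= threshold failures inside window to its peak count (assumed defaults)."""
    by_ip = defaultdict(list)
    for ts, ip in failed_logins(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Lines 2-8 of the log in the original post, plus one constructed line from
# 192.0.2.10 (documentation address) standing in for a single mistyped password.
SAMPLE = """\
2. 2015.06.08 21:26:24 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:28146)
3. 2015.06.08 21:26:24 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:53088)
4. 2015.06.08 21:26:24 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:45650)
5. 2015.06.08 21:26:27 T1.t1 1/1 LIU eq bumped
6. 2015.06.08 21:26:31 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:31583)
7. 2015.06.08 21:26:33 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:53759)
8. 2015.06.08 21:26:34 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (91.200.12.21:49753)
2015.06.08 21:26:30 OPERATING_SYSTEM.SESSION User authentication attempt FAILED on portal SSH 0 (192.0.2.10:40000)
""".splitlines()

for ip, peak in brute_force_sources(SAMPLE).items():
    print(f"{ip}: {peak} failed SSH logins inside 60 s")
```
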

            • Re: Dos Attack?  Adtran 3448 getting these log, does this means we are being attacked?
              mick Visitor

              I also get the odd attempt, this one from Russia:

               

              015.06.11 19:57:24 FIREWALL id=firewall time="2015-06-11 19:57:24" fw=NV-Office pri=6 proto=22/tcp src=62.76.42.59 dst=XXX.XX.X.XXX msg="No Access Policy matched, dropping packet Src 11532 Dst 22 from Public policy-class on interface ppp 1" agent=AdFirewall

               

              Thankfully I don't have an SSH port open to the Internet.  It's time the NetVanta firmware is updated to include elliptic curves and RSA keys, instead of DSS currently on offer, which has a 1024-bit key size as a default.

              --

              Regards,

              Mick

            • Re: Dos Attack?  Adtran 3448 getting these log, does this means we are being attacked?
              levi Employee

              mick:

               

              I went ahead and flagged "Assumed Answered" on this post to make it more visible and help other members of the community find solutions more easily. If you feel like there is a better answer, feel free to come back to this post and select it with the applicable buttons.  If you have any additional information on this that others may benefit from, please come back to this post to provide an update.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

               

              Thanks,

               

              Levi