    Large Number Of Netprobes???


      I always see a large number of Netprobes from numerous external IPs. I get email alerts all day long. Do others see this as well? I have my attack response set for 50 Netprobes in 30 seconds. Does this seem reasonable? What would others recommend for this? I am just curious what everyone else sees on their firewall and how they handle it. Thanks!

          I would have to say that every device connected to the internet is going to get probed all day long from all locations around the globe, so what you are seeing is not out of the ordinary.


          The defaults for the attack responses may not be good for every environment, so feel free to tweak as necessary. At a certain point, if you get too many emails you are going to stop looking at them and therefore it kinda defeats the purpose of the email, so it sounds like you may want to adjust the threshold.


          If you notice that a few specific IP addresses are doing the probing, then you can try the blackhole option. Just keep in mind that you do have the potential to blackhole legitimate IP addresses, so you really have to pay attention to the configuration.


            I too had this question. However, if you are hosting a website of some type and you know that port 80, or whatever port you have assigned, will be open, then you should only expect traffic on those ports; anything outside of that would be considered a netprobe. I have tested my block and blackhole external netprobe for the last 2 weeks and have excluded a few ports that I know are just too common and basically end up sending me endless messages. However, if you consider that someone may run a port scan and keep switching proxies, then you will get a lot of blackholed netprobe IPs. I have not had any complaints yet from customers, but I figure that if you try to RDP, or, like I have seen, bots, worms etc. trying for port 22 or 23 or even SQL ports, then hey, blackhole them; why waste my CPU cycles. And trust me, I have a load-balancing test cluster and within 5 mins of having it up I had netprobes out of CN and also SMTP blocks on High GTI.


            Welcome to the Intarweb. Everyone is trying to get you.

              Thanks for the info.
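A worked illustration of the tuning discussed in this thread (the "50 Netprobes in 30 seconds" threshold, excluding a known-public port, and the risk of blackholing a legitimate address). This is an added example, not code from any poster or from the firewall vendor; the event format, the addresses (RFC 5737 documentation ranges) and the counts are constructed for the demonstration.

```python
from collections import defaultdict, deque


def evaluate_netprobes(events, threshold=50, window=30, excluded_ports=frozenset()):
    """Sliding-window netprobe counter per source IP.

    events: iterable of (timestamp_seconds, source_ip, dest_port) tuples.
    Returns {source_ip: timestamp} for every source whose probe count reached
    `threshold` inside some `window`-second span, after dropping excluded ports.
    A source is reported once, at the moment the threshold is first crossed.
    """
    recent = defaultdict(deque)
    triggered = {}
    for ts, src, port in sorted(events):
        if port in excluded_ports or src in triggered:
            continue
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > window:      # evict hits older than the window
            hits.popleft()
        if len(hits) >= threshold:
            triggered[src] = ts
    return triggered


def sample_events():
    """Constructed events; the addresses are documentation ranges, not real sources."""
    events = []
    # A port scanner: 60 distinct ports in 20 seconds, a clear netprobe burst.
    events += [(i / 3, "203.0.113.5", 1000 + i) for i in range(60)]
    # A customer behind a flaky proxy retrying the public web port: 55 hits in 27 s.
    events += [(100 + i / 2, "198.51.100.7", 80) for i in range(55)]
    # A slow scanner: one port every 2 seconds, never 50 inside any 30 s window.
    events += [(200 + 2 * i, "192.0.2.9", 1 + i) for i in range(100)]
    return events


def compare_policies():
    """Same events under the default policy and with port 80 excluded."""
    ev = sample_events()
    naive = evaluate_netprobes(ev)                        # every port counts
    tuned = evaluate_netprobes(ev, excluded_ports={80})   # public service port ignored
    return naive, tuned
```

With every port counted, the customer retrying port 80 is blackholed alongside the scanner; excluding the served port keeps the customer out while the fast scanner is still caught, and the slow scanner stays under the 50-in-30-seconds threshold under both policies.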