Brand new Checkpoint firewall. Super powered for the size of my organization. Quite an education. A few days ago I started seeing outbound traffic to a few IPs in China being blocked by my egress rules (good times). The traffic is reverse lookup DNS queries (UDP 53). They happen about 15 times an hour or more. I'm having a very tough time tracking where it's coming from. When I capture DNS, the queries come mostly from the inside interface of the firewall itself. Not always, but mostly. There is no other suspicious traffic. My egress rules are pretty tight and nothing else is trying to get to China. IP spoof? I've fully scanned for malware throughout my office. Solid antivirus/malware protection is resident on every internal machine.

Thoughts?

asked 02 Sep '11, 04:35

cholmes

I've seen similar behaviour on other vendors' appliances. It should help to consider the following things and test (if you can manage to do so for production reasons):

  • Isolate the firewall and see if it's still sending something out to foreign IPs.
  • If it is not possible to isolate it, sniff traffic on both the inside and outside interfaces and really compare ICMP, DNS and related packets to find the trigger.
  • An IP spoof with an inside (RFC 1918?) address would not be useful for WAN connections; double check that.

If detailed questions or comments arise, please provide an email address.

Good luck

(05 Sep '11, 01:29) Landi
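The "sniff both interfaces and compare" step above can be done mechanically: pull the address out of each PTR query seen on the inside interface and look for outside-interface packets involving that address shortly before the query. This is an added example, not code from the question or comment; the two capture excerpts are constructed sample lines in a `time src dst proto info` layout (as you might export with tshark's field output), not real traffic.

```python
"""Correlate reverse-DNS (PTR) queries on one interface with the packets
that may have triggered them on another interface."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample captures (not real data): outside and inside interface,
# same clock. Layout per line: "YYYY-MM-DD HH:MM:SS src dst proto info".
OUTSIDE = """\
2011-09-02 04:30:01 203.0.113.77 198.51.100.10 TCP 50233 > 443 [SYN]
2011-09-02 04:30:02 203.0.113.77 198.51.100.10 TCP 50233 > 443 [SYN]
2011-09-02 04:31:40 192.0.2.55 198.51.100.10 ICMP Echo request
"""
INSIDE = """\
2011-09-02 04:30:03 10.0.0.1 10.0.0.53 DNS Standard query PTR 77.113.0.203.in-addr.arpa
2011-09-02 04:31:41 10.0.0.1 10.0.0.53 DNS Standard query PTR 55.2.0.192.in-addr.arpa
2011-09-02 04:35:00 10.0.0.1 10.0.0.53 DNS Standard query PTR 9.9.9.9.in-addr.arpa
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (.*)$")
PTR = re.compile(r"PTR (\S+)\.in-addr\.arpa")

def parse(text):
    """Return (timestamp, src, dst, proto, info) tuples for well-formed lines."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            rows.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return rows

def ptr_target(info):
    """Turn '77.113.0.203.in-addr.arpa' back into the looked-up address 203.0.113.77."""
    m = PTR.search(info)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(m.group(1).split(".")))))
    except ValueError:  # partial or malformed reverse name
        return None

def correlate(inside_text, outside_text, window=timedelta(seconds=10)):
    """Map each looked-up address to the outside packets involving it within
    `window` before the PTR query. An empty list means nothing seen on the
    outside interface explains that lookup in the window."""
    outside = parse(outside_text)
    result = {}
    for ts, _src, _dst, proto, info in parse(inside_text):
        target = ptr_target(info) if proto == "DNS" else None
        if target is None:
            continue
        hits = [o for o in outside if ts - window <= o[0] <= ts and target in (o[1], o[2])]
        result.setdefault(target, []).extend(hits)
    return result
```

Run `correlate(INSIDE, OUTSIDE)` on the samples: the first two lookups each line up with an inbound packet from the looked-up address a second or two earlier, while the third has no candidate trigger and is the one worth chasing on the firewall itself.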
question asked: 02 Sep '11, 04:35

question was seen: 3,087 times

last updated: 05 Sep '11, 01:29