This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Dealing with Threat Alerts?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Dealing with Threat Alerts?

Go to solution
OMatlock
L4 Transporter

‎10-23-2017 06:50 AM

Hi Folks,

 

We have Critical Threat Alerts emailed to us and usually its every couple of days we get a few alerts, mostly Apache Struts Jakarta.  But over the last 4-5 days there has been a significant increase in threat alerts.  60-100 emails per day, same IP address in groups of ~10.  We are using default vulnerability protection profile and default action (reset-both). 

 

Since the increase in alerts, our management gets concerned asking if there is a problem.  I talked to support and assured me that firewall is doing its job, its just an increase in attack attempts, and is common.

 

I've considered creating a new security rule at the top to keep a running list of source IP address with a deny action, but that sounds like a lot of manual administration.

 

I'm curious if anyone in the community has comments about receiving alerts or how they handle an increase in attacks?

Is it common, just deal with it?  Do folks filter out certain threat emails or stop critical threat email alerts all together?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎10-23-2017 01:27 PM

Hello,

What we did was set the policies to block for the max time of 3600 seconds. That way the attacker takes a lot longer to figure out they are denied.

 

The other thing you could try is to set the policy to reset client. Since the attack is coming from the external "server", only your servers connection gets reset and theirs has to time out. Basically forcing their connection to stay open and bleeing their resources and not yours.

 

I would also love to hear others thoughts on this.

 

Regards,

View solution in original post

0 Likes Likes
11 REPLIES 11

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎10-23-2017 01:27 PM

Hello,

What we did was set the policies to block for the max time of 3600 seconds. That way the attacker takes a lot longer to figure out they are denied.

 

The other thing you could try is to set the policy to reset client. Since the attack is coming from the external "server", only your servers connection gets reset and theirs has to time out. Basically forcing their connection to stay open and bleeing their resources and not yours.

 

I would also love to hear others thoughts on this.

 

Regards,

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite

‎10-23-2017 02:00 PM

@OMatlock,

You really should have an automated response setup that can read these events and block the source IPs at a set threshold. While @OtakarKlier's solution is a good first step, it isn't really recommend to just live with the IPs attacking your network. Setup an automated response that puts these indicated addresses into a deny rule and just block them all together. MineMeld can help with this, otherwise their are plenty of other possible solutions. 

0 Likes Likes

Go to solution
OMatlock
L4 Transporter
In response to BPry

‎10-24-2017 11:39 AM

Thank you guys for the feedback.

 

 @Otakar.Klier

 

We are currently using default vulnerability profile.

vulnerability1.jpg

 

When you say block action, do you mean Block IP like this?  Does that reduce the alert emails?

 

vulnerability2.jpg

 

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to OMatlock

‎10-24-2017 12:26 PM

@OMatlock,

The setting you have displayed would block the IP that triggered that critical threat alert for 3600 seconds. That will stop you from recieving another alert for that time period, but if you have IPs continually launching attacks against your network you would still recieive alerts when that window has passed. 

0 Likes Likes

Go to solution
OMatlock
L4 Transporter
In response to BPry

‎10-24-2017 12:37 PM - edited ‎10-24-2017 12:37 PM

BPry

 

Thank you again (I am still learning).  The alerts and traffic log indicates that the attacks occur within a couple of minutes and then a different IP (group) comes.  Would blocking the IP for this duration (1 hour) at least give some relief, assuming the attacks stay like they currently are (within minutes and then stops)?

 

I agree, ideally need to come up with an automatically updated IP deny rule.

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to OMatlock

‎10-24-2017 01:24 PM

It would certaintly help. Keep in mind that IP Spoofing is a thing though, and what you are describing is typical of someone employing a botnet. 

0 Likes Likes

Go to solution
OMatlock
L4 Transporter
In response to BPry

‎10-24-2017 01:32 PM

BPry

 

Thank you so much for your responses, as I continue to learn new everyday.  🙂

 

Just to confirm.  For this example, since these two IP threats came in consecutively and then stops, I should only receive two alerts (1 for each IP) instead of a whole bunch of them by employing this new Block IP setting?  (For at least the hour)

 

That's the idea right?  Making more sense to me.

 

firewallthreats.jpg

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to OMatlock

‎10-25-2017 06:24 AM

@OMatlock,

Correct. 

Go to solution
Tician
L3 Networker
In response to OMatlock

‎11-01-2017 03:24 AM

Hi,

 

I'm not sure is this quite correct if you live this host type to server? If you filter your traffic logs for attacker address, you will see that it is client side of connection. So any attacker which initiate connection to your exposed resource (ex. web server...), is considered as client and stateful firewall marked it as client side of session. 

When replicate that on this policy setting it should be client host type, isn't it? 

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to Tician

‎11-01-2017 05:43 AM

@Tician

Out of curiosity why would you want to close the client side by a reset? If you force the potential attacker to leave its connection open, but you close the servers connection, then you save resources on your end but cause the attacker to increase their resources. 

0 Likes Likes

Go to solution
Tician
L3 Networker
In response to BPry

‎11-01-2017 06:06 AM

@BPry

 

yes you're completely right, it is good to reset server connections in this case, so what should be scenario where you suggest to use reset client  connections instead?

0 Likes Likes
  • 1 accepted solution
  • 5172 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks