Strange security center "reverse" attacks?

Solved
Frank-NL
Getting noticed

Hi,

Lately we have been seeing a lot of Snort blocks of traffic which seems to be 'reversed'. With no specific NAT rules configured it seems that internet hosts are able to reach internal clients on specific ports. For example:

Source: 84.54.51.37:49716 Destination: 192.168.x.222:80 TP-Link Archer Router command injection attempt

How is this possible? Is the reporting wrong maybe?

Thanks,

Frank

1 Accepted Solution
Frank-NL
Getting noticed

Closing the topic, as this was a pure mistake in observation/perception as the client name and OS were wrongly classified. The client IP was actually configured in a NAT rule for forwarding.

Thanks

5 Replies 5
ww
Kind of a big deal

Have you enabled early access: NAT Exceptions with Manual Inbound Firewall?

Frank-NL
Getting noticed

Nope

Brash
Kind of a big deal

Not a definitive answer, but if you don't have any DNAT rules configured, and manual inbound firewall is disabled, I'd be concerned that the device (192.168.x.222) may already be compromised.
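
The check that settled this thread, as an added example (not code from the thread or from Meraki): it parses alert lines in the layout quoted in the question and compares each inbound destination against a port-forwarding table. The rule table, the helper names and the sample addresses are constructed assumptions; an inbound alert with no matching forward is the case the reply above treats as a possible compromise.

```python
import ipaddress
import re

# Alert layout as quoted in the thread:
#   "Source: ip:port Destination: ip:port <signature text>"
ALERT_RE = re.compile(
    r"Source:\s*(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"Destination:\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<sig>.+)"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed port-forwarding table (assumption); export the real one
# from the firewall configuration before relying on the verdicts.
FORWARDS = [
    {"name": "web-fwd", "lan_ip": "192.168.1.222", "lan_port": 80},
]

def is_lan(ip):
    """True when the address is in an RFC 1918 range."""
    return any(ip in net for net in RFC1918)

def classify(alert_line, forwards=FORWARDS):
    """Return (verdict, detail) for one IDS alert line."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return ("unparsed", None)
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    # Only internet -> LAN alerts are the "reversed" traffic in question.
    if is_lan(src) or not is_lan(dst):
        return ("not-inbound", None)
    for rule in forwards:
        if ipaddress.ip_address(rule["lan_ip"]) == dst and rule["lan_port"] == dport:
            return ("explained-by-forward", rule["name"])
    # Inbound to a LAN host with no forward: verify config, then the host.
    return ("investigate", f"{dst}:{dport}")

# Constructed sample alerts (documentation address 203.0.113.10 as the source).
SAMPLES = [
    "Source: 203.0.113.10:49716 Destination: 192.168.1.222:80 TP-Link Archer Router command injection attempt",
    "Source: 203.0.113.10:50001 Destination: 192.168.1.50:80 TP-Link Archer Router command injection attempt",
    "Source: 192.168.1.50:40000 Destination: 203.0.113.10:443 constructed outbound signature",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

A line with a masked octet, like the one quoted in the question, comes back as `unparsed`, so feed it the unredacted alert export.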
