 
Dufol
just joined
Topic Author
Posts: 10
Joined: Mon Jan 23, 2006 6:33 pm

Problem with flooding IP-Firewall-Connections

Mon Jan 23, 2006 6:54 pm

Hi, I have a problem with flooding connections on my network with 60 PCs.
In MT IP-Firewall-Connections I can see 1000 or more connections like this:
Src address Dst address
192.168.1.64:135 192.168.1.59:2701 tcp
192.168.1.64:135 192.168.1.59:2917
192.168.1.64:135 192.168.1.59:2868
.....
192.168.1.57:4554 192.168.1.59:135
192.168.1.57:3535 192.168.1.59:135
.....
192.168.1.57:4304 192.168.1.62:135
192.168.1.57:3318 192.168.1.62:135
.....
192.168.1.58:4930 192.168.1.59:135
..... and etc
In the moment 400 connections will be closed and opened again.
On my PC with MT, the CPU load goes along at 3-4% and suddenly 12-20%
when 200-300 connections are closed or opened.
I turned off the PCs with IP 192.168.1.57,59,62 but again the same problem.
What is port 135 for?
Why is the destination IP a PC on the same network?
I scanned these PCs but I can find no threats!!?

Thx
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Mon Jan 23, 2006 10:51 pm

Port 135 is MS RPC service.

Google search shows Nachi or MSBlast to be most likely culprits.

http://www.linklogger.com/TCP135.htm

I suggest that you block all outbound traffic from your network to dst-port 135 now while you get this sorted.

Regards

Andrew
 
Dufol
just joined
Topic Author
Posts: 10
Joined: Mon Jan 23, 2006 6:33 pm

Tue Jan 24, 2006 6:03 pm

Thx Andrew
I downloaded the Malicious Software Removal Tool
from Microsoft but it seems my PCs are clean.
So I did a lot of reading about DCOM and I disabled it.
Also in MT Firewall I put a Filter Rule
Action--drop DstAddress 0.0.0.0/0:135-139
so I can see that now my MT is in better shape.

Thx for help
 
andrewluck
Forum Veteran
Posts: 702
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Wed Jan 25, 2006 8:41 pm

I wouldn't just rely on the MS tool. Some of the AV vendors offer online scanning (e.g. Trend). I would scan some of your PCs using those services.

Also, and this is very important, ensure that all MS patches have been applied to your PCs.

Port 445 is also abused in this manner so it's definitely worth blocking that as well.

Regards

Andrew
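
An added example, not part of any post in this thread: a small triage script that reads connection entries in the layout pasted in the first post and ranks which PCs open port 135/445 connections to the most peers, so those machines are scanned and patched first. It assumes the side using port 135 or 445 is the server and the other side is the client; the sample lines and the `min_targets` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

WATCHED_PORTS = {135, 445}  # the two ports named in the thread

# Constructed sample in the "src:port dst:port [proto]" layout of the first post.
SAMPLE = """\
192.168.1.64:135 192.168.1.59:2701 tcp
192.168.1.57:4554 192.168.1.59:135
192.168.1.57:3535 192.168.1.59:135
192.168.1.57:4304 192.168.1.62:135
192.168.1.57:3318 192.168.1.62:135
192.168.1.58:4930 192.168.1.59:135
192.168.1.57:4410 192.168.1.60:445 tcp
.....
"""

LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)(?:\s+\w+)?\s*$")

def parse(text):
    """Yield (src_ip, src_port, dst_ip, dst_port); skip headers and '.....' lines."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def initiators(text, ports=WATCHED_PORTS):
    """Map each client IP to its connection count and the set of servers it contacted."""
    stats = defaultdict(lambda: {"conns": 0, "targets": set()})
    for src, sport, dst, dport in parse(text):
        # Assumption: the endpoint on a watched port is the server side.
        if dport in ports:
            client, server = src, dst
        elif sport in ports:
            client, server = dst, src
        else:
            continue
        stats[client]["conns"] += 1
        stats[client]["targets"].add(server)
    return dict(stats)

def suspects(text, min_targets=2):
    """Return (ip, connections, distinct_targets) for wide fan-out clients, busiest first."""
    hits = [(ip, v["conns"], len(v["targets"]))
            for ip, v in initiators(text).items() if len(v["targets"]) >= min_targets]
    return sorted(hits, key=lambda h: (-h[2], -h[1], h[0]))
```

A workstation that contacts many different peers on these ports is the one to isolate and scan first; a file server or domain controller receiving such connections from many clients is normal and will not appear in this list because it is counted as the server side.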
