Attack from My Public IP

Fandi Kurnia Lv1Posted 2023-Dec-22 01:27

Hi,

We have a problem with the NGAF attack from our internal IP Public, which means internal IP Public Outgoing detect our internal IP Private.
How to now about the mac address and who from internal VM Linux attack from another url?

Thanks

Newbie517762 has solved this question and earned 10 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

Hi,

Analyze the firewall logs for the public IP to find the attack's source IP.
Also, check the "Web Application Protection_Best Practice" link.
This attack protection includes application hiding, password protection, privilege control, data leak prevention, HTTP request anomaly detection, and scanner blocking.
Is this answer helpful?
Farina Ahmed Lv5Posted 2023-Dec-30 17:53
  
To identify the MAC address associated with the internal IP Public and track the source of the NGAF attack originating from a VM on Linux, you can utilize various network monitoring tools like Wireshark or tcpdump to capture network traffic. Begin by filtering traffic based on the internal IP Public address to analyze the packets being transmitted. Look for patterns indicative of the attack and cross-reference them with the MAC address associated with that IP within your network's ARP (Address Resolution Protocol) cache or by using ARP scanning tools. Additionally, examining the logs of your Linux VMs, checking system logs or specific application logs might reveal suspicious activities or connections to external URLs, aiding in pinpointing the source of the attack.
jerome_itable Lv3Posted 2023-Dec-28 09:45
  
I can give you some ideas and advice on how to address the NGAF attack, incorporating insights from your information and best practices:

Understanding the Attack:

    NGAF Attack: A type of attack that targets Next-Generation Application Firewalls (NGAFs) to bypass security measures.
    Internal IP Public Outgoing: Your network's publicly routable IP address used for outgoing traffic.
    Internal IP Private: A non-routable IP address used within your internal network.
    Internal VM Linux: A Linux virtual machine running on your internal network.
    Attack from another URL: The attack originates from a different URL, suggesting a compromised internal system or a malicious actor within your network.

Steps to Identify the Attacker:

    Review NGAF Logs:
        Scrutinize NGAF logs for detailed information about the attack, including:
            Time and date of attack
            Source IP address (likely the internal VM Linux)
            Destination IP address or URL
            Attack type
            Any logged MAC addresses

    Check Network Device Logs:
        Examine logs from routers, switches, and firewalls for additional clues, such as:
            MAC address to IP address mappings
            Traffic patterns
            Any anomalies or suspicious activity

    Analyze VM Logs:
        Inspect logs within the suspected VM for signs of compromise or malicious activity, including:
            Unusual processes
            Unexpected network connections
            System modifications

    Utilize Network Monitoring Tools:
        Employ tools like Wireshark or tcpdump to capture and analyze network traffic in real-time.
        Filter traffic to isolate the VM's activity and identify the target URL.

    Correlate Information:
        Piece together information from various sources to pinpoint the attacker's MAC address and identity.
        Cross-reference MAC addresses with VM inventory and user assignments.

Additional Recommendations:

    Isolate the Compromised VM: Disconnect the suspected VM from the network to prevent further damage.
    Preserve Evidence: Secure logs and any relevant data for forensic analysis.
    Engage Security Experts: Consult with IT security professionals for comprehensive investigation and remediation.
    Implement Strong Security Measures:
        Regularly update NGAF and other security software.
        Enforce strict access controls and password policies.
        Monitor network activity for anomalies.
        Educate users on cybersecurity best practices.
mdamores Posted 2023-Dec-27 11:54
  
seems like you are experiencing Network Spoofing or Network Gateway Anti-Bypass attach from your internal network. Below are some of the steps to help you identify the MAC address and trace the source of the attack.

1. Check the logs on your firewall and look for any suspicious activities. Inspect as well the logs of the affected VMs for any unusual or unauthorized activities
2. Use network monitoring tools like wireshark to capture and analyze network traffic from there you may look for patterns that might indicate attack.
3. check the ARP tables on your network devices to show the mapping between IP addresses and MAC addresses. Try using the "arp" command on Linux to view ARP table
4. review firewall rules to see any rules that might allow unauthorized access.
5. Check alerts from your IDS, if you have any
6. isolate affected systems to avoid further damage
7. investigate your Lunux VMs and check all the running processes, network connectivity, and any unusual configurations
8. change login credentials
Adam Suhail Lv1Posted 2023-Dec-27 10:13
  
Probably Botnet , Suggested to analyze on the SOC section and try to pinpoint the attacker and create rule/ apply security to deny that specific attack
Enrico Vanzetto Lv4Posted 2023-Dec-27 01:12
  
hi, i investigate further on your environment in order to find out if you have some asset inventory software that might scan your assets (like Lansweeper for example). After that, i can create a dedicated waf rule to intercept this unwanted scan and to gather more details about the internal host that perform these scan.
ArsalanAli Lv3Posted 2023-Dec-26 17:38
  
You should configure the DDOS policy
also uncheck the PING from your WAN interface setting.
Imran Tahir Lv4Posted 2023-Dec-26 17:08
  
Add the attackerIP in black list
Fandi Kurnia Lv1Posted 2023-Dec-22 12:11
  
Time: 20231222 09:22:18 Device(gateway ID:0E7867F4) detects WAF alert, Src IP:120.29.x.x  Dst IP:192.168.112.55 Attack type: Website scan Severity: Medium URL/Directory: example id/cgi-bin/ Port: 80 Description: Website-based attack is detected. Type:Website scan


120.29.x.x

MY TOPOLOY
CORE ROUTER -> SANGFOR NGAF (BRIDGE MODE) -> SANGFOR IAM (BRIDGE MODE) -> OUR CORE SWITCH
Darjo Lv1Posted 2023-Dec-22 02:49
  
could you describe more, or mayber can provide the capture

I Can Help:

Change

Moderator on This Board

11
8
5

Started Topics

Followers

Follow

1
3
5

Started Topics

Followers

Follow

0
4
5

Started Topics

Followers

Follow

67
20
3

Started Topics

Followers

Follow

3
14
3

Started Topics

Followers

Follow

1
138
3

Started Topics

Followers

Follow

Board Leaders