This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Outbound traffic to China

0

Brand new Checkpoint firewall. Super powered for the size of my organization. Quite an education. A few days ago I started seeing outbound traffic to a few IPs in China being blocked by my egress rules (good times). The traffic is reverse lookup DNS queries (UDP 53). They happen about 15 times an hour or more. I'm having a very tough time tracking where it's coming from. When I capture DNS, the queries come from mostly the inside interface of the firewall itself. Not always, but mostly. There is no other suspicious traffic. My egress rules are pretty tight and nothing else is trying to get to China. IP spoof? I've fully scanned for malware throughout my office. Solid antivirus/malware is resident on every internal machine.

Thoughts?

asked 02 Sep '11, 04:35


cholmes
1111
accept rate: 0%

I've seen similar behaviour on other vendors' appliances. It should help to consider the following things and test (if you can manage to do so for productive reasons):

  • Isolate the fw and see if it's still sending something out to foreign IPs
  • If it's not possible to isolate, sniff traffic on both inside and outside interfaces and really compare ICMP, DNS and related packets to find the trigger
  • IP spoofing with an inside (RFC 1918?) address would not be useful for WAN connections; double check that

If detailed questions or comments arise, please provide an email address.

Good luck

(05 Sep '11, 01:29) Landi
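The second suggestion above (capture on both interfaces and compare the DNS packets against surrounding traffic to find the trigger) can be automated. The script below is an added example written for this archive, not code from the thread or from Checkpoint or Wireshark. It assumes two captures exported with `tshark -T fields` using the fields `frame.time_epoch`, `ip.src`, `ip.dst`, `udp.dstport`, `tcp.dstport`, `dns.flags.response`, `dns.qry.type` and `dns.qry.name` (tab-separated, one frame per line), decodes each outbound PTR query back to the address being looked up, and reports whether that address appeared as a flow peer shortly before the query. The embedded capture lines, the addresses (documentation and RFC 1918 ranges) and the five-second window are constructed for the demonstration.

```python
"""Correlate outbound DNS PTR queries with the flows that may have triggered them.

Added example for the ask.wireshark.org thread; all capture data below is constructed.
Assumed input format: `tshark -r cap.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst
  -e udp.dstport -e tcp.dstport -e dns.flags.response -e dns.qry.type -e dns.qry.name`
"""
from collections import Counter, namedtuple
import ipaddress

FIELDS = ("time", "src", "dst", "udp_dport", "tcp_dport", "dns_resp", "qtype", "qname")
Record = namedtuple("Record", ("iface",) + FIELDS)


def parse_tshark_lines(iface, text):
    """Turn tab-separated tshark field output into Record tuples tagged with the capture interface."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip rather than guess
        records.append(Record(iface, float(parts[0]), *parts[1:]))
    return records


def ptr_to_ip(qname):
    """Decode '45.113.0.203.in-addr.arpa' -> '203.0.113.45'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    name = qname.rstrip(".").lower()
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def is_ptr_query(rec):
    """Outbound query (not a response) for record type 12 (PTR) to UDP port 53."""
    return rec.udp_dport == "53" and rec.dns_resp in ("0", "False", "") and rec.qtype == "12"


def correlate(records, window=5.0):
    """For each PTR query, find the most recent non-DNS flow involving the looked-up address."""
    records = sorted(records, key=lambda r: r.time)
    findings = []
    for rec in records:
        if not is_ptr_query(rec):
            continue
        target = ptr_to_ip(rec.qname)
        if target is None:
            continue
        candidates = [
            f for f in records
            if not f.qname                      # ignore DNS traffic itself
            and 0 <= rec.time - f.time <= window
            and target in (f.src, f.dst)
        ]
        trigger = candidates[-1] if candidates else None
        findings.append({
            "time": rec.time,
            "iface": rec.iface,
            "querier": rec.src,
            "resolver": rec.dst,
            "looked_up": target,
            "trigger": f"{trigger.iface}:{trigger.src}->{trigger.dst}" if trigger else None,
        })
    return findings


def queries_per_host(findings):
    """Which internal address is sourcing the PTR lookups (firewall itself vs. a client)."""
    return dict(Counter(f["querier"] for f in findings))


def _line(*fields):
    return "\t".join(fields)


# Constructed sample: an inbound TCP/443 attempt from 203.0.113.45 hits the firewall's
# outside address, and 350 ms later the firewall's inside address sends a PTR query
# for that address to an external DNS server. A second PTR query has no preceding flow.
OUTSIDE_CAPTURE = "\n".join([
    _line("1000.000", "203.0.113.45", "198.51.100.2", "", "443", "", "", ""),
])
INSIDE_CAPTURE = "\n".join([
    _line("1000.350", "10.0.0.1", "203.0.113.200", "53", "", "0", "12", "45.113.0.203.in-addr.arpa"),
    _line("1001.000", "10.0.0.25", "10.0.0.53", "53", "", "0", "1", "www.example.com"),
    _line("1300.000", "10.0.0.25", "10.0.0.53", "53", "", "0", "12", "8.8.8.8.in-addr.arpa"),
    _line("1300.040", "10.0.0.53", "10.0.0.25", "51515", "", "1", "12", "8.8.8.8.in-addr.arpa"),
])


def analyse_sample():
    recs = parse_tshark_lines("outside", OUTSIDE_CAPTURE) + parse_tshark_lines("inside", INSIDE_CAPTURE)
    return correlate(recs)


if __name__ == "__main__":
    results = analyse_sample()
    for f in results:
        print(f"{f['time']:.3f} {f['iface']} {f['querier']} -> {f['resolver']} PTR {f['looked_up']}: "
              f"trigger={f['trigger']}")
    print("PTR queries per source host:", queries_per_host(results))
```

A PTR query whose trigger is an inbound flow on the outside interface points at the appliance resolving peer addresses (for example for log enrichment) rather than at a compromised host; a query with no trigger in the window, or one sourced by a client address, is the one worth chasing further. Run the real captures through the same parser by replacing the two constructed strings with the `tshark -T fields` output.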