Asus AC3100 Port Block Issue

blackhat840

New Around Here
Hello everyone,

I am a long-time lurker here and decided to sign up today as I'm having an issue that I can't seem to resolve. We are getting AUP Violation notices from our ISP about a local LDAP server that is being used for reflection attacks on other servers. Apparently our IP is spoofed: our server treats the packet we received as good and sends a response back to the victim server.

We've been having this issue for 45 days or so and I've tried everything from blocking the port on the actual server to configuring Network Services Filter within our ASUS router to also block any traffic on port 389 TCP and UDP. However, the victim is stating that they can still connect to our server using a one-liner from within Linux and that the port is indeed not blocked...

Any advice as to how I should set this up on our ASUS would be great.
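A defender-side way to check the situation described in this post, added here as an example and not part of the thread: look at flow or firewall records for UDP traffic on port 389 and flag every response the LDAP server sent to an address outside the networks you consider internal (the LAN and the inter-office VPN). Reflection only works over UDP, because the spoofed source has no way to complete a TCP handshake, so only UDP is examined. The internal prefixes, the LDAP server address and the flow records below are constructed sample values, not the poster's real network.

```python
"""Flag UDP LDAP (port 389) responses the server sends to external addresses.

From the reflector's side, participation in a reflection attack looks like
short requests arriving "from" the victim and much larger responses going
back to it; this script groups those per external peer from flow records.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Union

# Assumed internal address space: the office LAN plus the inter-office VPN.
# Hypothetical values, not the networks from the thread.
INTERNAL_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.8.0.0/24"),
]
LDAP_SERVER = ipaddress.ip_address("192.168.1.10")  # assumed LDAP host
LDAP_PORT = 389

# Constructed flow records (proto,src,sport,dst,dport,bytes), similar to a
# firewall or NetFlow export. 203.0.113.5 plays the spoofed victim.
SAMPLE_FLOWS = """\
udp,203.0.113.5,53217,192.168.1.10,389,52
udp,192.168.1.10,389,203.0.113.5,53217,3100
udp,192.168.1.25,50011,192.168.1.10,389,60
udp,192.168.1.10,389,192.168.1.25,50011,2400
tcp,10.8.0.7,44812,192.168.1.10,389,310
tcp,192.168.1.10,389,10.8.0.7,44812,1500
udp,203.0.113.5,53217,192.168.1.10,389,52
udp,192.168.1.10,389,203.0.113.5,53217,3100
"""


def parse_flows(text: str) -> List[dict]:
    """Parse CSV flow lines into dicts; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, nbytes = line.split(",")
        flows.append({
            "proto": proto.lower(),
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_external(ip: Union[str, ipaddress.IPv4Address, ipaddress.IPv6Address]) -> bool:
    """An address is external if it falls in none of the internal networks."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return not any(ip in net for net in INTERNAL_NETS)


def find_reflection(flows: List[dict], server=LDAP_SERVER, port=LDAP_PORT) -> List[dict]:
    """Per external peer, count UDP LDAP requests claiming to come from it and
    responses the server sent back to it; report peers that got responses."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "request_bytes": 0, "responses": 0, "response_bytes": 0})
    for f in flows:
        if f["proto"] != "udp":
            continue  # TCP cannot be reflected: the spoofed source never completes the handshake
        if f["dst"] == server and f["dport"] == port and is_external(f["src"]):
            s = stats[str(f["src"])]
            s["requests"] += 1
            s["request_bytes"] += f["bytes"]
        elif f["src"] == server and f["sport"] == port and is_external(f["dst"]):
            s = stats[str(f["dst"])]
            s["responses"] += 1
            s["response_bytes"] += f["bytes"]
    findings = []
    for peer, s in stats.items():
        if s["responses"] == 0:
            continue  # requests that got no answer mean the filtering is working
        amp = s["response_bytes"] / s["request_bytes"] if s["request_bytes"] else float("inf")
        findings.append({"victim": peer, **s, "amplification": amp})
    return sorted(findings, key=lambda x: x["response_bytes"], reverse=True)


if __name__ == "__main__":
    for hit in find_reflection(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['victim']}: {hit['responses']} UDP/389 responses, "
              f"{hit['response_bytes']} bytes out, amplification x{hit['amplification']:.1f}")
```

A hit here means the server did answer an outside address on UDP 389, whichever firewall was supposed to stop it; no hits while the victim still reports traffic from your IP points at the spoofing-by-a-third-party explanation. A port scanner reporting UDP 389 as "filtered" does not settle the question, since an unanswered UDP probe looks the same whether the port is blocked or the service simply ignored the probe.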
 
You seem to know the IP address of the victim? So have you tried using Network Services Filter to block all traffic to that IP address rather than just port 389?
 
So try blocking that then.

I'm rather confused as to where this LDAP server is located. Is it on your LAN? Surely you don't have an LDAP server exposed to the internet :eek:?
 
Nope, port 389 has been blocked at the network edge for 3+ years on both TCP and UDP. The LDAP server is local to my LAN and the inter-office VPN for a few offsite offices. That is where the issue lies: every port scanner I've used shows them blocked. Wireshark is not showing any nefarious traffic either...
 
What are you using as a firewall? You're posting in the Asus forum but it doesn't sound like you're using one of their products.
 
To my knowledge, this business has been using the built-in windows firewall within their Windows Server 2008 R2 server as well as the firewall built into the ASUS Router. I get pulled in when issues like this arise, otherwise, I don't see this customer often as it just works.
 
So when you say "port 389 has been blocked at network edge" what device is that happening on? Is there a specific rule for port 389?
 
I'm back! So sorry about the delay ColinTaylor, it's blocked within the ASUS router under the Network Service Filter. This business does not have a physical firewall between the LDAP and router. The port has a rule on the 2012 R2 server to block any outside traffic from accessing port 389; the rule is set up to only allow local traffic within the LAN. It's also blocked under Network Service Filter on their Asus device, however per another AUP violation received this weekend, we are still getting these notices that our LDAP server is accessible outside of our network.
 
TBH I'm finding this hard to believe (the attack, not your description). Windows firewall should block everything that doesn't originate on the LAN. The router's firewall will block all unsolicited incoming traffic by default. And you're blocking outgoing traffic with Network Services Filter.

So unless the attack is coming from within your LAN or the "inter-office VPN" I would say it's impossible. Maybe somebody else on the internet is spoofing your IP address and it's nothing to do with you at all!

"However, the victim is stating that they can still connect to our server using a one-liner from within linux and that the port is indeed not blocked..." Ask them to provide screenshots of this that show the commands they're using as well as the destination IP address and ports. A traceroute from their system to yours would be useful. Maybe it's their system that has been compromised, not yours.
 
Can I PM you directly?
 
