Question : Sonicwall TZ170 TCP, ICMP, and UDP packet from LAN / WAN Drop

Yesterday, I started to receive multiple UDP packet drops. Spoke with Sonicwall support, who had me upgrade the firmware to 3.1.0.15 Standard OS. Then things got more interesting. I started to see more packet drops with ICMP, TCP, and UDP. This happened all of a sudden after the Sonicwall rebooted itself. Please look at the partial log below and let me know what could be the problem. 192.168.5.2 is a Windows 2003 server running DNS, RRAS, and file server. I can't see anything wrong with the server, nor are any users having problems at this time. This is not a critical situation but more towards knowing what is going wrong here.




Problem: What can I do to fix this issue?

Cause: Yesterday the Sonicwall TZ170 rebooted itself without cause (on battery backup - no power outage occurred).


Sample LOG

02/16/2006 06:31:21.016 -       IPS Prevention Alert: POLICY SMTP Relay Denied, SID: 521, Priority: Low -       192.168.5.3, 25, LAN -  59.104.100.207, 4711, WAN -    
02/16/2006 06:31:58.128 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3348, LAN -        UDP Port:  3348
02/16/2006 06:32:14.448 -       ICMP packet dropped -   63.65.16.205, 3, WAN, 870.ATM1/0.GW2.CHI1.alter.net -   63.87.53.146, 1, WAN -  ICMP Type:   3, Code:   1
02/16/2006 06:33:06.368 -       ICMP packet dropped -   63.65.16.205, 3, WAN, 870.ATM1/0.GW2.CHI1.alter.net -   63.87.53.146, 1, WAN -  ICMP Type:   3, Code:   1
02/16/2006 06:33:10.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3357, LAN -        UDP Port:  3357
02/16/2006 06:33:12.048 -       Web management request allowed -        192.168.5.34, 1191, LAN -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:33:27.592 -       Administrator login allowed -   192.168.5.34, 0, LAN (admin) -  192.168.5.1, 80, LAN -  admin, TCP Web (HTTP)
02/16/2006 06:34:28.128 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3423, LAN -        UDP Port:  3423
02/16/2006 06:34:29.816 -       Web management request allowed -        192.168.5.34, 1292, LAN (admin) -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:35:36.576 -       Web management request allowed -        192.168.5.34, 1344, LAN (admin) -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:35:43.288 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3439, LAN -        UDP Port:  3439
02/16/2006 06:36:41.176 -       TCP connection dropped -        83.37.129.100, 16397, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 06:37:09.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3448, LAN -        UDP Port:  3448
02/16/2006 06:37:16.256 -       Web management request allowed -        192.168.5.34, 1375, LAN (admin) -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:38:14.032 -       TCP connection dropped -        83.37.129.100, 16732, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 06:38:14.048 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3460, LAN -        UDP Port:  3460
02/16/2006 06:38:26.672 -       Web management request allowed -        192.168.5.34, 1436, LAN (admin) -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:39:07.256 -       Administrator logged out -      192.168.5.34, 0, LAN (admin) -  192.168.5.1, 80, LAN -  admin, TCP Web (HTTP)
02/16/2006 06:39:39.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3466, LAN -        UDP Port:  3466
02/16/2006 06:40:57.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3473, LAN -        UDP Port:  3473
02/16/2006 06:42:09.128 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3488, LAN -        UDP Port:  3488
02/16/2006 06:44:08.704 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3494, LAN -        UDP Port:  3494
02/16/2006 06:45:11.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3501, LAN -        UDP Port:  3501
02/16/2006 06:46:15.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3513, LAN -        UDP Port:  3513
02/16/2006 06:47:55.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3516, LAN -        UDP Port:  3516
02/16/2006 06:49:27.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3522, LAN -        UDP Port:  3522
02/16/2006 06:49:36.688 -       TCP connection dropped -        83.37.129.100, 19491, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 06:50:35.128 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3538, LAN -        UDP Port:  3538
02/16/2006 06:51:47.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3544, LAN -        UDP Port:  3544
02/16/2006 06:52:53.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3559, LAN -        UDP Port:  3559
02/16/2006 06:53:56.832 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3571, LAN -        UDP Port:  3571
02/16/2006 06:54:58.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3590, LAN -        UDP Port:  3590
02/16/2006 06:56:00.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3605, LAN -        UDP Port:  3605
02/16/2006 06:57:16.240 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3617, LAN -        UDP Port:  3617
02/16/2006 06:57:57.192 -       TCP connection dropped -        63.160.97.169, 1646, WAN -      63.87.53.146, 445, WAN -        TCP Port:   445
02/16/2006 06:58:22.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3629, LAN -        UDP Port:  3629
02/16/2006 06:59:24.016 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3641, LAN -        UDP Port:  3641
02/16/2006 07:00:34.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3654, LAN -        UDP Port:  3654
02/16/2006 07:01:46.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3666, LAN -        UDP Port:  3666
02/16/2006 07:02:46.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3672, LAN -        UDP Port:  3672
02/16/2006 07:03:48.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3687, LAN -        UDP Port:  3687
02/16/2006 07:04:50.224 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3701, LAN -        UDP Port:  3701
02/16/2006 07:06:02.400 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3715, LAN -        UDP Port:  3715
02/16/2006 07:07:10.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3721, LAN -        UDP Port:  3721
02/16/2006 07:08:12.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3727, LAN -        UDP Port:  3727
02/16/2006 07:09:50.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3733, LAN -        UDP Port:  3733
02/16/2006 07:11:02.208 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3740, LAN -        UDP Port:  3740
02/16/2006 07:12:10.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3749, LAN -        UDP Port:  3749
02/16/2006 07:13:12.208 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3761, LAN -        UDP Port:  3761
02/16/2006 07:14:38.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3767, LAN -        UDP Port:  3767
02/16/2006 07:15:52.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3771, LAN -        UDP Port:  3771
02/16/2006 07:17:00.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3783, LAN -        UDP Port:  3783
02/16/2006 07:18:05.080 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3795, LAN -        UDP Port:  3795
02/16/2006 07:19:14.240 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3804, LAN -        UDP Port:  3804
02/16/2006 07:20:22.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3814, LAN -        UDP Port:  3814
02/16/2006 07:21:34.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3829, LAN -        UDP Port:  3829
02/16/2006 07:22:48.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3835, LAN -        UDP Port:  3835
02/16/2006 07:22:56.688 -       TCP connection dropped -        203.139.217.204, 3521, WAN -    63.87.53.146, 139, WAN -        TCP Port:   139
02/16/2006 07:23:56.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3844, LAN -        UDP Port:  3844
02/16/2006 07:25:32.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3857, LAN -        UDP Port:  3857
02/16/2006 07:26:38.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3872, LAN -        UDP Port:  3872
02/16/2006 07:27:38.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3875, LAN -        UDP Port:  3875
02/16/2006 07:29:04.224 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3884, LAN -        UDP Port:  3884
02/16/2006 07:30:12.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3897, LAN -        UDP Port:  3897
02/16/2006 07:31:32.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3909, LAN -        UDP Port:  3909
02/16/2006 07:32:38.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3921, LAN -        UDP Port:  3921
02/16/2006 07:33:11.768 -       TCP connection dropped -        83.37.129.100, 10125, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 07:33:51.512 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3933, LAN -        UDP Port:  3933
02/16/2006 07:34:52.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3948, LAN -        UDP Port:  3948
02/16/2006 07:36:06.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3955, LAN -        UDP Port:  3955
02/16/2006 07:37:58.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3958, LAN -        UDP Port:  3958
02/16/2006 07:39:00.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3964, LAN -        UDP Port:  3964
02/16/2006 07:39:00.416 -       TCP connection dropped -        80.28.31.182, 52731, WAN, 80-28-31-182.adsl.nuria.telefonica-data.net -         192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 07:40:10.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3974, LAN -        UDP Port:  3974
02/16/2006 07:41:38.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3983, LAN -        UDP Port:  3983
02/16/2006 07:42:52.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3992, LAN -        UDP Port:  3992
02/16/2006 07:43:42.176 -       TCP connection dropped -        81.224.165.178, 61795, WAN -    192.168.5.5, 139, LAN -         TCP Port:   139
02/16/2006 07:44:40.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4004, LAN -        UDP Port:  4004
02/16/2006 07:44:47.288 -       TCP connection dropped -        83.37.129.100, 12679, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 07:46:06.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4011, LAN -        UDP Port:  4011
02/16/2006 07:47:14.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4020, LAN -        UDP Port:  4020
02/16/2006 07:49:26.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4029, LAN -        UDP Port:  4029
02/16/2006 07:50:34.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4036, LAN -        UDP Port:  4036
02/16/2006 07:51:56.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4045, LAN -        UDP Port:  4045
02/16/2006 07:53:02.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4054, LAN -        UDP Port:  4054
02/16/2006 07:54:32.608 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4064, LAN -        UDP Port:  4064
02/16/2006 07:55:37.240 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4073, LAN -        UDP Port:  4073
02/16/2006 07:56:55.800 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4085, LAN -        UDP Port:  4085
02/16/2006 07:59:05.240 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4091, LAN -        UDP Port:  4091

Answer : Sonicwall TZ170 TCP, ICMP, and UDP packet from LAN / WAN Drop

Incidentally, all of the TCP packets that got dropped were split between 3 ports: 32821, 445, and 139. Both 445 and 139 are quite well known to hackers. Personally I am not familiar with 32821, but that doesn't mean much.

Based on the log, it looks like your firewall was doing its job, but since the packets appear to have originated from inside your LAN, I'd definitely think a worm or bot is on a system somewhere.

The thing that scares me is that packets seem only to have dropped on random port numbers up the list. If it was allowing the traffic on all the ports in between to get through, you might already have a BIG problem.
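A small parser for the TZ170 log format quoted in the question, as an added example that is not part of the original thread. It tallies which talker's packets are being dropped (and from which port) and which service ports the WAN-sourced TCP drops hit; separating the LAN-to-LAN UDP drops (192.168.5.2 port 53 to the firewall itself) from the inbound TCP drops on 139, 445 and 32821 is the first triage step before deciding whether anything inside is infected. The sample records are constructed copies of a few lines from the question.

```python
import re
from collections import Counter
from dataclasses import dataclass
# Constructed sample in the TZ170 log format quoted above (a few lines, not the whole log).
SAMPLE_LOG = """\
02/16/2006 06:31:58.128 - UDP packet from LAN dropped - 192.168.5.2, 53, LAN - 192.168.5.1, 3348, LAN - UDP Port: 3348
02/16/2006 06:32:14.448 - ICMP packet dropped - 63.65.16.205, 3, WAN, 870.ATM1/0.GW2.CHI1.alter.net - 63.87.53.146, 1, WAN - ICMP Type: 3, Code: 1
02/16/2006 06:33:12.048 - Web management request allowed - 192.168.5.34, 1191, LAN - 192.168.5.1, 80, LAN - TCP Web (HTTP)
02/16/2006 06:36:41.176 - TCP connection dropped - 83.37.129.100, 16397, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net - 192.168.5.6, 32821, LAN - TCP Port: 32821
02/16/2006 06:57:57.192 - TCP connection dropped - 63.160.97.169, 1646, WAN - 63.87.53.146, 445, WAN - TCP Port: 445
02/16/2006 07:22:56.688 - TCP connection dropped - 203.139.217.204, 3521, WAN - 63.87.53.146, 139, WAN - TCP Port: 139
02/16/2006 07:43:42.176 - TCP connection dropped - 81.224.165.178, 61795, WAN - 192.168.5.5, 139, LAN - TCP Port: 139
"""

@dataclass
class Event:
    event: str
    src_ip: str
    src_port: int   # for ICMP records this field carries the ICMP type
    src_zone: str
    dst_ip: str
    dst_port: int   # for ICMP records this field carries the ICMP code
    dst_zone: str

def _endpoint(field):
    parts = [p.strip() for p in field.split(",")]  # "ip, port, zone[, hostname]"
    return parts[0], int(parts[1]), parts[2].split()[0]  # zone may read "LAN (admin)"

def parse_log(text):
    """Split each record on the ' - ' column separator; resolved hostnames never contain it."""
    events = []
    for line in text.splitlines():
        cols = re.split(r"\s+-\s+", line.strip())
        if len(cols) < 4:
            continue  # not a traffic record
        sip, sport, szone = _endpoint(cols[2])
        dip, dport, dzone = _endpoint(cols[3])
        events.append(Event(cols[1], sip, sport, szone, dip, dport, dzone))
    return events

def drops_by_source(events):
    """Who is sending the packets that get dropped, from which port, across which zones."""
    return Counter((e.event, f"{e.src_zone}->{e.dst_zone}", f"{e.src_ip}:{e.src_port}")
                   for e in events if "dropped" in e.event)

def wan_tcp_drops_by_dst_port(events):
    """Inbound TCP the firewall refused, keyed by the service port that was probed."""
    return Counter(e.dst_port for e in events
                   if e.event.startswith("TCP") and "dropped" in e.event and e.src_zone == "WAN")
```

Run `drops_by_source(parse_log(open("sonicwall.log").read())).most_common()` against a full export to see at a glance whether the LAN-sourced drops all come from one host and port, as they do in the question's log.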