Skip to main content
badnerone
badnerone
Visitor III
September 1, 2017
Question

Unknown Wan Traffic

  • September 1, 2017
  • 1 reply
  • 5174 views

Hi,

After I updated my Fortigate 60D to 5.6.2,

 

During  the day for about 10 mins and every 30 mins and in mainly from 11.00 - 16.00 ( +2 Italy time ) the box make outbound traffic to apparently random ip's like bottom log. The outbound bandwidth is over the my maximum line capacity ( 2mbit/s max ), traffic widget indicate 8 - 10 mbit/s...

THERE ARE NO DEVICES IN THE INTERNAL SIDE OF FIREWALL GENERATING THIS TRAFFIC.

 

What it is?

 

Traffic example generated with:

diagnose sniffer packet wan2 'udp and udp port not 4500 and port not 500'

 

where wan2 ip is: 10.0.222.2/24

gateway is : 10.0.222.1

 

195.746724 10.0.222.2 -> 108.30.97.227:  ip-proto-17 (frag 14928:1480@1480+) 195.746772 10.0.222.2 -> 108.30.97.227:  ip-proto-17 (frag 14928:977@2960) 195.750042 96.239.34.237.45728 -> 10.0.222.2.53: udp 42 195.752212 10.0.222.2.53 -> 96.239.34.237.45728: udp 3929 (frag 36641:1480@0+) 195.752279 10.0.222.2 -> 96.239.34.237:  ip-proto-17 (frag 36641:1480@1480+) 195.752323 10.0.222.2 -> 96.239.34.237:  ip-proto-17 (frag 36641:977@2960) 195.763911 96.239.34.73.13720 -> 10.0.222.2.53: udp 42 195.765778 10.0.222.2.53 -> 96.239.34.73.13720: udp 3929 (frag 25333:1480@0+) 195.765841 10.0.222.2 -> 96.239.34.73:  ip-proto-17 (frag 25333:1480@1480+) 195.765885 10.0.222.2 -> 96.239.34.73:  ip-proto-17 (frag 25333:977@2960) 195.804808 96.239.34.142.8502 -> 10.0.222.2.53: udp 42 195.806905 10.0.222.2.53 -> 96.239.34.142.8502: udp 3929 (frag 55854:1480@0+) 195.806975 10.0.222.2 -> 96.239.34.142:  ip-proto-17 (frag 55854:1480@1480+) 195.807019 10.0.222.2 -> 96.239.34.142:  ip-proto-17 (frag 55854:977@2960) 195.846452 96.239.34.56.39994 -> 10.0.222.2.53: udp 42 195.848306 10.0.222.2.53 -> 96.239.34.56.39994: udp 3929 (frag 25046:1480@0+) 195.848375 10.0.222.2 -> 96.239.34.56:  ip-proto-17 (frag 25046:1480@1480+) 195.848420 10.0.222.2 -> 96.239.34.56:  ip-proto-17 (frag 25046:977@2960) 195.936198 96.239.34.159.37187 -> 10.0.222.2.53: udp 42 195.938360 10.0.222.2.53 -> 96.239.34.159.37187: udp 3929 (frag 13557:1480@0+) 195.938436 10.0.222.2 -> 96.239.34.159:  ip-proto-17 (frag 13557:1480@1480+) 195.938482 10.0.222.2 -> 96.239.34.159:  ip-proto-17 (frag 13557:977@2960) 195.961259 108.30.97.181.55902 -> 10.0.222.2.53: udp 42 195.963349 10.0.222.2.53 -> 108.30.97.181.55902: udp 3929 (frag 48810:1480@0+) 195.963417 10.0.222.2 -> 108.30.97.181:  ip-proto-17 (frag 48810:1480@1480+) 195.963463 10.0.222.2 -> 108.30.97.181:  ip-proto-17 (frag 48810:977@2960) 195.986141 10.0.222.2.65167 -> 192.168.131.188.161: udp 78 196.213749 96.239.34.174.17304 -> 10.0.222.2.53: udp 42 196.216424 10.0.222.2.53 -> 96.239.34.174.17304: udp 3929 (frag 34689:1480@0+) 196.216494 10.0.222.2 -> 96.239.34.174:  ip-proto-17 (frag 34689:1480@1480+) 196.216539 10.0.222.2 -> 96.239.34.174:  ip-proto-17 (frag 34689:977@2960)

    1 reply

    rwpatterson
    rwpatterson
    New Member
    September 1, 2017

    That appears to be DNS traffic. Check the firewall DNS settings. It appears it is searching for a DNS server and not reaching one (quickly at least) and is generating more requests outbound.

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    September 1, 2017

    I would seriously doubt that this is legitimate DNS traffic - the packet size is far too large (3 KB?).

    Then, 96.239.34.237 is not an external DNS as far as I can see. You will know better.

     

    If this is not DNS traffic then some app is tunneling across the DNS port, and that most probably is malicious.

     

    But besides all the worries about the content it appears that many packets are fragmented. Check the MTU your line can sustain without fragmenting (using the ping method). This is not common to see in sniffer output.

    badnerone
    badneroneAuthor
    Visitor III
    September 1, 2017

    rwpatterson wrote:

    That appears to be DNS traffic. Check the firewall DNS settings. It appears it is searching for a DNS server and not reaching one (quickly at least) and is generating more requests outbound.

    thanks for answer, My system dns was two internal domain controllers, of which the secondary is actually off. Now I set Fortinet DNS's servers and I wait and see.

     

    ede_pfau wrote:

    I would seriously doubt that this is legitimate DNS traffic - the packet size is far too large (3 KB?).

    Then, 96.239.34.237 is not an external DNS as far as I can see. You will know better.

     

    If this is not DNS traffic then some app is tunneling across the DNS port, and that most probably is malicious.

     

    But besides all the worries about the content it appears that many packets are fragmented. Check the MTU your line can sustain without fragmenting (using the ping method). This is not common to see in sniffer output.

    hi,

    1 - While this issue happened, I disconnected all internal LANs, but high traffic still run.

    2 - I'm not deep expert in tcp protocol and diagnose sniffer command, but the packets with ip-proto-17 ( frag:23xxx ) notation start to appear only while the issue is running.

    a lot of thanks for your answers.

    Terms & ConditionsAccessibility statement