What exactly does this mean?
We run a remote desktop server farm that our customers log into from their offices. I've been taking a look at one customer's branch office's connectivity challenges and I noticed a bunch of events in the Threat log. This particular office location keeps getting disconnected, and I want to check my side of things before I ask them to check their side. Here's what I've seen in the log:
#   Threat Type                 Event                       Date/Time  Source          Threat Level  Destination      Application Name  Sent / Received        Action
1   Failed Connection Attempts  Failed Connection Attempts  13:51:49   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  RDP               87.45 KB / 173.79 KB   timeout
2   Failed Connection Attempts  Failed Connection Attempts  13:08:53   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
3   Failed Connection Attempts  Failed Connection Attempts  13:08:53   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
4   Failed Connection Attempts  Failed Connection Attempts  13:01:45   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
5   Failed Connection Attempts  Failed Connection Attempts  13:01:45   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
6   Failed Connection Attempts  Failed Connection Attempts  12:59:32   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
7   Failed Connection Attempts  Failed Connection Attempts  12:59:32   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
8   Failed Connection Attempts  Failed Connection Attempts  12:59:16   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
9   Failed Connection Attempts  Failed Connection Attempts  12:59:16   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
10  Failed Connection Attempts  Failed Connection Attempts  12:41:34   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
11  Failed Connection Attempts  Failed Connection Attempts  12:41:34   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
12  Failed Connection Attempts  Failed Connection Attempts  12:24:28   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
13  Failed Connection Attempts  Failed Connection Attempts  12:24:28   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
14  Failed Connection Attempts  Failed Connection Attempts  12:24:16   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
15  Failed Connection Attempts  Failed Connection Attempts  12:24:16   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
16  Failed Connection Attempts  Failed Connection Attempts  11:48:10   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
17  Failed Connection Attempts  Failed Connection Attempts  11:48:10   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
18  Failed Connection Attempts  Failed Connection Attempts  10:59:39   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
19  Failed Connection Attempts  Failed Connection Attempts  10:59:39   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
20  Failed Connection Attempts  Failed Connection Attempts  10:59:24   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
21  Failed Connection Attempts  Failed Connection Attempts  10:59:24   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
22  Failed Connection Attempts  Failed Connection Attempts  10:54:50   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  RDP               83.43 KB / 153.48 KB   timeout
23  Failed Connection Attempts  Failed Connection Attempts  10:54:50   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
24  Failed Connection Attempts  Failed Connection Attempts  10:50:41   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  RDP               101.02 KB / 129.44 KB  timeout
25  Failed Connection Attempts  Failed Connection Attempts  10:50:41   99.xxx.xxx.xxx  Low           207.xxx.xxx.xxx  Unknown                                  ip-conn
A more detailed event looks like this:
#: 4
Action: ip-conn
Application Category: unscanned
Date/Time: 15:55:33
Destination: 207.xxx.xxx.xxx
Destination Interface: LAN
Destination Port: 3389
Event: Failed Connection Attempts
Level:
Log ID: 11
Policy ID: 1
Policy UUID: 4da239a2-6e08-51e4-d0af-965838f35eb4
Protocol: tcp
Protocol Number: 6
Sequence Number: 22296805
Source: 99.xxx.xxx.xxx
Source Interface: port1
Source Port: 52202
Sub Type: forward
Threat: 262144
Threat Level: Low
Threat Level: low
Threat Score: 5
Threat Type: Failed Connection Attempts
Timestamp: 10/2/2015, 3:55:33 PM
Virtual Domain: root
I'm not sure if this is something to be concerned with, or if it is a sign of a greater problem. I have not been able to try to correlate the events as of yet. The current firewall that this is going through is a Fortigate 300C running v5.2.4,build688 (GA). If nothing else, I'd love to know what "ip-conn" stands for. IP connection reset? Any hint would be helpful.
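One way to start the correlation the post says has not been done yet: an added example (not code from the post or from Fortinet) that parses rows in the same column layout as the Threat log table above and, for each RDP timeout that actually moved data, counts ip-conn rows for the same source/destination pair within a one-minute window. The sample rows and their RFC 5737 addresses are constructed; "ip-conn" is treated only as a label, not interpreted.

```python
"""Group and correlate rows of a FortiGate-style 'Failed Connection Attempts'
threat log. SAMPLE_LOG is constructed: post's column layout, tab-separated."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

SAMPLE_LOG = """\
1\tFailed Connection Attempts\tFailed Connection Attempts\t13:51:49\t203.0.113.5\tLow\t198.51.100.10\tRDP\t87.45 KB / 173.79 KB\ttimeout
2\tFailed Connection Attempts\tFailed Connection Attempts\t13:08:53\t203.0.113.5\tLow\t198.51.100.10\tUnknown\t\tip-conn
3\tFailed Connection Attempts\tFailed Connection Attempts\t13:08:53\t203.0.113.5\tLow\t198.51.100.10\tUnknown\t\tip-conn
4\tFailed Connection Attempts\tFailed Connection Attempts\t10:54:50\t203.0.113.5\tLow\t198.51.100.10\tRDP\t83.43 KB / 153.48 KB\ttimeout
5\tFailed Connection Attempts\tFailed Connection Attempts\t10:54:50\t203.0.113.5\tLow\t198.51.100.10\tUnknown\t\tip-conn
6\tFailed Connection Attempts\tFailed Connection Attempts\t10:50:41\t203.0.113.5\tLow\t198.51.100.10\tRDP\t101.02 KB / 129.44 KB\ttimeout
"""
# Column order of the Threat log view shown in the post.
COLUMNS = ["num", "threat_type", "event", "time", "src", "level", "dst",
           "app", "bytes", "action"]

def parse_kb(field):
    """'87.45 KB / 173.79 KB' -> (87.45, 173.79); ip-conn rows carry no bytes."""
    m = re.match(r"([\d.]+) KB / ([\d.]+) KB", field)
    return (float(m.group(1)), float(m.group(2))) if m else (0.0, 0.0)

def parse_threat_log(text):
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            continue  # skip header or truncated lines
        row = dict(zip(COLUMNS, fields))
        row["time"] = datetime.strptime(row["time"], "%H:%M:%S")
        row["sent_kb"], row["recv_kb"] = parse_kb(row["bytes"])
        rows.append(row)
    return rows

def summarize(rows, window=timedelta(seconds=60)):
    """Count rows per action; for each 'timeout' (a session that moved data and
    then died) count 'ip-conn' rows for the same src/dst pair within `window`."""
    by_action = Counter(r["action"] for r in rows)
    ipconn = defaultdict(list)
    for r in rows:
        if r["action"] == "ip-conn":
            ipconn[(r["src"], r["dst"])].append(r["time"])
    timeouts = []
    for r in rows:
        if r["action"] != "timeout":
            continue
        near = [t for t in ipconn[(r["src"], r["dst"])]
                if abs((t - r["time"]).total_seconds()) <= window.total_seconds()]
        timeouts.append({"time": r["time"].strftime("%H:%M:%S"), "app": r["app"],
                         "sent_kb": r["sent_kb"], "recv_kb": r["recv_kb"],
                         "ipconn_within_window": len(near)})
    return {"by_action": dict(by_action), "timeouts": timeouts}
```

Feed it an export of the real table and a timeout whose `ipconn_within_window` is non-zero is the disconnection to line up against the branch's side (WAN link, NAT device, ISP) at that minute.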
