Question to report of Network monitor

Peter_1985 2,486 Reputation points
2021-03-22T05:49:12.403+00:00

Hi,
Here are the details captured from a Network Monitor report.

No. Time Source Destination Protocol Length Info
3 0.000000000 177.93.152.158 1??.??.??.??7 CLDAP 93 searchRequest(7) "<ROOT>" baseObject

Frame 3: 93 bytes on wire (744 bits), 93 bytes captured (744 bits)
Ethernet II, Src: Hangzhou_5a:c6:15 (50:da:00:5a:c6:15), Dst: Rebox_d9:18:9b (00:16:3c:d9:18:9b)
Internet Protocol Version 4, Src: 177.93.152.158, Dst: 103.15.21.107
User Datagram Protocol, Src Port: 25933, Dst Port: 389
Connectionless Lightweight Directory Access Protocol

I then created the relevant firewall rule like this:

netsh advfirewall firewall add rule name="NETRule21/03/2021 21:41:37_1" dir=in action=block remoteip=177.93.1.1-177.93.255.255

Would this rule help fight against any invalid attack/access?


Accepted answer
  1. Sunny Qi 10,896 Reputation points Microsoft Vendor
    2021-03-29T04:35:51.027+00:00

    Hi,

    Sorry for my late reply; I have been on holiday since last Friday.

    Regarding the specific IP blocked by Windows Firewall: if you enable the firewall log, we can check the log to see whether the traffic was blocked by Windows Firewall. If we find in the firewall log that the traffic was dropped, the rule for blocking the specific IP was applied successfully in our firewall.

    Attaching my test result for your reference. As you can see in the firewall log, we could still receive traffic from the specific IP; once received, the traffic was dropped by Windows Firewall.

    (attached image: 82148-image-3.jpg)

    (attached image: 82225-image-2.jpg)

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.
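As an added example (not code from any post in this thread), the Python script below checks the two things the question and the accepted answer turn on: whether the source address seen in the capture actually falls inside the `remoteip` range of the question's netsh rule, and whether the Windows Firewall log records that traffic as dropped once logging is enabled. The log lines are constructed for this example using the addresses from the question; the `#Fields:` layout is the standard pfirewall.log format, and the default log path (%systemroot%\system32\LogFiles\Firewall\pfirewall.log) is the one Windows Firewall logging uses. The function and variable names are this example's own.

```python
import ipaddress
from collections import Counter

# remoteip value and rule name copied from the netsh command in the question
RULE_NAME = "NETRule21/03/2021 21:41:37_1"
RULE_RANGE = "177.93.1.1-177.93.255.255"

# Constructed sample of a Windows Firewall log (default path:
# %systemroot%\system32\LogFiles\Firewall\pfirewall.log). The entries are made up
# for this example; the field layout is the real pfirewall.log format.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-03-29 12:00:01 DROP UDP 177.93.152.158 103.15.21.107 25933 389 93 - - - - - - - RECEIVE
2021-03-29 12:00:03 DROP UDP 177.93.152.158 103.15.21.107 25933 389 93 - - - - - - - RECEIVE
2021-03-29 12:00:05 ALLOW TCP 10.0.0.5 103.15.21.107 51000 3389 52 S 123 0 8192 - - - RECEIVE
2021-03-29 12:00:07 ALLOW UDP 177.93.0.44 103.15.21.107 40000 389 93 - - - - - - - RECEIVE
"""


def parse_remoteip_range(spec):
    """Turn a netsh remoteip value (a-b range, CIDR, or single address) into network objects."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def ip_in_rule(ip, networks):
    """True if the address is covered by any network derived from the rule's remoteip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_firewall_log(text):
    """Parse pfirewall.log text into dicts keyed by the names in the '#Fields:' header."""
    fields = None
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other header lines (#Version, #Software, #Time Format)
        if fields is None:
            raise ValueError("log entry seen before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a partial line; the log is appended to while being read
        entries.append(dict(zip(fields, values)))
    return entries


def audit_rule(entries, networks, dst_port="389"):
    """Summarise inbound traffic to dst_port: was in-scope traffic dropped, and what slipped past?"""
    hits = [e for e in entries if e["path"] == "RECEIVE" and e["dst-port"] == dst_port]
    in_scope = [e for e in hits if ip_in_rule(e["src-ip"], networks)]
    return {
        # sources inside the rule's range that the firewall dropped: the rule is working
        "dropped_in_scope": Counter(e["src-ip"] for e in in_scope if e["action"] == "DROP"),
        # sources inside the range that were still allowed: the rule is not taking effect
        "allowed_in_scope": Counter(e["src-ip"] for e in in_scope if e["action"] == "ALLOW"),
        # sources outside the range reaching the same port: the range may be too narrow
        "allowed_out_of_scope": Counter(
            e["src-ip"] for e in hits
            if e["action"] == "ALLOW" and not ip_in_rule(e["src-ip"], networks)
        ),
    }


if __name__ == "__main__":
    nets = parse_remoteip_range(RULE_RANGE)
    print(f"rule {RULE_NAME!r} covers 177.93.152.158:", ip_in_rule("177.93.152.158", nets))
    print(f"rule {RULE_NAME!r} covers 177.93.0.44:", ip_in_rule("177.93.0.44", nets))
    for key, counter in audit_rule(parse_firewall_log(SAMPLE_LOG), nets).items():
        print(key, dict(counter))
```

Two things the output makes visible. A DROP line for the capture's source proves the rule fired, but, as the answer above says, the packet still arrived at the NIC before the host firewall discarded it, so a host rule does not reduce the volume on the link. The fourth constructed line shows why the exact range matters: 177.93.0.44 is below 177.93.1.1, so the rule as written leaves 177.93.0.0-177.93.1.0 uncovered; if the intent was the whole /16, netsh also accepts `remoteip=177.93.0.0/16`.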

8 additional answers

Sort by: Most helpful
  1. Sunny Qi 10,896 Reputation points Microsoft Vendor
    2021-03-22T10:09:36.103+00:00

    Hi,

    Thanks for posting in Q&A platform.

    If you can verify that the remote IPs from 177.93.1.1 to 177.93.255.255 are unsafe, the rule that you created in the firewall can block traffic from these IPs effectively.

    Please understand that analysis of network traffic is beyond our forum support level. If you want to know more about the Netmon results, I would suggest you open a case with Microsoft, where a more in-depth investigation can be done so that you get a more satisfying explanation of this question.

    You may find the phone number of your region in the following link:

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

    Best Regards,
    Sunny


    1 person found this answer helpful.

  2. Peter_1985 2,486 Reputation points
    2021-03-22T10:18:12.163+00:00

    Hi Sunny,
    Thanks for the update. It means the firewall rule given above would help protect the current server as expected, right?


  3. Peter_1985 2,486 Reputation points
    2021-03-25T06:05:39.827+00:00

    Hi Sunny,
    Creating the relevant rule is not helping much. Can there be other protection?


  4. Peter_1985 2,486 Reputation points
    2021-03-25T07:08:54.553+00:00

    Hi,
    Do you mean that, even if we have a rule to block a specific IP, there can still be traffic (possibly heavy) from any outside point (since the outside point/machine has decided to attack my current IP/machine)?

    Do you think it is so crazy for the Ethernet link to have over 1 Gbps of traffic?
