Question about a Network Monitor report

Peter_1985 2,736 Reputation points
2021-03-22T05:49:12.403+00:00

Hi,
Here are the details captured from a Network Monitor report.

No. Time Source Destination Protocol Length Info
3 0.000000000 177.93.152.158 1??.??.??.??7 CLDAP 93 searchRequest(7) "<ROOT>" baseObject

Frame 3: 93 bytes on wire (744 bits), 93 bytes captured (744 bits)
Ethernet II, Src: Hangzhou_5a:c6:15 (50:da:00:5a:c6:15), Dst: Rebox_d9:18:9b (00:16:3c:d9:18:9b)
Internet Protocol Version 4, Src: 177.93.152.158, Dst: 103.15.21.107
User Datagram Protocol, Src Port: 25933, Dst Port: 389
Connectionless Lightweight Directory Access Protocol

I then created a relevant firewall rule like:

netsh advfirewall firewall add rule name="NETRule21/03/2021 21:41:37_1" dir=in action=block remoteip=177.93.1.1-177.93.255.255

Would this rule help to fight against any invalid attack/access?


Accepted answer
  1. Anonymous
    2021-03-29T04:35:51.027+00:00

    Hi,

    Sorry for my late reply; I have been on holiday since last Friday.

    Regarding the specific IP that was blocked by Windows Firewall: if you enable the firewall log, we can check the log to see whether the traffic was blocked by Windows Firewall. If the firewall log shows that the traffic was dropped, the rule for blocking the specific IP was applied successfully in the firewall.

    I am attaching my test result for your reference. As you can see in the firewall log, we received traffic from the specific IP; once received, the traffic was dropped by Windows Firewall.


    Best Regards,
    Sunny

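The log check described in the accepted answer, as an added example (not code from the original post or from Microsoft): it parses Windows Firewall log records and counts inbound UDP/389 packets from sources inside the rule's 177.93.1.1-177.93.255.255 range, and lists allowed sources the range does not cover. The log lines are constructed samples in the pfirewall.log field layout, the destination is a documentation address, and logging of allowed connections is assumed to be enabled.

```python
import ipaddress

# Range from the rule in the question: remoteip=177.93.1.1-177.93.255.255
RULE_FIRST = ipaddress.ip_address("177.93.1.1")
RULE_LAST = ipaddress.ip_address("177.93.255.255")

# Constructed sample in the Windows Firewall log layout (not real capture data).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2021-03-22 05:49:12 DROP UDP 177.93.152.158 203.0.113.10 25933 389 93 - - - - - - - RECEIVE
2021-03-22 05:49:13 DROP UDP 177.93.152.158 203.0.113.10 25934 389 93 - - - - - - - RECEIVE
2021-03-22 05:49:14 ALLOW UDP 177.93.0.20 203.0.113.10 40111 389 93 - - - - - - - RECEIVE
2021-03-22 05:49:15 ALLOW TCP 198.51.100.7 203.0.113.10 50123 443 0 - 0 0 0 - - - RECEIVE
"""

def parse(log_text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def in_rule(ip):
    """True if ip is an IPv4 address inside the blocked range of the rule."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and RULE_FIRST <= addr <= RULE_LAST

def summarize(log_text, port="389"):
    """Classify inbound UDP records for `port` by action and rule coverage."""
    out = {"dropped_in_rule": 0, "allowed_in_rule": 0, "allowed_outside_rule": []}
    for rec in parse(log_text):
        if (rec["protocol"], rec["dst-port"], rec["path"]) != ("UDP", port, "RECEIVE"):
            continue
        covered = in_rule(rec["src-ip"])
        if rec["action"] == "DROP" and covered:
            out["dropped_in_rule"] += 1      # the rule is doing its job
        elif rec["action"] == "ALLOW" and covered:
            out["allowed_in_rule"] += 1      # rule not applied; investigate
        elif rec["action"] == "ALLOW":
            out["allowed_outside_rule"].append(rec["src-ip"])  # not covered
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-zero `allowed_in_rule` count means the block rule is not taking effect; entries in `allowed_outside_rule` are sources that reach UDP 389 because the address range does not cover them.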

8 additional answers

  1. Anonymous
    2021-03-22T10:09:36.103+00:00

    Hi,

    Thanks for posting on the Q&A platform.

    If you can verify that the remote IPs from 177.93.1.1 to 177.93.255.255 are unsecure, the rule that you created in the firewall can block traffic from these IPs effectively.

    Please understand that analysis of network traffic is beyond our forum support level. If you want to know more about the Netmon results, I would suggest that you open a case with Microsoft, where a more in-depth investigation can be done so that you get a more satisfying explanation to this question.

    You may find the phone number of your region in the following link:

    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

    Best Regards,
    Sunny


  2. Peter_1985 2,736 Reputation points
    2021-03-22T10:18:12.163+00:00

    Hi Sunny,
    Thanks for the update. It means the firewall rule given above would help protect the current server as expected, right?


  3. Peter_1985 2,736 Reputation points
    2021-03-25T06:05:39.827+00:00

    Hi Sunny,
    Creating the relevant rule is not helping much. Can there be other protection?


  4. Peter_1985 2,736 Reputation points
    2021-03-25T07:08:54.553+00:00

    Hi,
    Do you mean that even if we have a rule to block a specific IP, there can still be traffic (or heavy traffic) from any outside point (since the outside point/machine has decided to attack my current IP/machine)?

    Do you think it is crazy for Ethernet to have over 1 Gbps of traffic?

