0 Votes
Jackson1990-7147 asked · SunnyQi-MSFT edited

Question about a Network Monitor report

Hi,
Here are the details captured from a Network Monitor report.

No. Time Source Destination Protocol Length Info
3 0.000000000 177.93.152.158 1??.??.??.??7 CLDAP 93 searchRequest(7) "<ROOT>" baseObject

Frame 3: 93 bytes on wire (744 bits), 93 bytes captured (744 bits)
Ethernet II, Src: Hangzhou_5a:c6:15 (50:da:00:5a:c6:15), Dst: Rebox_d9:18:9b (00:16:3c:d9:18:9b)
Internet Protocol Version 4, Src: 177.93.152.158, Dst: 103.15.21.107
User Datagram Protocol, Src Port: 25933, Dst Port: 389
Connectionless Lightweight Directory Access Protocol

I then created the relevant firewall rule:

netsh advfirewall firewall add rule name="NETRule21/03/2021 21:41:37_1" dir=in action=block remoteip=177.93.1.1-177.93.255.255

Would this rule help to defend against any invalid attack/access?


Tags: windows-server, windows-10-network, windows-server-2016, windows-server-infrastructure

1 Vote
SunnyQi-MSFT answered

Hi,

Sorry for my late reply; I have been on holiday since last Friday.

Regarding the specific IP blocked by Windows Firewall: if you enable the firewall log, we can check it to see whether the traffic was blocked by Windows Firewall. If we find in the firewall log that the traffic was dropped, the rule for blocking the specific IP was applied successfully in our firewall.

I am attaching my test result for your reference. As you can see in the firewall log, we could receive traffic from the specific IP; once received, the traffic was dropped by Windows Firewall.

(attached screenshots of the firewall log: image-3.jpg, image-2.jpg)

Best Regards,
Sunny


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


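Sunny's check above is to turn on the firewall log and look for DROP entries from the source address seen in the capture. As an added example (not code from the thread or from Microsoft), the Python below parses lines in the pfirewall.log field layout and reports whether every inbound packet from 177.93.152.158 was dropped. The log lines are constructed, 192.0.2.10 stands in for the local server, and the netsh command in the docstring is the standard one for enabling logging of dropped packets.

```python
"""Check a Windows Defender Firewall log for drops from one remote address.

Constructed example (not from the original thread): the log lines below are
made up in the pfirewall.log format, with the thread's source address
177.93.152.158 and 192.0.2.10 standing in for the local server.  Logging of
dropped packets is off by default; it is switched on with
    netsh advfirewall set allprofiles logging droppedconnections enable
and the log is written to %systemroot%\\system32\\LogFiles\\Firewall\\pfirewall.log.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional

# Column order from the "#Fields:" header Windows writes at the top of pfirewall.log.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample log.  "path" is RECEIVE for inbound and SEND for outbound packets.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2021-03-21 21:45:02 DROP UDP 177.93.152.158 192.0.2.10 25933 389 93 - - - - - - - RECEIVE
2021-03-21 21:45:03 DROP UDP 177.93.152.158 192.0.2.10 25933 389 93 - - - - - - - RECEIVE
2021-03-21 21:45:09 DROP TCP 177.93.152.158 192.0.2.10 41022 3389 52 S 1234567 0 8192 - - - RECEIVE
2021-03-21 21:45:10 ALLOW TCP 198.51.100.7 192.0.2.10 50111 443 52 S 2233445 0 65535 - - - RECEIVE
2021-03-21 21:45:11 ALLOW UDP 192.0.2.10 198.51.100.53 55000 53 76 - - - - - - - SEND
"""


@dataclass(frozen=True)
class LogEntry:
    action: str      # ALLOW or DROP
    protocol: str    # TCP, UDP, ICMP, ...
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    path: str        # RECEIVE (inbound) or SEND (outbound)


def _port(value: str) -> Optional[int]:
    return None if value == "-" else int(value)


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; header, blank and malformed lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None          # truncated or foreign line: skip rather than guess
    rec = dict(zip(FIELDS, parts))
    return LogEntry(rec["action"], rec["protocol"], rec["src-ip"], rec["dst-ip"],
                    _port(rec["src-port"]), _port(rec["dst-port"]), rec["path"])


def parse_log(text: str) -> Iterator[LogEntry]:
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            yield entry


def inbound_from(entries: Iterable[LogEntry], remote_ip: str) -> Counter:
    """Count inbound packets from remote_ip, keyed by (action, protocol, dst_port)."""
    counts: Counter = Counter()
    for e in entries:
        if e.path == "RECEIVE" and e.src_ip == remote_ip:
            counts[(e.action, e.protocol, e.dst_port)] += 1
    return counts


def block_confirmed(entries: Iterable[LogEntry], remote_ip: str) -> bool:
    """True when the log shows at least one inbound packet from remote_ip and
    every one of them was dropped; False if none were seen or any got through."""
    counts = inbound_from(entries, remote_ip)
    return bool(counts) and all(action == "DROP" for action, _, _ in counts)


if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    for key, n in sorted(inbound_from(entries, "177.93.152.158").items()):
        print(key, n)
    print("block confirmed:", block_confirmed(entries, "177.93.152.158"))
```

Run against the real file by replacing SAMPLE_LOG with the contents of pfirewall.log; a DROP row with the remote address as src-ip and RECEIVE as the path is exactly what Sunny's screenshots show.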

1 Vote
SunnyQi-MSFT answered

Hi,

Thanks for posting on the Q&A platform.

If you can verify that the remote IPs from 177.93.1.1 to 177.93.255.255 are insecure, the rule that you created in the firewall can block traffic from these IPs effectively.

Please understand that analysis of network traffic is beyond our forum support level. If you want to know more about the Netmon results, I would suggest you open a case with Microsoft, where a more in-depth investigation can be done so that you get a more satisfying explanation to this question.

You may find the phone number of your region in the following link:

https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Best Regards,
Sunny



0 Votes
Jackson1990-7147 answered · SunnyQi-MSFT commented

Hi Sunny,
Thanks for the update. It means the firewall rule given above would help protect the current server as expected, right?


Hi Jackson,

Yes, you're right.

Best Regards,
Sunny


0 Votes
Jackson1990-7147 answered · SunnyQi-MSFT commented

Hi Sunny,
Creating the relevant rule is not helping so much. Can there be other protection?


Hi,

Thanks for your feedback.

If we add an inbound rule in Windows Defender Firewall to block traffic from the specific IP, the normal behavior is that traffic from the specific IP can be sent to our local machine and our machine can receive this traffic, but since we have enabled an inbound rule in Windows Firewall to block traffic from this IP, this traffic will be dropped by the rule in the firewall.

If we need the specific IP not to send the traffic to our local machine, I would suggest you locate the device with the specific IP and block the outgoing traffic on its side.

Best Regards,
Sunny

0 Votes
Jackson1990-7147 answered · Jackson1990-7147 edited

Hi,
Do you mean that, even if we have a rule to block a specific IP, there can still be traffic (possibly heavy) from any outside point (since the outside point/machine has decided to attack my current IP/machine)?

Do you think it is so crazy for the Ethernet adapter to show over 1 Gbps of traffic?

0 Votes
Jackson1990-7147 answered · SunnyQi-MSFT commented

Hi Sunny,
Does it mean that whatever IP is rejected by firewall rules would not be able to annoy the server/machine by producing lots of heavy traffic, right?


Yes. If we block the traffic from a specific IP, our Windows machine can receive the traffic, but once received, the traffic will be blocked by the firewall. You could refer to my firewall log.

0 Votes
Jackson1990-7147 answered

Hi,
Are the relevant details (rejected by the firewall) still part of the Ethernet traffic reported below?
(attached screenshot: a27.png)

0 Votes
SunnyQi-MSFT answered

Hi,

I have tested in my lab. If the traffic has been blocked by Windows Firewall, then it will not be reported under Ethernet in the Performance tab of Task Manager.

(attached screenshots: image-4.jpg, image-5.jpg)

Best Regards,
Sunny



0 Votes
Jackson1990-7147 answered · SunnyQi-MSFT edited

Thanks a lot.
One last thing: the rule below will block all traffic, whether UDP, ICMP, or TCP, right?

netsh advfirewall firewall add rule name="NETRule28/03/2021 14:13:06_1" dir=out action=block remoteip=73.13.1.1-73.13.255.255



Hi Jackson,

Thanks for your feedback.

Yes, you're right. The protocol type is any.

Please accept the useful answer if you want to close this thread.

Best Regards,
Sunny


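The two rules posted in this thread (the inbound one in the question and the outbound one in the last reply) modelled offline in Python, as an added example that is not part of the thread and does not talk to netsh. It parses each `netsh advfirewall firewall add rule` command into a small Rule object and answers whether a given direction, remote address and protocol would be matched, with the netsh defaults the thread states: no `protocol=` means any protocol, and `remoteip=` may be a single address, a CIDR subnet, a low-high range, `any`, or a comma-separated list of those. The checks also show what the range as written covers: 177.93.152.158 from the capture is inside it, while 177.93.1.0 and 177.93.0.x are not, because the range starts at 177.93.1.1 rather than 177.93.0.0.

```python
"""Model a 'netsh advfirewall firewall add rule' command and test what it covers.

Added example (not from the thread or from Microsoft).  The two commands below
are the ones posted in the thread; the parsing of them and the matching logic
are this example's own and only assume the netsh behaviour the thread states
(no protocol= means any; remoteip takes an address, subnet, range, any, or list).
"""
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

RULE_IN = ('netsh advfirewall firewall add rule name="NETRule21/03/2021 21:41:37_1" '
           'dir=in action=block remoteip=177.93.1.1-177.93.255.255')
RULE_OUT = ('netsh advfirewall firewall add rule name="NETRule28/03/2021 14:13:06_1" '
            'dir=out action=block remoteip=73.13.1.1-73.13.255.255')


@dataclass
class Rule:
    name: str
    direction: str                # "in" or "out"
    action: str                   # "block" or "allow"
    protocol: str                 # "any" when the command gives no protocol=
    remote: List[Network] = field(default_factory=list)  # empty list means any remote address


def parse_remoteip(spec: str) -> List[Network]:
    """Expand a remoteip= value into CIDR networks; 'any' becomes an empty list."""
    nets: List[Network] = []
    if spec.strip().lower() == "any":
        return nets
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:                                 # low-high range
            low, high = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(low, high))
        else:                                           # single address or a.b.c.d/n
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def parse_netsh_rule(command: str) -> Rule:
    """Turn one 'netsh advfirewall firewall add rule ...' command line into a Rule."""
    tokens = shlex.split(command)   # keeps name="... ..." together as one token
    if [t.lower() for t in tokens[:5]] != ["netsh", "advfirewall", "firewall", "add", "rule"]:
        raise ValueError("not a 'netsh advfirewall firewall add rule' command")
    kv = {}
    for tok in tokens[5:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {tok!r}")
        kv[key.lower()] = value
    return Rule(name=kv["name"], direction=kv["dir"].lower(), action=kv["action"].lower(),
                protocol=kv.get("protocol", "any").lower(),
                remote=parse_remoteip(kv.get("remoteip", "any")))


def rule_covers(rule: Rule, direction: str, remote_ip: str, protocol: str) -> bool:
    """Would this rule apply to a packet in `direction` with this remote address and protocol?"""
    if rule.direction != direction.lower():
        return False
    if rule.protocol != "any" and rule.protocol != protocol.lower():
        return False
    if not rule.remote:                 # remoteip=any
        return True
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in rule.remote)


def remote_as_cidr(rule: Rule) -> List[str]:
    """The remoteip range expressed as the CIDR blocks it is made of."""
    return [str(n) for n in rule.remote]


if __name__ == "__main__":
    for cmd in (RULE_IN, RULE_OUT):
        rule = parse_netsh_rule(cmd)
        print(rule.name, rule.direction, rule.action, rule.protocol, remote_as_cidr(rule))
    print(rule_covers(parse_netsh_rule(RULE_IN), "in", "177.93.152.158", "udp"))
```

Because the dir=out rule only matches outbound packets, it does nothing about what arrives from 73.13.x.x; the matching inbound check is a separate dir=in rule. The CIDR expansion is also what you would feed to an upstream device if, as Sunny suggests, the traffic should be stopped before it reaches the server.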