Endpoint Protection

  • 1.  Port Attack

    Posted Sep 02, 2015 03:53 PM

    I have seen several postings that port attacks logged on users' computers come from the router, but the IP address that the attack is coming from is an internal IP. I cannot ping the IP, it loads nothing in the browser, nor can I SSH into it. How do I find out what this device is that is port attacking only 1 specific user? I am unsure if I can trust it or not. Do I trust it and put in an exception because it is coming from an internal IP?



  • 2.  RE: Port Attack

    Posted Sep 02, 2015 03:57 PM

    You can't ping it or get to it because the traffic to/from is blocked for 600 seconds.

    Can you try from another machine? Can you resolve the hostname?



  • 3.  RE: Port Attack

    Posted Sep 02, 2015 04:01 PM

    I am actually trying to ping it from another computer several hours after it was logged.

    The hostname does not resolve.



  • 4.  RE: Port Attack

    Posted Sep 03, 2015 01:02 AM

    What version of SEP are you using, and what is the IP address that is getting blocked? Are you sure that it is not the IP address of the router?



  • 5.  RE: Port Attack

    Broadcom Employee
    Posted Sep 03, 2015 08:19 AM

    From the affected machines, attach the NTP --> Traffic logs; we would like to dig into it.

    Meanwhile go through this article as well: Automatically blocking connections to an attacking computer



  • 6.  RE: Port Attack

    Posted Sep 03, 2015 08:32 AM

    Temporarily disable the SEP firewall and try again.



  • 7.  RE: Port Attack

    Posted Sep 03, 2015 10:38 AM

    Can I grab the Traffic logs from the SEPM or does it have to be from the computer itself?



  • 8.  RE: Port Attack

    Broadcom Employee
    Posted Sep 03, 2015 11:55 AM

    Traffic logs from the computer itself.