On our corporate network we're detecting workstations opening too many connections to the IP address 75.126.196.159 (port 3478) causing the Cisco ASA Firewall 5550 to detect a "SYN Attack" and reach its limit in terms of connections, causing a severe traffic degradation over the legit traffic.
We have Symantec Endpoint Protection (SEP) v12.1 with the latest definitions on every workstation, thus it does not detect any anomaly behavior.
As a mitigation mechanism I'm adding a local SEP (Firewall) rule to block all traffic inbound/outbound to the IP address in cause 75.126.196.159
Any other suggestion to mitigate and resolve this issue?
This port is used for STUN (Simple Traversal of UDP for NAT), which is used by VoIP in some cases. It is also used by the Apple FaceTime application. It could also be used by malware.
You may have unauthorized or incorrectly configured software on the workstations in question.
It is also possible your firewall is blocking legitimate traffic for one of the above services causing them to retry more frequently than normal.
I would expect FaceTime to stream traffic, but that would require an ongoing connection. I would expect the router to recognize this, but UDP is connectionless, so it might not. FaceTime may recover by switching to an alternate port, so it may not be obvious to your users that the port is being blocked.
EDIT: I've done a lookup on the IP address in question. Do a whois lookup on the IP address and contact the ip-admin or abuse address. Explain what you are seeing and see if they are willing to provide any information. It is unlikely they will want to host a command and control server, but they may not be willing to share information.
Given this particular address, I don't expect it was running a STUN server. This would lead me to wonder about malware. Investigate at least one of the offending devices to see which program is generating the traffic. (netstat will show the program on Unix/Linux, and the Windows firewall may have a rule allowing the traffic out.) If it is a legitimate program, then I would suspect misconfiguration. If not, you likely will need to clean up a malware infection. If it is spreading, disconnect all devices generating the SYN requests. As you are running SEP, I suspect these systems are running Windows. It may be able to identify the program sending the traffic.
A wget https request indicates the server is currently being used by swarmcdn.com. Has anyone installed the Swarmify video software?
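The "find the program generating the traffic" step from this answer, as an added example that is not part of the original thread: a PowerShell snippet for a suspect Windows workstation that parses netstat -ano output, lists every local process with a socket to the address from the question, and counts how many of its TCP sockets are stuck in SYN_SENT (a sign the connection attempts are being dropped and retried, as the answer suggests a firewall could cause). The $Target value is the IP from the question; everything else is assumed to be run in an elevated PowerShell 3.0 or later session.

```powershell
# Added example, not code from the original thread.
# Identify which local processes hold sockets to the offending address,
# using netstat -ano so it also works on older Windows builds that lack
# the Get-NetTCPConnection cmdlets.
$Target = '75.126.196.159'   # address from the question

# netstat -ano columns: Proto  Local Address  Foreign Address  [State]  PID
# UDP rows carry no State column, so we match on the foreign address rather
# than on a fixed column position.
$pattern = "\s$([regex]::Escape($Target)):\d+\s"
$rows = netstat -ano | Where-Object { $_ -match $pattern }

$hits = foreach ($line in $rows) {
    $f = ($line -replace '^\s+', '') -split '\s+'
    $isTcp = ($f[0] -eq 'TCP')
    [pscustomobject]@{
        Proto   = $f[0]
        Foreign = $f[2]
        State   = if ($isTcp) { $f[3] } else { '' }   # UDP has no state
        PID     = [int]$f[-1]                          # PID is always last
    }
}

if (-not $hits) {
    Write-Host "No sockets to $Target at this moment; re-run while the ASA is alerting."
} else {
    # One row per owning process: name, image path, socket count, SYN_SENT count.
    $hits | Group-Object PID | ForEach-Object {
        $p = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID     = [int]$_.Name
            Process = if ($p) { $p.ProcessName } else { '<exited>' }
            Path    = if ($p -and $p.Path) { $p.Path } else { '' }
            Sockets = $_.Count
            SynSent = @($_.Group | Where-Object { $_.State -eq 'SYN_SENT' }).Count
        }
    } | Sort-Object Sockets -Descending | Format-Table -AutoSize
}
```

A process whose Path points outside the usual program directories, or that is not an application you deployed, is the one to hand to SEP for a full scan and to quarantine by taking the host off the network.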
It sounds as though you are describing an issue already within your network, in which case if I were you I'd be taking the workstations communicating with said IP offline for a full complement of virus/malware/etc. detection, as well as of course uncovering what is attempting to communicate with the IP you mention, and if at all possible, trying to ascertain how the software which is communicating with the offending IP came to be on the workstations in question in the first place.