RE: [fw-wiz] Odd PIX / router behavior

From: Paul Robertson (proberts_at_patriot.net)
Date: 10/31/03


To: lordchariot@earthlink.net
Date: Fri, 31 Oct 2003 17:10:21 -0500 (EST)

On Fri, 31 Oct 2003 lordchariot@earthlink.net wrote:

> Paul,

[The other Paul answers...]

> When you saw the original spoofed traffic, what kind of packets were
> they?
> One of my customers is seeing similar behaviour on a significant amount
> of traffic and they are trying to pin it down.
> The packets we're seeing are
> Src: 127.0.0.1:80 Dst: X.X.X.X:<ephemeral> ACK flag only
>
> The firewall is blocking of course, but the traffic is unusually high.
> My first thought was a misconfigured internal host too, but sniffing the
> inside of the firewall shows no sessions originating from any of the
> internal hosts.
>
> My second guess is some sort of misconfigured router that we are trying
> to pin down. We can't confirm this however.
>
> My last guess is an external attack which is why I'm wondering if the
> traffic is similar to what you saw?

This is a worm artifact. Nachi, if I recall correctly.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
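
An added example, not part of the original messages: a small Python triage script that counts packets matching the signature quoted above (loopback source, source port 80, ACK flag only, ephemeral destination port) among records seen on the outside interface. The record format, interface names, sample addresses and the 1024 ephemeral-port cutoff are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
EPHEMERAL_MIN = 1024  # assumption: treat ports >= 1024 as ephemeral

# Constructed sample records (not real captures), one packet per line:
# interface  src  sport  dst  dport  tcp-flags
SAMPLE = """\
outside 127.0.0.1 80 192.0.2.10 1047 ACK
outside 127.0.0.1 80 192.0.2.10 3921 ACK
outside 127.0.0.1 80 192.0.2.77 1188 ACK
outside 198.51.100.5 80 192.0.2.10 2045 SYN,ACK
inside 192.0.2.10 1050 198.51.100.5 80 SYN
outside 127.0.0.1 80 192.0.2.10 80 ACK
outside 127.0.0.1 80 192.0.2.10 1500 RST,ACK
"""

def parse(line):
    """Split one whitespace-separated record into typed fields."""
    iface, src, sport, dst, dport, flags = line.split()
    return {"iface": iface, "src": ipaddress.ip_address(src),
            "sport": int(sport), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "flags": frozenset(flags.split(","))}

def is_martian(p):
    """Loopback source arriving on the outside interface is always spoofed."""
    return p["iface"] == "outside" and p["src"] in LOOPBACK

def matches_signature(p):
    """Exact pattern from the thread: 127.x:80 -> ephemeral port, ACK only."""
    return (is_martian(p) and p["sport"] == 80
            and p["dport"] >= EPHEMERAL_MIN and p["flags"] == {"ACK"})

def summarize(text):
    """Count martians and signature hits, and hits per destination address."""
    pkts = [parse(l) for l in text.splitlines() if l.strip()]
    hits = [p for p in pkts if matches_signature(p)]
    return {"total": len(pkts),
            "martian": sum(1 for p in pkts if is_martian(p)),
            "signature": len(hits),
            "per_dst": Counter(str(p["dst"]) for p in hits)}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Packets counted as martian but not as signature hits (for example RST,ACK or a non-ephemeral destination port) are still spoofed and worth dropping, but they are a different pattern from the one described in the thread.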


