RE: [fw-wiz] Odd PIX / router behavior

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 11/03/03

    To: <lordchariot@earthlink.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 3 Nov 2003 08:59:52 -0500

    Unfortunately, I haven't had the opportunity to go on-site and put in
    place a proper sniffer to determine the nature of the packets. I
    attempted to do this somewhat using the PIX's 'debug packet' feature,
    but never saw anything. I am assuming this is because the packets
    aren't TCP/UDP/ICMP, but are instead a routing protocol such as BGP or
    EIGRP. But without a packet capture, I can't be sure.

    I was hoping to see what you're seeing (well, only in that it's easily
    identifiable), where the apparent source port is 80. The packets you're
    seeing aren't spoofed, but are a result of MS-Blaster or a variant
    thereof somewhere behind your firewall. Refer to the link in my initial
    post. It explains why the traffic appears the way it does on your
    firewall.

    PaulM

    -----Original Message-----
    Paul,
    When you saw the original spoofed traffic, what kind of packets were
    they?
    One of my customers is seeing similar behaviour on a significant amount
    of traffic and they are trying to pin it down.
    The packets we're seeing are
    Src: 127.0.0.1:80 Dst: X.X.X.X:<ephemeral> ACK flag only

    The firewall is blocking of course, but the traffic is unusually high.
    My first thought was a misconfigured internal host too, but sniffing the
    inside of the firewall shows no sessions originating from any of the
    internal hosts.

    My second guess is some sort of misconfigured router that we are trying
    to pin down. We can't confirm this however.

    My last guess is an external attack which is why I'm wondering if the
    traffic is similar to what you saw?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
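The pattern described in the thread (source 127.0.0.1:80, destination an ephemeral port, ACK flag only, seen on the outside interface) can be counted and located from a packet summary before anyone goes on-site with a sniffer. The following is an added example and not code from the thread or from Cisco; the packet tuples and the interface names "outside"/"inside" are constructed sample data, not real captures.

```python
import ipaddress
from collections import Counter

# Constructed packet summaries (not a real capture):
# (interface, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# Flags use the usual one-letter codes: S=SYN, A=ACK, "SA"=SYN+ACK.
SAMPLE_PACKETS = [
    ("outside", "127.0.0.1", 80, "192.0.2.10", 34512, "A"),
    ("outside", "127.0.0.1", 80, "192.0.2.11", 40211, "A"),
    ("outside", "198.51.100.7", 80, "192.0.2.10", 51002, "SA"),
    ("outside", "203.0.113.5", 4444, "192.0.2.12", 135, "S"),
    ("inside", "192.0.2.10", 51002, "198.51.100.7", 80, "S"),
]

LOOPBACK_OUTSIDE = "loopback-source-on-outside"
ACK_ONLY_FROM_80 = "ack-only-from-port-80"


def classify(pkt):
    """Return the list of anomaly tags that apply to one packet summary."""
    iface, src, sport, dst, dport, flags = pkt
    tags = []
    # A loopback source address can never legitimately arrive on the
    # external interface; it is either spoofed or emitted by a broken stack.
    if iface == "outside" and ipaddress.ip_address(src).is_loopback:
        tags.append(LOOPBACK_OUTSIDE)
    # A bare ACK from port 80 to an ephemeral port with no matching
    # outbound session is the signature discussed in the thread.
    if flags == "A" and sport == 80 and dport >= 1024:
        tags.append(ACK_ONLY_FROM_80)
    return tags


def triage(packets):
    """Count anomaly tags and tally the inside hosts hit by the full pattern.

    Returns (tag_counts, hit_destinations); the second Counter tells you
    which internal addresses the stray ACKs are aimed at, which is the
    first thing to check when looking for an infected or misconfigured host.
    """
    tag_counts = Counter()
    hit_destinations = Counter()
    for pkt in packets:
        tags = classify(pkt)
        tag_counts.update(tags)
        if LOOPBACK_OUTSIDE in tags and ACK_ONLY_FROM_80 in tags:
            hit_destinations[pkt[3]] += 1
    return tag_counts, hit_destinations
```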

