RE: [fw-wiz] Odd PIX / router behavior

From: Melson, Paul (PMelson_at_sequoianet.com)
Date: 11/03/03

  • Next message: Gwendolynn ferch Elydyr: "Re: [fw-wiz] iptables with ipchains param."
    To: <lordchariot@earthlink.net>, <firewall-wizards@honor.icsalabs.com>
    Date: Mon, 3 Nov 2003 08:59:52 -0500
    
    

    Unfortunately, I haven't had the opportunity to go on-site and put in
    place a proper sniffer to determine the nature of the packets. I
    attempted to do this somewhat using the PIX's 'debug packet' feature,
    but never saw anything. I am assuming this is because the packets
    aren't TCP/UDP/ICMP, but are instead a routing protocol such as BGP or
    EIGRP. But without a packet capture, I can't be sure.

    I was hoping to see what you're seeing (well, only in that it's easily
    identifiable), where the apparent source port is 80. The packets you're
    seeing aren't spoofed, but are a result of MS-Blaster or a variant
    thereof somewhere behind your firewall. Refer to the link in my initial
    post. It explains why the traffic appears the way it does on your
    firewall.

    PaulM

    -----Original Message-----
    Paul,
    When you saw the original spoofed traffic, what kind of packets were
    they?
    One of my customers is seeing similar behaviour on a significant amount
    of traffic and they are trying to pin it down.
    The packets we're seeing are
    Src: 127.0.0.1:80 Dst: X.X.X.X:<ephemeral> ACK flag only

    The firewall is blocking of course, but the traffic is unusually high.
    My first thought was a misconfigured internal host too, but sniffing the
    inside of the firewall show no sessions originating from any of the
    internal hosts.

    My second guess is some sort of misconfigured router that we are trying
    to pin down. We can't confirm this however.

    My last guess is an external attack which is why I'm wondering if the
    traffic is similar to what you saw?

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: Gwendolynn ferch Elydyr: "Re: [fw-wiz] iptables with ipchains param."