RE: [fw-wiz] Odd PIX / router behavior
From: Melson, Paul (PMelson_at_sequoianet.com)
To: <firstname.lastname@example.org>, <email@example.com> Date: Mon, 3 Nov 2003 08:59:52 -0500
Unfortunately, I haven't had the opportunity to go on-site and put in
place a proper sniffer to determine the nature of the packets. I
attempted to do this somewhat using the PIX's 'debug packet' feature,
but never saw anything. I am assuming this is because the packets
aren't TCP/UDP/ICMP, but are instead a routing protocol such as BGP or
EIGRP. But without a packet capture, I can't be sure.
I was hoping to see what you're seeing (well, only in that it's easily
identifiable), where the apparent source port is 80. The packets you're
seeing aren't spoofed, but are a result of MS-Blaster or a variant
thereof somewhere behind your firewall. Refer to the link in my initial
post. It explains why the traffic appears the way it does on your
When you saw the original spoofed traffic, what kind of packets were
One of my customers is seeing similar behaviour on a significant amount
of traffic and they are trying to pin it down.
The packets we're seeing are
Src: 127.0.0.1:80 Dst: X.X.X.X:<ephemeral> ACK flag only
The firewall is blocking of course, but the traffic is unusually high.
My first thought was a misconfigured internal host too, but sniffing the
inside of the firewall show no sessions originating from any of the
My second guess is some sort of misconfigured router that we are trying
to pin down. We can't confirm this however.
My last guess is an external attack which is why I'm wondering if the
traffic is similar to what you saw?
firewall-wizards mailing list