Re: [fw-wiz] Fw: Update on 1720/1863 (was: Re: OT? New compromise.)

This actually sounds very similar to what would typically happen with a proxy
firewall, where the proxy would accept the connection (sending the ACK) and then
attempt to connect to the server on the other side (possibly several steps later
in the exchange, if the proxy does checking to see if the request appears to be
legit before bothering the host).

The fundamental lesson should be "don't try to scan through a firewall": you
don't know what the firewall could be doing that could bollox your scan.

David Lang

On Wed, 4 Apr 2007, Jim Seymour

Date: Wed, 4 Apr 2007 15:54:57 -0400 (EDT)
From: Jim Seymour <jseymour@xxxxxxxxxxx>
Reply-To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Fw: Update on 1720/1863 (was: Re: OT? New compromise.)

Mystery solved.


----- Begin Included Message -----

Date: Wed, 4 Apr 2007 14:13:33 -0400
From: Ereshkigal
Subject: Update on 1720/1863

Again, permission to cross-post granted. Hopefully, it will get
cross-posted to wherever it got cross-posted initially so that those
who have been fretting will be able to relax a bit.

It looks like this is actually not malicious, although it is, in my
opinion, Very Bad Form. It appears that there is a helper feature on
some of the firewalls that "a top 5 firewall vendor" produces that
causes the firewall to send an ACK to any probe that crosses the
firewall on ports 1720 and 1863 back to the originating host. This
is enabled by default. As far as I know so far, it's only on one type
of firewall by this vendor.

Basically, any and all connection attempts that we sent out to 1720
and 1863 that crossed this firewall returned an ACK. If we tried to
connect to the port on the IP, the firewall itself would accept the
connection. Yesterday, we stumbled on the fact that the firewall
would even take connections for IPs with no active hosts.

From the information that we've been able to get, this was discovered
this last week. The responses that we (and several others) were
seeing to 1720 and 1863 were actually outbound connection attempts
from our own hosts to the destination hosts that were intercepted and
returned by the firewall, giving the impression of running services on
the systems from anyone behind this particular type of firewall
anywhere in the route with the helper enabled.

I have heard of a few reports of people using IPTables and Netfilter
seeing this, too, but need to confirm that this particular firewall
isn't somewhere along the route between the two systems.

----- End Included Message -----
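Both messages above describe the same scan artifact: a proxy-style firewall or a helper feature answers the probe on behalf of the destination, so the scanner records the port as open even on addresses with no active host behind them. The following is an added example, not code from the thread or from any firewall vendor, of a sanity check a defender can run over scan results before trusting them. The tuple format `(host, port, state)` and the sample data are constructed for this example; the heuristic flags ports that are reported open on every scanned host and, more tellingly, on hosts that gave no real TCP answer on any other port.

```python
from collections import defaultdict

# Constructed sample scan output as (host, port, state) tuples. 10.0.0.40 stands
# in for an address with no active host behind it: as the thread reports, the
# in-path firewall still "accepts" on 1720 and 1863 for such addresses, so a
# scanner sees those two ports open everywhere, including on the empty address.
SAMPLE_RESULTS = [
    ("10.0.0.10", 22, "open"), ("10.0.0.10", 80, "open"),
    ("10.0.0.10", 443, "closed"), ("10.0.0.10", 1720, "open"), ("10.0.0.10", 1863, "open"),
    ("10.0.0.20", 22, "closed"), ("10.0.0.20", 80, "open"),
    ("10.0.0.20", 443, "open"), ("10.0.0.20", 1720, "open"), ("10.0.0.20", 1863, "open"),
    ("10.0.0.30", 22, "open"), ("10.0.0.30", 80, "filtered"),
    ("10.0.0.30", 443, "filtered"), ("10.0.0.30", 1720, "open"), ("10.0.0.30", 1863, "open"),
    ("10.0.0.40", 22, "filtered"), ("10.0.0.40", 80, "filtered"),
    ("10.0.0.40", 443, "filtered"), ("10.0.0.40", 1720, "open"), ("10.0.0.40", 1863, "open"),
]


def suspect_middlebox_ports(results, min_hosts=3):
    """Flag ports whose 'open' state looks like it was produced by something
    in the path rather than by the scanned hosts.

    Returns {port: {"open_on_silent_hosts": [...], "confidence": ...}} for each
    port that is reported open on every host in the result set. Confidence is
    'high' when at least one of those hosts answered on no other port at all
    (the firewall answering for an empty address is the strongest signal),
    otherwise 'low', because a port genuinely open on a uniform fleet (say,
    SSH on every server) also satisfies the first test.
    """
    by_port = defaultdict(dict)   # port -> {host: state}
    by_host = defaultdict(dict)   # host -> {port: state}
    for host, port, state in results:
        by_port[port][host] = state
        by_host[host][port] = state

    hosts = set(by_host)
    if len(hosts) < min_hosts:
        # Too few hosts to say anything about uniformity.
        return {}

    # Pass 1: ports scanned on every host and reported open on every host.
    uniform = {
        port for port, states in by_port.items()
        if set(states) == hosts and all(s == "open" for s in states.values())
    }

    # Pass 2: hosts that produced no real TCP answer (neither open nor closed)
    # on any port outside the uniform set. Something answered on the uniform
    # ports for an address that is otherwise silent: that is the middlebox.
    silent = sorted(
        host for host in hosts
        if all(state == "filtered"
               for port, state in by_host[host].items() if port not in uniform)
    )

    return {
        port: {
            "open_on_silent_hosts": silent,
            "confidence": "high" if silent else "low",
        }
        for port in sorted(uniform)
    }


if __name__ == "__main__":
    for port, evidence in suspect_middlebox_ports(SAMPLE_RESULTS).items():
        print(f"port {port}: open on all hosts, including silent hosts "
              f"{evidence['open_on_silent_hosts']} -> confidence {evidence['confidence']}")
```

On the constructed data this flags 1720 and 1863 with high confidence because they are "open" on 10.0.0.40, which answered on nothing else, while 22, 80 and 443 vary by host and are left alone. The same check is cheap to run on a real result set before anyone starts chasing phantom H.323 and MSN services; if it fires, the next step is to verify from inside the network segment, bypassing the suspected device, as the thread's author did.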

firewall-wizards mailing list