Re: [fw-wiz] Fw: Update on 1720/1863 (was: Re: OT? New compromise.)

Was the offending vendor named so folks can make a proper informed
decision on security perimeter devices?


Ron DuFresne

On Wed, 4 Apr 2007, Jim Seymour wrote:

Mystery solved.


----- Begin Included Message -----

Date: Wed, 4 Apr 2007 14:13:33 -0400
From: Ereshkigal
Subject: Update on 1720/1863

Again, permission to cross-post granted. Hopefully, it will get
cross-posted to wherever it got cross-posted initially so that those
who have been fretting will be able to relax a bit.

It looks like this is actually not malicious, although it is, in my
opinion, Very Bad Form. It appears that there is a helper feature on
some of the firewalls that "a top 5 firewall vendor" produces that
causes the firewall to send an ACK to any probe that crosses the
firewall on ports 1720 and 1863 back to the originating host. This
is enabled by default. As far as I know so far, it's only on one type
of firewall by this vendor.

Basically, any and all connection attempts that we sent out to 1720
and 1863 that crossed this firewall returned an ACK. If we tried to
connect to the port on the IP, the firewall itself would accept the
connection. Yesterday, we stumbled on the fact that the firewall
would even take connections for IPs with no active hosts.

From the information that we've been able to get, this was discovered
this last week. The responses that we (and several others) were
seeing to 1720 and 1863 were actually outbound connection attempts
from our own hosts to the destination hosts that were intercepted and
returned by the firewall, giving the impression of running services on
the systems from anyone behind this particular type of firewall
anywhere in the route with the helper enabled.

I have heard of a few reports of people using IPTables and Netfilter
seeing this, too, but need to confirm that this particular firewall
isn't somewhere along the route between the two systems.

----- End Included Message -----

firewall-wizards mailing list

--
admin & senior security consultant:
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
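A worked check for the effect Ereshkigal describes, added here as an example and not taken from the post or from any vendor's tooling. It assumes a SYN scan that recorded the state and the reply TTL for each port (nmap prints the TTL with --reason, e.g. "syn-ack ttl 251"), and it uses three signs that a SYN/ACK came from an in-path device rather than the scanned host: the port is "open" on every host scanned, it is "open" on a host that answered nothing else (the dead-IP case from the post), and the reply's TTL does not match the TTL of the host's other replies, since the firewall is fewer hops away and usually starts from a different initial TTL. The scan data, host addresses and the 1720/1863 figures are constructed for the example; the port numbers are the ones from the thread.

```python
from collections import Counter

# Constructed sample scan: host -> {port: (state, reply TTL)}.
# 10.0.0.5 and 10.0.0.6 are live hosts; 10.0.0.7 has no host behind it.
# Replies on 1720/1863 carry TTL 251 everywhere, including the dead IP,
# while each live host's own replies share a single TTL (54 or 55).
SCAN = {
    "10.0.0.5": {22: ("open", 54), 80: ("open", 54), 25: ("closed", 54),
                 443: ("closed", 54), 1720: ("open", 251), 1863: ("open", 251)},
    "10.0.0.6": {443: ("open", 55), 22: ("closed", 55), 80: ("closed", 55),
                 25: ("closed", 55), 1720: ("open", 251), 1863: ("open", 251)},
    "10.0.0.7": {22: ("filtered", None), 80: ("filtered", None),
                 443: ("filtered", None), 1720: ("open", 251), 1863: ("open", 251)},
}


def host_baseline_ttl(ports, exclude):
    """Most common reply TTL on this host, ignoring ports in `exclude`
    and probes that got no reply at all (state 'filtered', TTL None).
    Returns None when the host never answered anything else."""
    ttls = [ttl for p, (_, ttl) in ports.items()
            if p not in exclude and ttl is not None]
    if not ttls:
        return None
    return Counter(ttls).most_common(1)[0][0]


def intercepted_ports(scan, ttl_delta=8, min_kinds=2):
    """Return {port: [reasons]} for ports whose SYN/ACKs look like they were
    generated by an in-path firewall helper rather than the target host.
    A port is reported only when at least `min_kinds` independent kinds of
    evidence agree, so a service that is genuinely open everywhere (say,
    sshd on every box) is not flagged on that alone."""
    hosts = list(scan)
    open_ports = {p for ports in scan.values()
                  for p, (state, _) in ports.items() if state == "open"}

    def open_on(port):
        return [h for h in hosts if scan[h].get(port, ("", None))[0] == "open"]

    # Ports that are "open" on every scanned host, dead IPs included.
    everywhere = {p for p in open_ports
                  if len(hosts) > 1 and len(open_on(p)) == len(hosts)}

    findings = {}
    for port in sorted(open_ports):
        evidence = []  # (kind, explanation)
        if port in everywhere:
            evidence.append(("everywhere", f"open on all {len(hosts)} scanned hosts"))
        for h in open_on(port):
            ports = scan[h]
            # Judge the host by its replies on ports *not* under suspicion.
            ignore = everywhere | {port}
            others = [state for p, (state, _) in ports.items() if p not in ignore]
            if others and all(state == "filtered" for state in others):
                evidence.append(("dead-host", f"{h} answered nothing except port {port}"))
            base = host_baseline_ttl(ports, ignore)
            ttl = ports[port][1]
            # A real host answers SYN on every port from the same stack, so
            # its TTLs agree; a reply from an in-path box does not.
            if base is not None and ttl is not None and abs(ttl - base) > ttl_delta:
                evidence.append(("ttl", f"{h}: SYN/ACK TTL {ttl} vs host baseline {base}"))
        if len({kind for kind, _ in evidence}) >= min_kinds:
            findings[port] = [text for _, text in evidence]
    return findings


if __name__ == "__main__":
    for port, reasons in intercepted_ports(SCAN).items():
        print(f"port {port} looks intercepted in-path:")
        for reason in reasons:
            print(f"  - {reason}")
```

The dead-IP sign is the conclusive one and is exactly the test the post describes: include an address you know has nothing behind it in the scan, and any port that still comes back "open" there is being answered by something on the path. The TTL sign depends on the scanner having recorded reply TTLs, and the delta of 8 is an arbitrary threshold chosen for the example.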
