Re: What is ipfw telling me ?

From: George.Giles@mcmail.vanderbilt.edu
Date: 06/29/01 

To: Peter Pentchev <roam@orbitel.bg>
From: George.Giles@mcmail.vanderbilt.edu
Date: Fri, 29 Jun 2001 11:16:52 -0500

I do not agree. Here's why:

      the ipfw is on 10.0.0.2 and does not have a web server.
     10.0.0.1 does.

I see a lot of these style attacks, various ports, various services used on
10.0.0.1, always proxying to another machine. That is ipfw is on 10.0.0.2
and the signature of the log is:

     attacker:port 10.0.0.1:port

It makes me think that somehow a proxy attack is going on.

The 10.x.x.x are not the actual addresses obviously.

George

                                                                                                                   
                    Peter
                    Pentchev To: George.Giles@mcmail.vanderbilt.edu
                    <roam@orbitel cc: freebsd-security@freebsd.org
                    .bg> Subject: Re: What is ipfw telling me ?
                                                                                                                   
                    06/29/2001
                    10:04 AM
                                                                                                                   
                                                                                                                   

On Fri, Jun 29, 2001 at 09:49:54AM -0500,
George.Giles@mcmail.vanderbilt.edu wrote:
> What is ipfw telling me ?
>
> The 216 host is attempting to break in, but how is it using port 80 on
the
> other machine ?
>
> ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0

The host 216.239.46.20 is trying to connect to 10.0.0.1; the connection
attempt is from port 21602 (ephemeral, unique to this connection in
a certain timeframe) to port 80 on 10.0.0.1. That is, someone from
216.239.46.20 is trying to browse the web on 10.0.0.1.

G'luck,
Peter 

--
This sentence claims to be an Epimenides paradox, but it is lying.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • Re: Adding Rules for Blackberry ES to ISA 2000 - SOLVED
    ... I found that their connection actually initiated a connection on port ... any lan machine to any outside host:: allow host to ... Note that in order to get outbound bes to work on an isa server (when ...
    (microsoft.public.isaserver)
  • Re: Adding Rules for Blackberry ES to ISA 2000 - SOLVED
    ... I found that their connection actually initiated a connection on port ... any lan machine to any outside host:: allow host to ... Note that in order to get outbound bes to work on an isa server (when ...
    (microsoft.public.isaserver)
  • Re: setting up RD without a VPN connection ?
    ... Remote Desktop only needs TCP Port 3389. ... > The PC in Brazil (the host) is connected via radio internet connection. ... The client cannot connect to the host. ...
    (microsoft.public.windowsxp.work_remotely)
  • Re: Socket error when restarting host app
    ... TCP includes a mechanism to ensure that packets delayed by the network will ... not be accepted by another connection to the same host and port combination. ...
    (microsoft.public.dotnet.framework.remoting)
  • ICS and port-forwarding
    ... Does port forwarding work in XP? ... internet connection sharing features work fine, ... One client computer is running a web-server, and the host ... the client web-serving machine, the web server is ...
    (microsoft.public.windowsxp.network_web)