Re: What is ipfw telling me ?

From: Peter Pentchev (roam@orbitel.bg)
Date: 06/29/01


Date: Fri, 29 Jun 2001 19:29:25 +0300
From: Peter Pentchev <roam@orbitel.bg>
To: George.Giles@mcmail.vanderbilt.edu

On Fri, Jun 29, 2001 at 11:16:52AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
>
> I do not agree. Here's why:
>
> the ipfw is on 10.0.0.2 and does not have a web server.
> 10.0.0.1 does.
>
> I see a lot of these style attacks, various ports, various services used on
> 10.0.0.1, always proxying to another machine. That is ipfw is on 10.0.0.2
> and the signature of the log is:
>
> attacker:port 10.0.0.1:port
>
> It makes me think that somehow a proxy attack is going on.
>
> The 10.x.x.x are not the actual addresses obviously.

Look. The ipfw logs (as you could easily test yourself) list the source
and destination addresses of a TCP or UDP packet as saddr:sport daddr:dport.
The log line you pasted clearly means that there was a TCP packet from
216.blah port 21602 (clearly ephemeral) to 10.0.0.1 port 80. Somebody
is trying to reach port 80 on 10.0.0.1.

If 10.0.0.1 is not directly reachable, then this might very well be
a packet translated by a NAT (a.k.a. masquerading in the Linux world)
gateway. It might be a proxy attack, but this depends on the structure
of your network. All the log says is that 216.blah is trying to connect
to the webserver on 10.0.0.1, and that's a fact.

G'luck,
Peter

-- 
This sentence claims to be an Epimenides paradox, but it is lying.
> Peter Pentchev <roam@orbitel.bg>
> To: George.Giles@mcmail.vanderbilt.edu
> cc: freebsd-security@freebsd.org
> Subject: Re: What is ipfw telling me ?
> 06/29/2001 10:04 AM
>
> On Fri, Jun 29, 2001 at 09:49:54AM -0500,
> George.Giles@mcmail.vanderbilt.edu wrote:
> > What is ipfw telling me ?
> >
> > The 216 host is attempting to break in, but how is it using port 80 on
> > the other machine ?
> >
> >  ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0
> 
> The host 216.239.46.20 is trying to connect to 10.0.0.1; the connection
> attempt is from port 21602 (ephemeral, unique to this connection in
> a certain timeframe) to port 80 on 10.0.0.1.  That is, someone from
> 216.239.46.20 is trying to browse the web on 10.0.0.1.
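As an added example (not code from this thread or from ipfw itself), a small Python parser for the classic ipfw log format quoted above, applying Peter's reading of the line: source address and port first, destination address and port second, and a packet whose destination is not one of the firewall's own addresses is being forwarded or translated rather than aimed at the firewall. The set of firewall addresses is an assumption the caller supplies.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Matches the log format shown in the thread, e.g.
#   ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0
# TCP/UDP lines carry addr:port pairs; ICMP lines carry "ICMP:type.code" and no ports.
_LINE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)

EPHEMERAL_START = 1024  # ports at or above this are treated as client-side (ephemeral)

@dataclass
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str
    iface: str

def parse_ipfw_line(line: str) -> Optional[IpfwEvent]:
    """Parse one ipfw log line; returns None for lines in another format."""
    m = _LINE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return IpfwEvent(
        rule=int(g["rule"]), action=g["action"], proto=g["proto"],
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        direction=g["direction"], iface=g["iface"],
    )

def describe(ev: IpfwEvent, firewall_addrs: Set[str]) -> str:
    """Explain the event: who is talking to whom, and whether the packet is addressed
    to this firewall (firewall_addrs is assumed to hold the firewall's own IPs)."""
    who = f"{ev.src}:{ev.sport}" if ev.sport is not None else ev.src
    target = f"{ev.dst}:{ev.dport}" if ev.dport is not None else ev.dst
    parts = [f"rule {ev.rule} {ev.action} {ev.proto} from {who} to {target} ({ev.direction} via {ev.iface})"]
    if ev.sport is not None and ev.dport is not None and ev.sport >= EPHEMERAL_START > ev.dport:
        parts.append(f"client connection attempt to service port {ev.dport} on {ev.dst}")
    if ev.direction == "in" and ev.dst not in firewall_addrs:
        parts.append(f"{ev.dst} is not an address of this firewall: forwarded or NAT traffic")
    return "; ".join(parts)
```

Run over the line from the thread with `firewall_addrs={"10.0.0.2"}`, `describe` reports a client attempt to port 80 on 10.0.0.1 and notes that 10.0.0.1 is not the firewall itself.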