[Full-Disclosure] RE: Reverse http traffic
From: Daniel H. Renner (dan_at_losangelescomputerhelp.com)
To: James C Slora Jr <Jim.Slora@phra.com> Date: 30 Dec 2003 15:09:29 -0800
Thank you for your reply James - I've put my answers below yours:
On Tue, 2003-12-30 at 14:18, James C Slora Jr wrote:
> Daniel H. Renner wrote Tuesday, December 30, 2003 15:33
> > I had a case recently wherein one of a client's systems
> > (Win2k) could not access http, or mail traffic. At the same time, 2 other
> > (Win95 and Xandros) could, and yet he could access all of the
> > other network shares via TCP.
> > I then installed a Linux firewall on a spare computer,
> > replaced the Linksys router with it and instantly his Win2k
> > was able to browse and get email.
> This sounds like it was a config problem on the Linksys router - dmz setup
> or port forwarding or something.
Could have been, but it was set for DHCP, and any other computer on the
LAN had no problem, and there was no dmz or port-forwarding setup in the
> > I checked the firewall logs and saw quite a few attempts from
> > a Google IP address (whois-ed, but I'm not ignoring that it
> > was possibly spoofed) that was sending IN traffic with a
> > source port of 80 and a destination port in the temporary
> > range (33xx) - eh???
> Which firewall logs and what time frame? The Linksys before the switchout,
> the Linux-based firewall after the switchout, or something else?
My appologies, since I never considered the Linksys/DLink/etc. routers
to be firewalls I've not addressed them as such - but I see others do
(remind self that other's terminologies must be used when talking to
The firewall in question is an IPCop machine (this is a fork of the
Smoothwall firewall project - www.ipcop.org) with no DHCP server,
port-forwarding or HTTP proxy running - just a plain brown box... The
incomings I saw were within approx. a 1-minute timeframe.
> A lot of things could cause incoming 80 -> 33xx traffic, most of them
> benign. Do you have any packet captures with flags and ACKs, etc? Were the
> mystery packets directed to the problem machine or to the router address?
> Can you give more details about which machines have private addresses and
> which have public Internet addresses? Was the Linksys firmware up to rev?
Unfortunately I am still enough of a Linux newbie that I have not
figured out how to add a sniffer into IPCop (I could install ntop
though...) but according to the firewall logs the traffic was pointed to
the external NIC on the IPCop computer specifically which is the only
public IP address on the LAN. All others are behind the IPCop's
internal/private IP addressed NIC, and there is no DMZ NIC on the
system, nor is it setup software-wise for one at the moment.
Also, all 6 updates of IPCop had been performed on the machine before
If what could cause this sort of traffic is "mostly benign" then I'll
have my goose-pimples set to "chill" - if not, then I'm still in "Eh?"
-- Thank you, Dan Renner President Los Angeles Computerhelp http://losangelescomputerhelp.com 818.352.8700 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html