RE: Localhost packets on WAN

From: Frank Knobbe (frank_at_knobbe.us)
Date: 09/30/04

    To: "NESTING, DAVID M (SBCSI)" <dn3723@sbc.com>
    Date: Thu, 30 Sep 2004 16:39:30 -0500
    On Thu, 2004-09-30 at 10:00, NESTING, DAVID M (SBCSI) wrote:
    > Frequently, when the source port is 80 and the destination port is
    > "ephemeral", I find problems like this are usually caused by buggy or
    > misconfigured load balancers in front of a web site. Some load
    > balancers get your packet to the physical server by doing tricks with
    > the network stack.

    Good thought, could be. But this is easy to test. Just run tcpdump and
    sniff for those source IP and ephemeral ports (guess a range in advance
    if all is NATed to one IP). If you do see those leaving your network to
    some web site, then your theory applies. But if you don't see any such
    packets originating from your network, then these incoming packets are
    responses to spoofed packets. "Hanson's Blaster Theorem" applies :)

    (Of course it could be just someone sending crafted packets your way to
    keep you busy chasing a ghost.... make sure you don't have a security
    assessment or penetration test scheduled on your premises when those
    Internet flukes appear :)

    Cheers,
    Frank
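The test Frank describes, as an added example that is not part of his message or the thread: the script correlates inbound packets arriving from source port 80 with the outbound connections the site actually opened, so an inbound packet with no matching outbound flow is unsolicited (backscatter from spoofed packets, or crafted traffic). It assumes a hypothetical NAT gateway address of 203.0.113.10 and parses constructed `tcpdump -nn` text lines rather than a live capture.

```python
"""Separate inbound src-port-80 packets into replies to traffic we sent
(a load balancer answering from another stack) and unsolicited packets
(backscatter from spoofed SYNs, or someone crafting packets at us).
Input is tcpdump's default text format; the lines below are constructed."""
import re

OUR_IP = "203.0.113.10"              # hypothetical public NAT address
EPHEMERAL_RANGE = range(1024, 65536)  # client-side port range to watch

# tcpdump -nn prints: 16:39:30.123456 IP 203.0.113.10.40001 > 198.51.100.7.80: Flags [S], ...
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$"
)

# Constructed sample: one real outbound request plus its reply, then three
# inbound packets from port 80 that no local host ever asked for.
SAMPLE_CAPTURE = """\
16:39:30.100000 IP 203.0.113.10.40001 > 198.51.100.7.80: Flags [S], seq 1, win 65535
16:39:30.150000 IP 198.51.100.7.80 > 203.0.113.10.40001: Flags [S.], seq 2, ack 2, win 5840
16:39:31.000000 IP 192.0.2.55.80 > 203.0.113.10.51234: Flags [S.], seq 9, ack 1, win 16384
16:39:31.100000 IP 192.0.2.55.80 > 203.0.113.10.51235: Flags [R.], seq 0, ack 1, win 0
16:39:32.000000 IP 198.51.100.7.80 > 203.0.113.10.40002: Flags [S.], seq 3, ack 2, win 5840
"""

def parse(capture):
    """Yield (src, sport, dst, dport, rest) for each tcpdump line that matches."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def classify(capture, our_ip=OUR_IP):
    """Return {'solicited': [...], 'unsolicited': [...]} of inbound packets from port 80."""
    # Pass 1: every web connection we initiated, keyed by (server, our ephemeral port).
    outbound = set()
    for src, sport, dst, dport, _ in parse(capture):
        if src == our_ip and dport == 80 and sport in EPHEMERAL_RANGE:
            outbound.add((dst, sport))
    # Pass 2: an inbound packet from port 80 is solicited only if pass 1 saw its flow.
    result = {"solicited": [], "unsolicited": []}
    for src, sport, dst, dport, rest in parse(capture):
        if dst == our_ip and sport == 80:
            bucket = "solicited" if (src, dport) in outbound else "unsolicited"
            result[bucket].append((src, dport, rest.split(",")[0]))
    return result

if __name__ == "__main__":
    for kind, pkts in classify(SAMPLE_CAPTURE).items():
        print(kind, pkts)
```

With a real capture, feed in the output of something like `tcpdump -nn -l tcp port 80` run at the border, and remember that a busy site will need the capture to cover both directions of the flow.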
