Re: Possible attack scenario
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid) Date: 04/15/02
- Next message: RainbowHat: "Re: Possible attack scenario"
- Previous message: James Riden: "Re: Questions Regarding Workable SOHO Windows Installation / Configuration, Diagnostics, & Security Options ver. 2.03 ~ several Kb Please follow up in comp.security.misc"
- In reply to: Todd Urie: "Possible attack scenario"
- Next in thread: RainbowHat: "Re: Possible attack scenario"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Mon, 15 Apr 2002 17:24:43 +0000 (UTC)
[Part 1]
< Todd Urie
>I have a Redhat 7.2 system installed with firewall using iptables. My
>iptables setup logs all packets that are dropped by the firewall.
It looks to me like you don't drop but just log, according to the name "IN:".
>Since I
>have had the logging enabled, I have seen what appears to be an attempted
>attack scenario. I was wondering if this was really the case or am I just
>seeing something 'normal'.
I guess this is global load balancer traffic that measures round-trip
time, except the SYN packet coming from 12.251.159.195 at 14:11.
My global load balancer scenario:
1) ICMP echo request.
2) UDP port 53.
3) TCP ACK-SYN port 53. Measure round-trip time.
8<
>Any comments would be greatly appreciated.
Welcome.
>I am trying to learn what to look for and what to ignore.
Yes, you should decide your security policy.
--
Regards, RainbowHat. To spoof or not to spoof, that is the packet.
http://www.tuxedo.org/~esr/faqs/smart-questions.html
Volume is not precision
You need to be precise and informative. This end is not served by simply
dumping huge volumes of code or data into a help request. If you have a
large, complicated test case that is breaking a program, try to trim it
and make it as small as possible.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
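An added example, not part of the original post: a triage script that groups iptables LOG lines by source and separates sources showing all three probe kinds listed in the reply from everything else. The log lines are constructed, port 53 is assumed to be the destination port, and the names `classify` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel's iptables LOG format. The "IN:" prefix
# follows the thread; addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Apr 15 14:10:01 fw kernel: IN:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TTL=48 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Apr 15 14:10:01 fw kernel: IN:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=48 PROTO=UDP SPT=2100 DPT=53 LEN=20
Apr 15 14:10:01 fw kernel: IN:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TTL=48 PROTO=TCP SPT=2101 DPT=53 WINDOW=2048 RES=0x00 ACK SYN URGP=0
Apr 15 14:11:30 fw kernel: IN:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=4000 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")          # KEY=value pairs in a LOG line
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FULL_SET = {"icmp-echo", "udp-53", "tcp-synack-53"}


def classify(line):
    """Return (src, probe_kind) for one LOG line; kind is None if unmatched."""
    kv = dict(FIELD.findall(line))
    flags = FLAGS & set(line.split())       # TCP flags appear as bare tokens
    proto = kv.get("PROTO")
    kind = None
    if proto == "ICMP" and kv.get("TYPE") == "8":
        kind = "icmp-echo"
    elif proto == "UDP" and kv.get("DPT") == "53":
        kind = "udp-53"
    elif proto == "TCP" and kv.get("DPT") == "53" and flags == {"SYN", "ACK"}:
        kind = "tcp-synack-53"              # unsolicited SYN-ACK, no prior SYN
    return kv.get("SRC"), kind


def triage(log_text):
    """Split sources into those showing all three probe kinds and the rest."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        src, kind = classify(line)
        if src:
            seen[src].add(kind)
    probes = sorted(s for s, kinds in seen.items() if FULL_SET <= kinds)
    other = sorted(s for s, kinds in seen.items() if not FULL_SET <= kinds)
    return probes, other


if __name__ == "__main__":
    probes, other = triage(SAMPLE_LOG)
    print("three-probe pattern:", probes)
    print("review separately:", other)
```

The plain SYN to port 53 does not match any of the three probe kinds, so its source lands in the second list, mirroring the exception the reply calls out.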