Re: Possible attack scenario

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: Mon, 15 Apr 2002 17:24:43 +0000 (UTC)

< Todd Urie
>I have a Redhat 7.2 system installed with firewall using iptables. My
>iptables setup logs all packets that are dropped by the firewall.

Looks to me like you don't drop them but just log them, according to the name "IN:".

>Since I
>have had the logging enabled, I have seen what appears to be an attempted
>attack scenario. I was wondering if this was really the case or am I just
>seeing something 'normal'.

I guess this is global load balancer traffic that measures round trip
time, except for the SYN packet coming from 12.251.159.195 at 14:11.

My global load balancer scenario:
1) ICMP echo request.
2) UDP port 53.
3) TCP ACK-SYN to port 53, to measure round trip time.

8<
>Any comments would be greatly appreciated.

Welcome.

>I am trying to learn what to look for and what to ignore.

Yes, you should decide your security policy.

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the packet.
http://www.tuxedo.org/~esr/faqs/smart-questions.html
Volume is not precision
You need to be precise and informative. This end is not served by simply 
dumping huge volumes of code or data into a help request. If you have a 
large, complicated test case that is breaking a program, try to trim it 
and make it as small as possible.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
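As an added example (not from the original post or its author), here is a small Python script that parses iptables LOG lines of the kind the question describes and labels, per source address, the three-packet round-trip-probe pattern the reply lists (ICMP echo request, UDP to port 53, and TCP ACK-SYN to port 53 arriving close together), while separating out bare SYN packets, which are real connection attempts rather than probes. The log lines, the 192.0.2.x and 198.51.100.5 addresses, the hostname `fw` and the 60-second grouping window are constructed assumptions, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog + iptables LOG format (not from the original post).
SAMPLE_LOG = """\
Apr 15 14:10:01 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=245 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Apr 15 14:10:01 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=245 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=40
Apr 15 14:10:02 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=0 DF PROTO=TCP SPT=53 DPT=53 WINDOW=8192 RES=0x00 ACK SYN URGP=0
Apr 15 14:11:05 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.20 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog prefix ("Mon DD HH:MM:SS host kernel: ") followed by the iptables key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<rest>.*)$")
# Bare tokens the LOG target emits for TCP flags (DF and similar IP-level tokens are ignored).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_iptables_line(line):
    """Return a dict of the iptables fields plus a 'flags' set, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # ICMP and UDP lines repeat ID= and LEN= for the inner header; keep the IP-header one.
            fields.setdefault(key, value)
        elif tok in TCP_FLAGS:
            fields["flags"].add(tok)
    # syslog timestamps carry no year; the default year is irrelevant for within-log comparisons.
    fields["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return fields


def classify_sources(log_text, window_seconds=60):
    """Group packets by SRC and label the load-balancer RTT-probe triple vs. bare SYN attempts.

    Returns {src: {"gslb_rtt_probe": bool, "syn_attempts": [(HH:MM:SS, dport), ...]}}.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        pkt = parse_iptables_line(line)
        if pkt and "SRC" in pkt:
            by_src[pkt["SRC"]].append(pkt)

    result = {}
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["ts"])
        icmp_echo = [p["ts"] for p in pkts if p.get("PROTO") == "ICMP" and p.get("TYPE") == "8"]
        udp53 = [p["ts"] for p in pkts if p.get("PROTO") == "UDP" and p.get("DPT") == "53"]
        tcp53_ackSyn = [p["ts"] for p in pkts
                        if p.get("PROTO") == "TCP" and p.get("DPT") == "53"
                        and {"SYN", "ACK"} <= p["flags"]]
        # All three probe packets from one source within the window => RTT measurement pattern.
        probe = any(
            all(abs((t - t0).total_seconds()) <= window_seconds for t in (t1, t2))
            for t0 in icmp_echo for t1 in udp53 for t2 in tcp53_ackSyn
        )
        # A SYN without ACK is an attempt to open a connection, not a reply-style probe.
        syn_attempts = [(p["ts"].strftime("%H:%M:%S"), p["DPT"]) for p in pkts
                        if p.get("PROTO") == "TCP"
                        and "SYN" in p["flags"] and "ACK" not in p["flags"]]
        result[src] = {"gslb_rtt_probe": probe, "syn_attempts": syn_attempts}
    return result


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

Run against a real log, a source that shows the full triple and nothing else is the benign case the reply describes; a source that shows only bare SYNs to ports you do not serve is what the reply singles out for a closer look. The window is a tuning knob: the three probe packets normally arrive within a few seconds of each other.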