Re: Possible attack scenario

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 04/15/02

From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Mon, 15 Apr 2002 17:24:43 +0000 (UTC)

[Part 1]

< Todd Urie
>I have a Redhat 7.2 system installed with firewall using iptables. My
>iptables setup logs all packets that are dropped by the firewall.

It looks to me like you don't drop but just log, according to the name "IN:".

>Since I
>have had the logging enabled, I have seen what appears to be an attempted
>attack scenario. I was wondering if this was really the case or am I just
>seeing something 'normal'.

I guess this is global load balancer traffic that measures round trip
time, except the SYN packet coming from at 14:11.

My global load balancer scenario:
1) ICMP echo request.
2) UDP port 53.
3) TCP ACK-SYN port 53. measure round trip time.

>Any comments would be greatly appreciated.


>I am trying to learn what to look for and what to ignore.

Yes, you should decide your security policy.

Regards, RainbowHat. To spoof or not to spoof, that is the packet.
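
The three-step probe pattern listed in the reply above can be checked against a firewall log. The following is an added example, not part of the original message: it groups iptables LOG lines by source and marks sources whose logged packets are exactly the ICMP echo, UDP 53 and TCP SYN-ACK 53 set. The log lines are constructed (documentation addresses, a log prefix of "IN:"), and reading "port 53" as the destination port is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG format; not taken from the original post.
SAMPLE_LOG = """\
Apr 15 14:09:58 fw kernel: IN:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TTL=50 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Apr 15 14:09:58 fw kernel: IN:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=50 PROTO=UDP SPT=2100 DPT=53 LEN=20
Apr 15 14:09:58 fw kernel: IN:IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 TTL=50 PROTO=TCP SPT=53 DPT=53 WINDOW=2048 RES=0x00 ACK SYN URGP=0
Apr 15 14:11:02 fw kernel: IN:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TTL=48 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")                     # KEY=value pairs
FLAGS = re.compile(r"RES=\S+ ((?:[A-Z]+ )*)URGP=")     # TCP flag words, e.g. "ACK SYN "
PROBE_SET = {"icmp-echo", "udp-53", "tcp-synack-53"}   # the three steps from the reply

def probe_kind(line):
    """Return (source address, probe kind) for one LOG line; kind is 'other' if no step matches."""
    f = dict(FIELD.findall(line))
    m = FLAGS.search(line)
    flags = set(m.group(1).split()) if m else set()
    proto, dpt = f.get("PROTO"), f.get("DPT")
    if proto == "ICMP" and f.get("TYPE") == "8":
        kind = "icmp-echo"
    elif proto == "UDP" and dpt == "53":               # assumption: 53 is the destination port
        kind = "udp-53"
    elif proto == "TCP" and dpt == "53" and flags == {"SYN", "ACK"}:
        kind = "tcp-synack-53"                         # unsolicited SYN-ACK, no prior SYN from us
    else:
        kind = "other"
    return f.get("SRC"), kind

def classify(log_text):
    """Map each source to 'rtt-probe-pattern' (all three steps, nothing else) or 'review'."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        src, kind = probe_kind(line)
        if src:
            seen[src].add(kind)
    # A match means the traffic is consistent with the pattern, not that its origin is known.
    return {src: "rtt-probe-pattern" if kinds == PROBE_SET else "review"
            for src, kinds in seen.items()}

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(src, verdict)
```
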