IPSEC not blocking specific IP address per Ethereal

From: Alfredo (alfredo_at_KILL_SPAM_megapath.net)
Date: 04/18/05


Date: Mon, 18 Apr 2005 20:40:54 GMT

Win2k advanced server, updated service packs, IP sec with a few pinholes
for some daemons, port blocking working well per GRC's "Shields UP",
etc.

However, when I try to block a specific IP address by using IPSEC, the
packets get through anyway according to my ethereal sniffer which is
running on the same machine. I have added a very specific filter
against those IPs but ethereal still shows their packets getting in past
the front door.

(At least that's what I think is happening, it could be that ethereal is
capturing the packets before IPSEC gets to block them, which would be
worrisome because that would certainly be an exploitable
vulnerability.)

The hacker (a worm, really) is attacking ports 139 and 445. The packets
come in but my machine does not respond, probably because the port
blockers are working. Yes, I am blocking specific ports rather than
"everything else", I have my reasons, it's temporary, please ignore this
idiosyncrasy, the filter against this IP is specific enough that IPSEC
should match it and block it.

Anyway when I try to block this specific IP from sending any packets at
all, it's as if the filter didn't do any work whatsoever. Ethereal
shows the evil packets coming in as they please.

Here is how I have configured IPSec:
IP FILTER LISTS:
        httpd allow
        smtpd allow
        other daemons allow
        VulnerablePorts block
        evil ips block

EVIL IPS: (only 1 ip is "evil" right now)
        Mirrored: yes
        Description: ips known to be evil
        Protocol: (I've tried both ANY and TCP)
        Source Port: ANY
        Dest Port: (I've tried ANY and 445 and 139)
        Source DNS name: A specific IP addr
        Source Address: aaa.bbb.ccc.ddd (the specific worm's IP)
        Source Mask: 255.255.255.255
        Destination DNS: Any IP address
        Destination Address: (Tried both "My IP Addr" and "Any IP addr")
        Destination Mask: 0.0.0.0

I then click OK all the way out so all IPSEC and MMC windows are closed,
but Ethereal shows the packets still flooding in from that IP.

Any ideas, tips, tricks, and rumors greatly appreciated. Thanks!
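An added example, not part of the original post: a capture driver such as WinPcap's NPF is bound at the NDIS layer and sees every inbound frame the NIC delivers, before the IP stack and its IPSec filter get to drop anything, so "the packets still show up in Ethereal" by itself does not say whether the block filter is matching. What does tell you is the reply side of the same capture: a SYN answered with SYN-ACK was accepted, a SYN answered with RST reached the TCP stack but found no listener (so it was not filtered), and a SYN with no reply at all was dropped; repeated SYNs from the same source port are the peer retransmitting because it heard nothing. The script below applies that test to a constructed capture (TEST-NET addresses, invented ports and flags, nothing from the poster's machine) and reports a per-port verdict for each peer.

```python
"""Decide whether a host-level filter (e.g. a Windows IPSec block rule) is
really dropping a peer's traffic, using a packet capture taken on the same
host.  The inbound packets are visible no matter what; the verdict comes
from whether, and how, the host replied.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S"=SYN, "SA"=SYN-ACK, "R"=RST


# Constructed sample capture, not from the original post (TEST-NET addresses).
MY_IP = "192.0.2.10"
EVIL_IP = "198.51.100.77"     # the peer the block rule is supposed to match
OTHER_IP = "203.0.113.5"      # a peer that is not blocked

SAMPLE_CAPTURE = [
    Pkt(0.00, EVIL_IP, 4321, MY_IP, 445, "S"),
    Pkt(0.01, EVIL_IP, 4322, MY_IP, 139, "S"),
    Pkt(0.50, OTHER_IP, 5000, MY_IP, 80, "S"),
    Pkt(0.50, MY_IP, 80, OTHER_IP, 5000, "SA"),   # web server accepted it
    Pkt(0.80, OTHER_IP, 5001, MY_IP, 23, "S"),
    Pkt(0.80, MY_IP, 23, OTHER_IP, 5001, "R"),    # nothing listening on 23
    Pkt(3.00, EVIL_IP, 4321, MY_IP, 445, "S"),    # SYN retransmits: no reply
    Pkt(3.01, EVIL_IP, 4322, MY_IP, 139, "S"),
    Pkt(9.00, EVIL_IP, 4321, MY_IP, 445, "S"),
]


def classify_flows(capture, my_ip, peer_ip):
    """Return {dport: verdict} for every port the peer sent a SYN to.

    verdict is "accepted" (SYN-ACK seen), "refused" (RST seen, so the
    packet reached the TCP stack unfiltered) or "dropped" (no reply).
    """
    verdicts = {}
    for p in capture:
        if p.src == peer_ip and p.dst == my_ip and p.flags == "S":
            verdicts.setdefault(p.dport, "dropped")
    for p in capture:
        if p.src == my_ip and p.dst == peer_ip and p.sport in verdicts:
            if "S" in p.flags and "A" in p.flags:
                verdicts[p.sport] = "accepted"
            elif "R" in p.flags and verdicts[p.sport] != "accepted":
                verdicts[p.sport] = "refused"
    return verdicts


def syn_retransmits(capture, my_ip, peer_ip):
    """Count inbound SYNs beyond the first for each (sport, dport) pair;
    a high number means the peer never got an answer."""
    seen = Counter((p.sport, p.dport) for p in capture
                   if p.src == peer_ip and p.dst == my_ip and p.flags == "S")
    return sum(n - 1 for n in seen.values())


def filter_is_blocking(capture, my_ip, peer_ip):
    """True only if the peer sent traffic and every flow went unanswered."""
    verdicts = classify_flows(capture, my_ip, peer_ip)
    return bool(verdicts) and all(v == "dropped" for v in verdicts.values())


if __name__ == "__main__":
    for peer in (EVIL_IP, OTHER_IP):
        print(peer, classify_flows(SAMPLE_CAPTURE, MY_IP, peer),
              "retransmits:", syn_retransmits(SAMPLE_CAPTURE, MY_IP, peer),
              "blocked:", filter_is_blocking(SAMPLE_CAPTURE, MY_IP, peer))
```

Run against a real capture, the interesting case is an RST or SYN-ACK going back to the address the block rule names: that is the signal that the filter is not matching, regardless of how many inbound packets the sniffer shows. Silence plus retransmits from the peer is what a working block rule looks like from the sniffer's vantage point.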
