No subject


Sun Feb 20 16:52:19 PST 2005


by filtering"  - according to a description in "TCP/IP Illustrated Volume
1" for the references in the web page that cite the book. I have not found
the RFCs for some of the type/code combos yet and I ref the book until I
find them. My RFC index is a bit old, and I need to update to have a more
complete list.)

Now for a test...

If you do have IP Masquerading on a host behind your gw/firewall/proxy that
is not a member of the 172.31/16 network, or you do not have
any routing entries on your gw/firewall/proxy that address
explicit handling for any IP addresses on the 172.31/16
network range then try to issue a ping for 172.31.105.12

Also try to connect up to a web page with netscape, or telnet to the same
host.

Since 172.[16-31]/16 are all private networks (as others like 10/24 etc)
it would make sense for your upstream router to be configured to not allow
traffic for these to pass out to the Internet. If they have such a policy,
they may be configured to respond to your host saying, "I am a router and
do not allow you to talk to this range of IP addresses" but send this
message as though it came from the IP address you were trying to ping.

It is also possible that a request for a telnet or web session (etc) with
that address would cause the upstream router to create an ICMP response to
tell your machine "don't go there"

I would try testing the above with connecting to IP addresses on reserved
networks to see if it produces similar messages.

One note of warning, you better have a lot of free disk space on your
logging tree (assuming /var/log) if you are logging a *lot* of your
ipchains violations. A DOS can be created against your logging systems if
they can fill up your logs. It can also be difficult (or possibly
impossible :-) for the logs to identify the actual src of the attack since
the attacker does not need to see any responses, forged src addresses can
be used - as long as it fills up your log file to the point the actual
attack cannot be logged.

Perhaps I am too paranoid? Certainly, more elegant ways to fill up log
files exist, but it is just a word to the wise...

I hope this helps you out, and I would be interested in seeing if any of
the tests help to reproduce the same or similar log entries.

BTW, I seem to recall you worked for Agilent. I have a student assistant
who is leaving us July 25 as she is graduating. Do you have a contact for
her to speak with someone about employment opportunities at Agilent? 
Agilent is high on her list as a place to offer her services as a new
graduate with an internship in our department nearing completion.

Thanks!
--ME

> > E Frank Ball III <frankb at efball.com> wrote:
> >> I got this probe today.  It is an ICMP connection to port 13?
> >> Anybody know what they were trying to do?   I've only seen ICMP
> >> connections to port 0 before. 
> >> 
> >> Security Violations
> >> =-=-=-=-=-=-=-=-=-=
> >> Jul  6 13:43:15 zouave kernel: Packet log: input DENY eth0 PROTO=1 
> >> 172.31.105.12:3 209.204.172.XXX:13 L=56 S=0x00 I=54743 F=0x0000 T=48 (#3) 
> >> 
> >> Also the source address is a private network address, the firewall rule
> >> that caught it was a one I put in for IP address spoofing.
