Subject: Re: Odd Firewall Entries
From: Eric Vyncke (evyncke CISCO.COM)
Date: Wed Apr 26 2000 - 07:08:37 CDT
- Next message: Thomas Chiverton: "Linuxconf probe"
- Previous message: Russell Fulton: "Odd snmp scans from 10.0.0.0/8 address ???"
- In reply to: Ed Padin: "Re: Odd Firewall Entries"
- Next in thread: Robert Graham: "Re: Odd Firewall Entries"
- Reply: Eric Vyncke: "Re: Odd Firewall Entries"
NHRP is indeed a protocol used by routers to find routing
'short-cuts' in some NBMA networks.
NBMA network means non-broadcast multiple access network, like X.25 or ATM or GRE.
Ethernet is a broadcast multiple access (everyone receives the traffic),
NBMA network can send to multiple recipients but one per one over
a 'circuit' or SVC or tunnel.
Now, NHRP is used when you have defined an X.25 SVC between routers A and
B and defined another X.25 SVC between routers B and C. Without NHRP, all
the traffic going from A to C will transit through B. With NHRP, A will
'discover' router C and establish a direct X.25 SVC between A and C.
Getting NHRP from the Internet is quite surprising... Maybe you are using
GRE tunnels for extranet applications?
Just my 0.01 EUR of networking
Hope this helps
-eric
At 16:07 24/04/2000 -0400, Ed Padin wrote:
>Well, I found a reference to IP protocol numbers here:
>http://andrew2.andrew.cmu.edu/rfc/rfc1700.html
>
>But I don't know what uses "NBMA Next Hop Resolution Protocol". Could it be
>some VPN product? or do routers use this? Did you capture a dump of the
>entire packet or just headers?
>
> >-----Original Message-----
> >From: Vincent Sweeney [mailto:v.sweeney DEXTERUS.COM]
> >Sent: Thursday, April 20, 2000 7:37 PM
> >To: INCIDENTS SECURITYFOCUS.COM
> >Subject: Odd Firewall Entries
> >
> >
> >I have suddenly been receiving a lot of odd looking entries, like the
> >examples pasted below, from a total of 4 IP addresses. It's directed at a
> >very public facing Linux server which receives all the usual port scans and
> >attempted exploits. However this is the 1st time I've seen anything like
> >this (repeated non-standard protocol packets sent to the same server) and
> >was wondering if anyone has seen the like before and / or knows any more info?
> >
> >Thanks,
> > Vince.
> >
> >----
> >
> >Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)
> >
> >Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
> >
> >Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
> >
Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: evyncke cisco.com Mobile: +32-75-312.458
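
Added example, not part of the original message: a small Python parser for the "Packet log" lines quoted in the thread that counts denied packets per source for IP protocols other than ICMP, TCP and UDP. The regular expression, the `EXPECTED` set, the helper names and the fourth sample line are assumptions constructed for illustration; the name for protocol 54 is the one Ed Padin quotes from RFC 1700.

```python
import re
from collections import Counter

# Protocol 54 is named as in the thread (RFC 1700 listing); the rest are standard numbers.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE",
               54: "NBMA Next Hop Resolution Protocol"}
EXPECTED = {1, 6, 17}  # assumption: protocols a public-facing server normally sees

# Assumed layout, derived only from the three log entries quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+kernel: Packet log: (?P<chain>\S+) "
    r"(?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<rest>.*?)\s*\(#(?P<rule>\d+)\)$"
)

def parse_line(line):
    """Return a dict for one 'Packet log' entry, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        rec[key] = int(rec[key])
    # Remaining KEY=value tokens (L, S, I, F, T, O) are kept raw, in order,
    # as pairs so that a repeated key is not lost.
    rec["fields"] = [tuple(kv.split("=", 1)) for kv in rec.pop("rest").split()]
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], "unknown")
    return rec

def unusual_protocols(lines):
    """Count denied packets per (source, protocol) for protocols outside EXPECTED."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and rec["proto"] not in EXPECTED:
            hits[(rec["src"], rec["proto"])] += 1
    return hits

SAMPLE = [  # first three: entries from the thread; last: constructed TCP line
    "Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)",
    "Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)",
    "Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)",
    "Apr 19 23:50:01 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4021 xxx.xxx.xxx.xxx:23 L=44 S=0x00 I=1234 F=0x0000 T=50 (#17)",
]

if __name__ == "__main__":
    for (src, proto), count in unusual_protocols(SAMPLE).most_common():
        print(f"{src} proto={proto} ({PROTO_NAMES.get(proto, 'unknown')}) x{count}")
```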