Subject: Re: Odd Firewall Entries
From: Ed Padin (epadin WAGWEB.COM)
Date: Thu Apr 27 2000 - 09:36:27 CDT
I believe that MS PPTP (their sorry excuse for a secure VPN) uses GRE.
>-----Original Message-----
>From: Eric Vyncke [mailto:evyncke CISCO.COM]
>Sent: Wednesday, April 26, 2000 8:09 AM
>To: INCIDENTS SECURITYFOCUS.COM
>Subject: Re: Odd Firewall Entries
>
>
>NHRP is indeed a protocol used by routers to find routing
>'short-cuts' in some NBMA networks.
>
>NBMA network means non broadcast multiple access network like
>X.25 or ATM or GRE.
>Ethernet is a broadcast multiple access (everyone receives the traffic),
>NBMA network can send to multiple recipients but one per one over
>a 'circuit' or SVC or tunnel.
>
>Now, NHRP is used when you have defined an X.25 SVC between routers A and
>B and defined another X.25 SVC between routers B and C. Without NHRP, all
>the traffic going from A to C will transit through B. With NHRP, A will
>'discover' router C and establish a direct X.25 SVC between A and C.
>
>Getting NHRP from the Internet is quite surprising... Maybe you are using
>GRE tunnels for extranet applications?
>
>Just my 0.01 EUR of networking
>
>Hope this helps
>
>-eric
>
>At 16:07 24/04/2000 -0400, Ed Padin wrote:
>>Well, I found a reference to IP protocol numbers here:
>>http://andrew2.andrew.cmu.edu/rfc/rfc1700.html
>>
>>But I don't know what uses "NBMA Next Hop Resolution Protocol". Could it be
>>some VPN product? or do routers use this? Did you capture a dump of the
>>entire packet or just headers?
>>
>> >-----Original Message-----
>> >From: Vincent Sweeney [mailto:v.sweeney DEXTERUS.COM]
>> >Sent: Thursday, April 20, 2000 7:37 PM
>> >To: INCIDENTS SECURITYFOCUS.COM
>> >Subject: Odd Firewall Entries
>> >
>> >
>> >I have suddenly been receiving a lot of odd looking entries, like the
>> >examples pasted below, from a total of 4 IP addresses. It's directed at a
>> >very public facing Linux server which receives all the usual port scans and
>> >attempted exploits. However this is the 1st time I've seen anything like
>> >this (repeated non-standard protocol packets sent to the same server) and
>> >was wondering if anyone has seen the like before and / or knows any more info?
>> >
>> >Thanks,
>> > Vince.
>> >
>> >----
>> >
>> >Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)
>> >
>> >Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
>> >
>> >Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
>> >
>
>Eric Vyncke
>Consulting Engineer Cisco Systems EMEA
>Phone: +32-2-778.4677 Fax: +32-2-778.4300
>E-mail: evyncke cisco.com Mobile: +32-75-312.458
>