Subject: Correction Re: [fw-wiz] Possible DOS attack?
From: Anastasia Soudbinina (soudbinina at hotmail.com)
Date: Thu Apr 27 2000 - 19:48:07 CDT
- Next message: carl at bl.echidna.id.au: "Re: [fw-wiz] NAT"
- Previous message: Todd Joseph: "[fw-wiz] Export restrictions Summary"
Apologies...
I just realized that I've missed one key point - in my case both addresses
were internal - internal firewall interface and an address from blue
network. Your case is different.
What was the destination address? Can you trace it?
Was one of your users trying to reach this address (see wwwaccess.log)?
Again sorry for my mistake.
Anastasia
>Hello, Kelly,
>I experienced this problem before. The reason why it lasts only one minute
>is that AWF only logs first 30 events not to overload the log. And I bet
>it goes orange.
>In your case it was caused by somebody going to the Internet (PORT 0080).
>In my case it seemed that my mail exchanger was attacking my firewall
>(port 025).
>As soon as I understand it's not an attack at all. I know two possible
>reasons why it can happen:
>- a proxy unexpectedly stops while it's being used, in your case web proxy,
>and AWF is confused that it suddenly cannot reach the port it's currently
>using.
>- there are too many open connections, more than allowed in firewall.conf
>(default 20). If my MX is trying to open more connections than it's allowed,
>firewall considers it to be a port scan.
>And - just a wild guess - AWF 98 behaves very strangely with lack of RAM. It
>feels quite comfortable with not less than 128 Mb.
>What I suggest is that you reboot the machine when you see this strange
>port scan from inside, or change the status and restart all the proxies.
>Otherwise it can go orange again very soon. Then set activemax=50 in
>firewall.config. At least it helped me, I don't see this thing happen
>for quite a while already.
From: Kelly Sedik <KellyS at groundskeeper.com>
Reply-To: Kelly Sedik <KellyS at groundskeeper.com>
To: firewall-wizards at nfr.net
Subject: [fw-wiz] Possible DOS attack?
Date: Wed, 19 Apr 2000 16:14:04 -0700
I am the administrator of an Alta Vista firewall and I have seen some
strange entries in the filter log. I suspect someone was trying to use my
firewall to initiate a DOS attack. The following is an excerpt from that log
(address 20.1.1.1 is the external address of my firewall and 10.2.2.2 is the
address it was trying to send the packet to):
Apr 19 14:24:25 firewalker filter[123]: Log: MESSAGE: LOG0006: New Day
14:24:25, on Wednesday April 19, 2000
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1813
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1814
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1815
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1816
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:26 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1817
The red network is the internet and the blue network is my network. This
activity lasted only about a minute. It does not appear that the destination
address was ever reached.
Is this a DOS attack? If so, what, if anything, should I do about it? If you
have any questions about this incident please feel free to e-mail me. Thank
you.
Kel
"The telephone has too many shortcomings to be seriously considered as a
means of communications. The device is inherently of no value to us." -
Western Union internal memo, 1876
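Added example, not part of the thread: a small parser for the FWF0042 entries quoted above, plus a triage heuristic that encodes Anastasia's explanation (same source, a well-known source port, and a run of consecutive ephemeral destination ports points at a proxy or connection-table problem rather than an outside attacker). The heuristic and the label strings are my assumptions; the sample lines are the five warnings from Kelly's excerpt, each joined onto one line.

```python
import re
from collections import defaultdict

# One FWF0042 warning with its SrcAdr/DestAdr continuation joined onto the
# same line (the list archive wrapped each entry over two physical lines).
FWF0042_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) filter\[\d+\]: "
    r"Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To (?P<to>\w+), "
    r"Originally From (?P<frm>\w+) for (?P<proto>\w+) "
    r"SrcAdr: (?P<src>[\d.]+), DestAdr: (?P<dst>[\d.]+), "
    r"SrcPort: (?P<sport>\d+), DestPort: (?P<dport>\d+)$"
)

def parse_fwf0042(lines):
    """Return one dict per FWF0042 warning; EVENTMSG and other lines are skipped."""
    out = []
    for line in lines:
        m = FWF0042_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            out.append(d)
    return out

def classify_bursts(entries, external_ip, min_count=3):
    """Group warnings by (src, dst, sport) and label each burst of min_count+.
    Heuristic (assumption, not AWF's logic): consecutive high destination
    ports from the firewall's own external address with a well-known source
    port look like a dying proxy / activemax limit, not external traffic."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["src"], e["dst"], e["sport"])].append(e["dport"])
    results = {}
    for (src, _dst, sport), dports in groups.items():
        if len(dports) < min_count:
            continue
        sequential = all(b - a == 1 for a, b in zip(dports, dports[1:]))
        ephemeral = all(p >= 1024 for p in dports)
        if src == external_ip and sport < 1024 and sequential and ephemeral:
            results[(src, _dst, sport)] = "proxy/connection-limit artifact"
        else:
            results[(src, _dst, sport)] = "review: unexplained burst"
    return results

# Sample input: Kelly's five warnings (joined) plus two lines the parser skips.
SAMPLE_LOG = [
    "Apr 19 14:24:25 firewalker filter[123]: Log: MESSAGE: LOG0006: New Day 14:24:25, on Wednesday April 19, 2000",
    "Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0",
] + [
    "Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, "
    "Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: %d" % p
    for p in range(1813, 1818)
]
```

Running `classify_bursts(parse_fwf0042(SAMPLE_LOG), "20.1.1.1")` labels the 20.1.1.1 -> 10.2.2.2 burst as an artifact; with any other external address it falls through to the review label.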