Re: [FW1] ATTACK! - source and service port the same, dest=firewall, source changes
> I got a series of repeated hits, about every 20 seconds, originating from
> one network (3 hosts in sequence), port 18756 first, then others, all going
> to our ext. interface of the firewall. Odd thing is, the source port
> increments by one with each successive packet. Now, all along, he's getting
> dropped - but he kept going from port 1050 to 1483. Anyone have any
> comments on this?

First, sequential increasing of the source port is normal. When you
make sequential connections to a server, (such as web browsing), TCP
increments the source port with every connection. This is normal
behavior. The fact that these connections are happening to your FW
interface leads me to believe you are running NAT in Hide mode. What is
most likely happening is your internal clients are initiating outbound
traffic. The servers are responding with their own connections (ident,
etc). When the servers are responding with their own connections, their
destination is the IP on your FW (the same as the source for your
clients using NAT Hide). This is most likely not a scan or attack
attempt. For more info on determining scans and such, check out
http://www.enteract.com/~lspitz/enemy.html.
Hope that helps :)
--
Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
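
The check described in the reply above, as an added example that is not part of the original post: correlate each drop on the firewall's external address with recent outbound traffic from internal clients to the same remote host. The log format, addresses, window and port threshold are constructed assumptions, not FireWall-1's own log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FW_EXT_IP = "203.0.113.1"        # constructed: external address used for NAT Hide
INTERNAL_PREFIX = "10."          # constructed: internal address space
WINDOW = timedelta(seconds=120)  # assumed: how long after outbound traffic a callback is plausible

# Constructed log lines: time action src sport dst dport
SAMPLE_LOG = """\
10:00:01 accept 10.1.1.20 2301 198.51.100.7 25
10:00:02 drop 198.51.100.7 1050 203.0.113.1 113
10:00:22 drop 198.51.100.7 1051 203.0.113.1 113
10:00:42 drop 198.51.100.7 1052 203.0.113.1 113
10:05:00 drop 192.0.2.99 4000 203.0.113.1 21
10:05:01 drop 192.0.2.99 4001 203.0.113.1 23
10:05:02 drop 192.0.2.99 4002 203.0.113.1 80
"""

def parse(line):
    t, action, src, sport, dst, dport = line.split()
    return datetime.strptime(t, "%H:%M:%S"), action, src, int(sport), dst, int(dport)

def classify_drops(log_text):
    """Return {remote_ip: verdict} for hosts whose packets to the firewall were dropped."""
    last_outbound = {}         # remote ip -> time an internal client last contacted it
    drops = defaultdict(list)  # remote ip -> [(dport, followed_recent_outbound)]
    for line in log_text.strip().splitlines():
        t, action, src, sport, dst, dport = parse(line)
        if action == "accept" and src.startswith(INTERNAL_PREFIX):
            last_outbound[dst] = t
        elif action == "drop" and dst == FW_EXT_IP:
            seen = last_outbound.get(src)
            drops[src].append((dport, seen is not None and t - seen <= WINDOW))
    verdicts = {}
    for ip, events in drops.items():
        ports = {p for p, _ in events}
        # The incrementing source port is deliberately not used as a signal:
        # it is normal for any host making sequential connections.
        if all(recent for _, recent in events):
            verdicts[ip] = "likely server callback"   # e.g. ident (113) back to the Hide address
        elif len(ports) >= 3:                         # assumed threshold
            verdicts[ip] = "unsolicited, multiple destination ports"
        else:
            verdicts[ip] = "unsolicited"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_drops(SAMPLE_LOG).items():
        print(ip, "->", verdict)
```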