
[FW1] tcp-echo reply question




Hi,

Perhaps someone on this list can help me...For the past few months I have been 
experiencing the following output from one of our firewall logs...what 
specifically is echo-tcp and why is it banging against our firewall?  Queries to 
the intruding domain have gone unanswered...the echo-tcp request is hammering an 
external FTP server in our DMZ that is directly attached to our FireWall-1 
server.

Any advice or experience with this service and how to stop this would be 
appreciated...For security reasons, I have truncated the destination IP address 
in the logs below.

Thanks,

trichard

---

******************************************************************************
WARNING - POSSIBLE TCP SCAN/ATTACK FROM 204.253.104.12, 16 denys of type echo-tcp.
HOSTNAME- uuny450adgda1.doubleclick.net
******************************************************************************

   1 11:50:17 src 204.253.104.12	dst	.162	s_port	57639	service	echo-tcp rule 28
   1 11:50:17 src 204.253.104.12	dst	.162	s_port	57640	service	echo-tcp rule 28
   1 11:50:17 src 204.253.104.12	dst	.162	s_port	57641	service	echo-tcp rule 28
   1 11:50:17 src 204.253.104.12	dst	.162	s_port	57646	service	echo-tcp rule 28
   1 11:50:17 src 204.253.104.12	dst	.162	s_port	57647	service	echo-tcp rule 28
   1 11:50:17 src 204.253.104.12	dst	.162	s_port	57658	service	echo-tcp rule 28
   1 11:50:17 src 204.253.104.12	dst	.162	s_port	57659	service	echo-tcp rule 28
   1 11:53:24 src 204.253.104.12	dst	.162	s_port	40319	service	echo-tcp rule 28
   1 11:53:24 src 204.253.104.12	dst	.162	s_port	40320	service	echo-tcp rule 28
   1 11:53:24 src 204.253.104.12	dst	.162	s_port	40321	service	echo-tcp rule 28
   1 11:53:24 src 204.253.104.12	dst	.162	s_port	40322	service	echo-tcp rule 28
   1 11:53:24 src 204.253.104.12	dst	.162	s_port	40347	service	echo-tcp rule 28
   1 11:53:24 src 204.253.104.12	dst	.162	s_port	40351	service	echo-tcp rule 28
   1 11:53:24 src 204.253.104.12	dst	.162	s_port	40363	service	echo-tcp rule 28
   1 11:53:24 src 204.253.104.12	dst	.162	s_port	40368	service	echo-tcp rule 28
   1 11:53:24 src 204.253.104.12	dst	.162	s_port	40373	service	echo-tcp rule 28

******************************************************************************
NAT Output
******************************************************************************

[*]--- Checking host: 204.253.104.12
[*]--- Obtaining list of remote NetBIOS names

******************************************************************************
Finger Short Output
******************************************************************************

[uuny450adgda1.doubleclick.net]

******************************************************************************
Finger Long Output
******************************************************************************

[uuny450adgda1.doubleclick.net]


******************************************************************************
WARNING - POSSIBLE TCP SCAN/ATTACK FROM 209.67.38.49, 13 denys of type echo-tcp.
HOSTNAME- unknown.doubleclick.net
******************************************************************************

   1 11:50:15 src 209.67.38.49	dst	.162	s_port	38519	service	echo-tcp rule 28
   1 11:50:15 src 209.67.38.49	dst	.162	s_port	38520	service	echo-tcp rule 28
   1 11:50:15 src 209.67.38.49	dst	.162	s_port	38521	service	echo-tcp rule 28
   1 11:50:15 src 209.67.38.49	dst	.162	s_port	38522	service	echo-tcp rule 28
   1 11:50:15 src 209.67.38.49	dst	.162	s_port	38523	service	echo-tcp rule 28
   1 11:50:15 src 209.67.38.49	dst	.162	s_port	38524	service	echo-tcp rule 28
   1 11:50:15 src 209.67.38.49	dst	.162	s_port	38525	service	echo-tcp rule 28
   1 11:53:24 src 209.67.38.49	dst	.162	s_port	55016	service	echo-tcp rule 28
   1 11:53:24 src 209.67.38.49	dst	.162	s_port	55017	service	echo-tcp rule 28
   1 11:53:24 src 209.67.38.49	dst	.162	s_port	55018	service	echo-tcp rule 28
   1 11:53:24 src 209.67.38.49	dst	.162	s_port	55019	service	echo-tcp rule 28
   1 11:53:24 src 209.67.38.49	dst	.162	s_port	55020	service	echo-tcp rule 28
   1 11:53:24 src 209.67.38.49	dst	.162	s_port	55021	service	echo-tcp rule 28

******************************************************************************
NAT Output
******************************************************************************

[*]--- Checking host: 209.67.38.49
[*]--- Obtaining list of remote NetBIOS names

******************************************************************************
Finger Short Output
******************************************************************************

[unknown.doubleclick.net]

******************************************************************************
Finger Long Output
******************************************************************************

[unknown.doubleclick.net]


******************************************************************************
WARNING - POSSIBLE TCP SCAN/ATTACK FROM 204.253.104.139, 11 denys of type echo-tcp.
HOSTNAME- uuny450adgda2.doubleclick.net
******************************************************************************

   1 11:50:15 src 204.253.104.139	dst	.162	s_port	36280	service	echo-tcp rule 28
   1 11:50:15 src 204.253.104.139	dst	.162	s_port	36281	service	echo-tcp rule 28
   1 11:50:15 src 204.253.104.139	dst	.162	s_port	36282	service	echo-tcp rule 28
   1 11:50:15 src 204.253.104.139	dst	.162	s_port	36283	service	echo-tcp rule 28
   1 11:50:15 src 204.253.104.139	dst	.162	s_port	36284	service	echo-tcp rule 28
   1 11:50:15 src 204.253.104.139	dst	.162	s_port	36286	service	echo-tcp rule 28
   1 11:50:15 src 204.253.104.139	dst	.162	s_port	36287	service	echo-tcp rule 28
   1 11:50:15 src 204.253.104.139	dst	.162	s_port	36288	service	echo-tcp rule 28
   1 11:50:17 src 204.253.104.139	dst	.162	s_port	36285	service	echo-tcp rule 28
   1 11:50:17 src 204.253.104.139	dst	.162	s_port	36677	service	echo-tcp rule 28
   1 11:50:17 src 204.253.104.139	dst	.162	s_port	36678	service	echo-tcp rule 28

******************************************************************************
NAT Output
******************************************************************************

[*]--- Checking host: 204.253.104.139
[*]--- Obtaining list of remote NetBIOS names

******************************************************************************
Finger Short Output
******************************************************************************

[uuny450adgda2.doubleclick.net]

******************************************************************************
Finger Long Output
******************************************************************************

[uuny450adgda2.doubleclick.net]
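
One way to triage a log like the one in this post, as an added example that is not part of the original message: the Python below parses deny records in the shape shown (tolerating lines wrapped in transit), groups them into per-second bursts per source, and lists the seconds in which several sources were denied at once. The function names are hypothetical, and the sample records are a subset taken from the log above.

```python
import re
from collections import defaultdict

# Records taken from the log in the post (destination already truncated there).
# Two are split across lines, as mail transport often leaves them.
SAMPLE = """\
   1 11:50:17 src 204.253.104.12\tdst\t.162\ts_port\t57639\tservice\t
echo-tcp rule 28
   1 11:50:17 src 204.253.104.12\tdst\t.162\ts_port\t57640\tservice\techo-tcp rule 28
   1 11:53:24 src 204.253.104.12\tdst\t.162\ts_port\t40319\tservice\techo-tcp rule 28
   1 11:50:15 src 209.67.38.49\tdst\t.162\ts_port\t38519\tservice\techo-tcp
rule 28
   1 11:53:24 src 209.67.38.49\tdst\t.162\ts_port\t55016\tservice\techo-tcp rule 28
   1 11:50:15 src 204.253.104.139\tdst\t.162\ts_port\t36280\tservice\techo-tcp rule 28
   1 11:50:17 src 204.253.104.139\tdst\t.162\ts_port\t36285\tservice\techo-tcp rule 28
"""

RECORD = re.compile(
    r"(\d\d:\d\d:\d\d) src (\S+) dst (\S+) s_port (\d+) service (\S+) rule (\d+)")

def parse(text):
    """Return one dict per deny record; tabs and wrapped lines are flattened first."""
    flat = " ".join(text.split())
    keys = ("time", "src", "dst", "s_port", "service", "rule")
    return [dict(zip(keys, m.groups())) for m in RECORD.finditer(flat)]

def bursts(records):
    """Map (src, service, time) -> sorted source ports seen in that second."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["service"], r["time"])].append(int(r["s_port"]))
    return {k: sorted(v) for k, v in groups.items()}

def shared_instants(records):
    """Map (time, service) -> sources, kept only where more than one source was denied."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["time"], r["service"])].add(r["src"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for (src, svc, t), ports in sorted(bursts(recs).items()):
        print(f"{t} {src:<16} {svc} x{len(ports)} s_port {ports[0]}-{ports[-1]}")
    for (t, svc), srcs in sorted(shared_instants(recs).items()):
        print(f"{t} {svc}: denied from {len(srcs)} sources: {', '.join(srcs)}")
```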
