Firewall Wizards mailing list archives
Re: [FW1] Scary traffic - long
From: Hendrik Visage <hendrik () sdn co za>
Date: Mon, 21 Dec 1998 17:14:58 +0200
AFAIK: Unfortunately, tftp DOES have a broadcast "option", but it should be only in LAN context: it sends out the broadcast, and then all the tftp servers will check if they have the requested file, and then reply if they DO have the file. tftp is also "dangerous" in the sense that it's UDP, sent out to a port, and the server sends out via another port. Not all that easy to have stateful inspection code for tftp, and FW-1 doesn't handle it as "nicely" as "standard" ftp :((

roger nebel wrote:
> just an fyi, f/w-1 logging guesses at the service (tftp in this case) based on the destination port (tftp=69). i'm not aware that tftp ever uses broadcast so i'd say that tftp is a red herring. also, the "tftp" broadcast was a full 5 seconds earlier than the icmp packets in the example. they may not be related at all.
>
> Chris Brenton wrote:
> > Norman Hoy wrote:
> > > Over the last few weeks I've had 4 instances of seeing icmp's coming in to various firewalls that I manage. This was to the .255 address (firewall dropped and logged); this was followed by an snmp request on .255 from the same address.
> >
> > Close to what I'm seeing but not quite. The initial packet I see is TFTP, not ICMP or SNMP. What was weird was that this firewall claimed to drop the traffic as well but internal SNMP hosts responded to the request.
> >
> > > On each occasion I have followed this up with the originating organisation: 2 in USA, 1 in .nl and one in .au. The common thread with this from all organisations was that they had just installed castlerock's network management tool. It appears as if this software has a bug in it: when you first install it, the S/W goes out and attempts to "auto discover" your network; in reality it was auto discovering the internet :-(.
> >
> > You mean that's not a "feature". ;) I thought of this (I know some Bay devices try to discover the world as well), but the source of the attacks was too systematic. Also, there had to be some form of trickery in the packets in order to make it past the firewall. Thanks for the help and the heads up!
> > Chris
> > --
> > **************************************
> > cbrenton () sover net
> > * Multiprotocol Network Design & Troubleshooting
> >   http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
> > * Mastering Network Security
> >   http://www.amazon.com/exec/obidos/ISBN%3D0782123430/002-0346046-8151850
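A defender's model of the stateful handling Hendrik describes, as an added example that is not from this thread or from FW-1: the client's request goes to port 69 and the server's reply comes back from a different port, so the filter has to match the first reply on the client tuple and server address alone, pin the server's port once it is known, and refuse requests aimed at the directed-broadcast address. Addresses, ports and the sample trace are constructed.

```python
import ipaddress
from collections import namedtuple

TFTP_PORT = 69
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5  # TFTP opcodes (RFC 1350)
Datagram = namedtuple("Datagram", "src_ip src_port dst_ip dst_port opcode")


class TftpStatefulFilter:
    """Admits TFTP replies that come back from a server port other than 69."""

    def __init__(self, inside_net):
        self.broadcast = ipaddress.ip_network(inside_net).broadcast_address
        self.pending = set()   # (client_ip, client_port, server_ip)
        self.sessions = set()  # (client_ip, client_port, server_ip, server_port)

    def decide(self, d):
        # Directed-broadcast requests never cross the perimeter: TFTP
        # broadcast discovery is a LAN-only feature.
        if ipaddress.ip_address(d.dst_ip) == self.broadcast:
            return "DROP"
        # 1. RRQ/WRQ to port 69 opens a pending entry (access policy goes here).
        if d.dst_port == TFTP_PORT and d.opcode in (RRQ, WRQ):
            self.pending.add((d.src_ip, d.src_port, d.dst_ip))
            return "ACCEPT"
        # 2. The first reply comes from a fresh server port: match on client
        #    ip/port and server ip only, then pin the full 4-tuple.
        key = (d.dst_ip, d.dst_port, d.src_ip)
        if key in self.pending and d.opcode in (DATA, ACK, ERROR):
            self.pending.discard(key)
            if d.opcode != ERROR:
                self.sessions.add((d.dst_ip, d.dst_port, d.src_ip, d.src_port))
            return "ACCEPT"
        # 3. Later datagrams must match the pinned 4-tuple in either direction.
        fwd = (d.src_ip, d.src_port, d.dst_ip, d.dst_port)
        rev = (d.dst_ip, d.dst_port, d.src_ip, d.src_port)
        if fwd in self.sessions or rev in self.sessions:
            return "ACCEPT"
        return "DROP"


def run_sample_trace():
    """Constructed trace: a normal read, a stray reply, and an outside broadcast probe."""
    f = TftpStatefulFilter("10.0.0.0/24")
    trace = [
        Datagram("10.0.0.5", 40001, "192.0.2.10", 69, RRQ),      # client requests a file
        Datagram("192.0.2.10", 51234, "10.0.0.5", 40001, DATA),  # reply from a new server port
        Datagram("10.0.0.5", 40001, "192.0.2.10", 51234, ACK),   # client ACKs block 1
        Datagram("192.0.2.10", 51235, "10.0.0.5", 40001, DATA),  # wrong server port: no session
        Datagram("198.51.100.7", 2049, "10.0.0.255", 69, RRQ),   # broadcast probe from outside
    ]
    return [f.decide(d) for d in trace]
```

The fourth datagram shows why the pinhole must close on the first reply: a second "reply" from yet another server port is no longer matched against the pending request.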