Firewall Wizards mailing list archives
Re: [FW1] Scary traffic - long
From: Chris Brenton <cbrenton () sover net>
Date: Sun, 20 Dec 1998 19:39:28 -0500
Norman Hoy wrote:
> Over the last few weeks I've had 4 instances of seeing ICMPs coming in to various firewalls that I manage. This was to the .255 address (firewall dropped and logged); this was followed by an SNMP request on .255 from the same address.
Close to what I'm seeing but not quite. The initial packet I see is TFTP, not ICMP or SNMP. What was weird was that this firewall claimed to drop the traffic as well but internal SNMP hosts responded to the request.
> On each occasion I have followed this up with the originating organisation: 2 in USA, 1 in .nl and one in .au. The common thread with this from all organisations was that they had just installed castlerock's network management tool. It appears as if this software has a bug in it: when you first install it, the S/W goes out and attempts to "auto discover" your network; in reality it was auto discovering the internet :-(.
You mean that's not a "feature". ;) I thought of this (I know some Bay devices try to discover the world as well), but the source of the attacks was too systematic. Also, there had to be some form of trickery in the packets in order to make it past the firewall.

Thanks for the help and the heads up!

Chris
--
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
* Mastering Network Security
http://www.amazon.com/exec/obidos/ISBN%3D0782123430/002-0346046-8151850