Firewall Wizards mailing list archives
Possible DOS attack?
From: Kelly Sedik <KellyS () groundskeeper com>
Date: Wed, 19 Apr 2000 16:14:04 -0700
I am the administrator of an Alta Vista firewall and I have seen some strange entries in the filter log. I suspect someone was trying to use my firewall to initiate a DOS attack. The following is an excerpt from that log (address 20.1.1.1 is the external address of my firewall and 10.2.2.2 is the address it was trying to send the packet to):

Apr 19 14:24:25 firewalker filter[123]: Log: MESSAGE: LOG0006: New Day 14:24:25, on Wednesday April 19, 2000
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1813
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1814
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1815
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1816
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0
Apr 19 14:24:26 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1817

The red network is the internet and the blue network is my network. This activity lasted only about a minute. It does not appear that the destination address was ever reached. Is this a DOS attack? If so, what, if anything, should I do about it? If you have any questions about this incident please feel free to e-mail me. Thank you.

Kel

"The telephone has too many shortcomings to be seriously considered as a means of communications. The device is inherently of no value to us." - Western Union internal memo, 1876
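An added example, not part of the original post: a Python parser that groups FWF0042 warnings like those in the excerpt above by source address, source port and destination, then reports the time window and destination-port spread for triage. The field layout is inferred from the quoted lines only, ports are assumed to be zero-padded decimal, and the names `summarize` and `longest_run` are illustrative.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the excerpt quoted in the post.
SAMPLE = """\
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1813
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1814
Apr 19 14:24:26 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1817
"""

# Layout inferred from the excerpt; assumption: ports are zero-padded decimal.
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}) \S+ filter\[\d+\]: Warning: MESSAGE: "
    r"(?P<code>FWF\d{4}): (?P<text>.*?) for (?P<proto>\w+) "
    r"SrcAdr: (?P<src>[\d.]+), DestAdr: (?P<dst>[\d.]+), "
    r"SrcPort: (?P<sport>\d+), DestPort: (?P<dport>\d+)\s*$"
)

def longest_run(ports):
    """Length of the longest run of consecutive port numbers in a sorted list."""
    best = run = 1 if ports else 0
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def summarize(log_text):
    """Group warnings by (code, proto, src, src port, dst) and summarize each flow."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "dports": set()})
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # EVENTMSG and LOG lines carry no address fields
        g = groups[(m["code"], m["proto"], m["src"], int(m["sport"]), m["dst"])]
        g["count"] += 1
        g["first"] = g["first"] or m["ts"]
        g["last"] = m["ts"]
        g["dports"].add(int(m["dport"]))
    out = {}
    for key, g in groups.items():
        ports = sorted(g["dports"])
        out[key] = {**g, "dports": ports, "longest_run": longest_run(ports)}
    return out

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```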
Current thread:
- Possible DOS attack? Kelly Sedik (Apr 20)
- <Possible follow-ups>
- Re: Possible DOS attack? Anastasia Soudbinina (Apr 26)