Firewall Wizards mailing list archives

Re: Possible DOS attack?


From: "Anastasia Soudbinina" <soudbinina () hotmail com>
Date: Fri, 21 Apr 2000 12:16:34 MSD

Hello, Kelly,
I experienced this problem before. The reason why it lasts only one minute is that AWF only logs the first 30 events, so as not to overload the log. And I bet it goes orange.
In your case it was caused by somebody going to the Internet (PORT 0080).
In my case it seemed that my mail exchanger was attacking my firewall (port 025). As far as I understand, it's not an attack at all. I know two possible reasons why it can happen:
- a proxy unexpectedly stops while it's being used (in your case the web proxy), and AWF is confused that it suddenly cannot reach the port it's currently using;
- there are too many open connections, more than allowed in firewall.conf (default 20). If my MX is trying to open more connections than it's allowed, the firewall considers it to be a port scan.
And - just a wild guess - AWF 98 behaves very strangely with a lack of RAM. It feels quite comfortable with not less than 128 Mb.

What I suggest is that you reboot the machine when you see this strange port scan from inside, or change the status and restart all the proxies. Otherwise it can go orange again very soon. Then set activemax=50 in firewall.config. At least it helped me; I haven't seen this happen for quite a while now.

From: Kelly Sedik <KellyS () groundskeeper com>
Reply-To: Kelly Sedik <KellyS () groundskeeper com>
To: firewall-wizards () nfr net
Subject: [fw-wiz] Possible DOS attack?
Date: Wed, 19 Apr 2000 16:14:04 -0700

I am the administrator of an Alta Vista firewall and I have seen some
strange entries in the filter log. I suspect someone was trying to use my
firewall to initiate a DOS attack. The following is an excerpt from that log
(address 20.1.1.1 is the external address of my firewall and 10.2.2.2 is the
address it was trying to send the packet to):

Apr 19 14:24:25 firewalker filter[123]: Log: MESSAGE: LOG0006: New Day
14:24:25, on Wednesday April 19, 2000

Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP

SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1813


Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP

SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1814


Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP

SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1815


Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP

SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1816


Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:26 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP

SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1817

The red network is the internet and the blue network is my network. This
activity lasted only about a minute. It does not appear that the destination
address was ever reached.

Is this a DOS attack? If so, what, if anything, should I do about it? If you
have any questions about this incident please feel free to e-mail me. Thank
you.

Kel

"The telephone has too many shortcomings to be seriously considered as a
means of communications. The device is inherently of no value to us." -
Western Union internal memo, 1876


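Added example (not part of this thread, and not AltaVista Firewall code): a small triage script for the FWF0042 "Port Unreachable" bursts discussed above. It parses filter-log lines of the shape Kelly posted, groups the events per (SrcAdr, DestAdr, SrcPort), and labels the destination-port pattern. A fixed well-known source port answering a run of consecutive ephemeral destination ports is the signature of a local service (here the web proxy on port 80) that went away while clients still had connections open, which is the benign explanation in the reply; an ephemeral source port sweeping well-known destinations is the pattern worth investigating as a scan. The sample log is constructed from the excerpt in the thread (same addresses and ports) plus a constructed contrast case from 192.0.2.10; the 30-event logging cap is the figure given in the reply.

```python
"""Triage helper for AltaVista Firewall FWF0042 'Port Unreachable' bursts.

Constructed example: not the firewall's own tooling. It pairs each Warning
line with the SrcAdr/DestAdr line that follows it in the filter log, then
classifies the per-flow destination-port pattern.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Per the reply in this thread, AWF records only the first 30 events of a
# burst, so a count at this cap means "at least 30", not "exactly 30".
LOG_CAP = 30

WARN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ filter\[\d+\]: Warning: MESSAGE: "
    r"(?P<code>FWF\d{4}): (?P<text>.*)$"
)
ADDR_RE = re.compile(
    r"SrcAdr: (?P<src>[\d.]+), DestAdr: (?P<dst>[\d.]+), "
    r"SrcPort: (?P<sport>\d+), DestPort: (?P<dport>\d+)"
)


def parse_events(log: str) -> List[dict]:
    """Pair each FWF Warning line with the SrcAdr/DestAdr line after it."""
    events, pending = [], None
    for line in log.splitlines():
        line = line.strip()
        m = WARN_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = ADDR_RE.search(line)
        if m and pending:
            ev = dict(pending)
            ev.update(src=m["src"], dst=m["dst"],
                      sport=int(m["sport"]), dport=int(m["dport"]))
            events.append(ev)
            pending = None
    return events


def classify(events: List[dict], code: str = "FWF0042") -> Dict[Tuple[str, str, int], dict]:
    """Group one event code by (src, dst, sport) and label the DestPort pattern."""
    groups: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for ev in events:
        if ev["code"] == code:
            groups[(ev["src"], ev["dst"], ev["sport"])].append(ev["dport"])
    result = {}
    for key, dports in groups.items():
        sport = key[2]
        ports = sorted(set(dports))
        sequential = len(ports) > 1 and ports[-1] - ports[0] + 1 == len(ports)
        if sequential and sport < 1024 and ports[0] >= 1024:
            # A fixed service port answering consecutive client ephemeral ports:
            # a local proxy/service that stopped while clients were connected.
            verdict = "service replies to ephemeral ports (check local proxy)"
        elif len(ports) > 1 and sport >= 1024 and ports[0] < 1024:
            # An ephemeral source hitting several well-known ports looks like a sweep.
            verdict = "sweep of well-known ports (investigate as scan)"
        else:
            verdict = "undetermined"
        result[key] = {
            "count": len(dports),
            "truncated": len(dports) >= LOG_CAP,  # true count unknown if capped
            "dest_ports": ports,
            "verdict": verdict,
        }
    return result


def _entry(ts: str, src: str, dst: str, sport: int, dport: int) -> str:
    """Constructed three-line log entry in the format shown in the thread."""
    return (f"{ts} firewalker filter[123]: Warning: MESSAGE: FWF0042: Port "
            "Unreachable Outgoing To Red, Originally From Blue for TCP\n"
            f"SrcAdr: {src}, DestAdr: {dst}, SrcPort: {sport:04d}, DestPort: {dport}\n"
            f"{ts} firewalker filter[123]: Event: EVENTMSG: event FWF0042 "
            "detected from host unknown/0.0.0.0\n")


# Constructed sample: the five entries from the thread, plus a contrast case
# (constructed address 192.0.2.10 sweeping well-known ports).
SAMPLE_LOG = "".join(
    _entry("Apr 19 14:24:25", "20.1.1.1", "10.2.2.2", 80, p) for p in range(1813, 1818)
) + "".join(
    _entry("Apr 19 14:30:01", "192.0.2.10", "10.2.2.2", 40000, p) for p in (21, 22, 23, 25, 80)
)

if __name__ == "__main__":
    for key, info in classify(parse_events(SAMPLE_LOG)).items():
        flag = " (log capped, count is a lower bound)" if info["truncated"] else ""
        print(f"{key[0]}:{key[2]} -> {key[1]} ports {info['dest_ports']}: "
              f"{info['verdict']}{flag}")
```

Run it against a real filter log by replacing SAMPLE_LOG with the file contents. The "truncated" flag is the practical caveat from the reply: once a burst hits the logging cap you cannot tell from the log alone how many connections were really involved, so the activemax setting has to be judged from the proxy's own connection count, not from this log.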


