Firewall Wizards mailing list archives
Re: Possible DOS attack?
From: "Anastasia Soudbinina" <soudbinina () hotmail com>
Date: Fri, 21 Apr 2000 12:16:34 MSD
Hello, Kelly, I experienced this problem before. The reason why it lasts only one minute is that AWF only logs the first 30 events, so as not to overload the log. And I bet it goes orange.
In your case it is caused by somebody going to the Internet (PORT 0080). In my case it seemed that my mail exchanger was attacking my firewall (port 025). As far as I understand, it's not an attack at all. I know two possible reasons why it can happen:
- a proxy unexpectedly stops while it's being used, in your case the web proxy, and AWF is confused that it suddenly cannot reach the port it's currently using.
- there are too many open connections, more than allowed in firewall.conf (default 20). If my MX is trying to open more connections than it's allowed, the firewall considers it to be a port scan.
And - just a wild guess - AWF 98 behaves very strangely with a lack of RAM. It feels quite comfortable with not less than 128 Mb.
What I suggest is that you reboot the machine when you see this strange port scan from inside, or change the status and restart all the proxies. Otherwise it can go orange again very soon. Then set activemax=50 in firewall.config. At least it helped me; I haven't seen this thing happen for quite a while already.
From: Kelly Sedik <KellyS () groundskeeper com>
Reply-To: Kelly Sedik <KellyS () groundskeeper com>
To: firewall-wizards () nfr net
Subject: [fw-wiz] Possible DOS attack?
Date: Wed, 19 Apr 2000 16:14:04 -0700

I am the administrator of an Alta Vista firewall and I have seen some strange entries in the filter log. I suspect someone was trying to use my firewall to initiate a DOS attack. The following is an excerpt from that log (address 20.1.1.1 is the external address of my firewall and 10.2.2.2 is the address it was trying to send the packet to):

Apr 19 14:24:25 firewalker filter[123]: Log: MESSAGE: LOG0006: New Day 14:24:25, on Wednesday April 19, 2000
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1813
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1814
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1815
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1816
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected from host unknown/0.0.0.0
Apr 19 14:24:26 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1817

The red network is the internet and the blue network is my network. This activity lasted only about a minute. It does not appear that the destination address was ever reached. Is this a DOS attack? If so, what, if anything, should I do about it? If you have any questions about this incident please feel free to e-mail me. Thank you.

Kel

"The telephone has too many shortcomings to be seriously considered as a means of communications. The device is inherently of no value to us." - Western Union internal memo, 1876
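The FWF0042 lines above have a fixed shape, so the pattern the reply describes (one local service port such as 0080 rejecting a run of consecutive client ports, nothing ever reaching the destination) can be picked out of a filter log mechanically and told apart from traffic that deserves a closer look. The Python below is an added example for this thread, not code from the list or from AltaVista Firewall; the sample lines are constructed to match the excerpt, the activemax default of 20 is the value given in the reply, and the label names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt: one FWF0042 Warning line per rejected
# client port, each followed by its Event line (constructed, not the real log).
SAMPLE_LOG = "\n".join(
    "Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port Unreachable "
    "Outgoing To Red, Originally From Blue for TCP SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, "
    f"SrcPort: 0080, DestPort: {p}\n"
    "Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042 detected "
    "from host unknown/0.0.0.0"
    for p in range(1813, 1818)
)

# Only the Warning lines carry addresses and ports; the Event lines are skipped.
FWF0042_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ filter\[\d+\]: Warning: MESSAGE: FWF0042: "
    r".*?SrcAdr: (?P<src>[\d.]+), DestAdr: (?P<dst>[\d.]+), "
    r"SrcPort: (?P<sport>\d+), DestPort: (?P<dport>\d+)$"
)

def parse_fwf0042(text):
    """Return (timestamp, src, dst, sport, dport) for every FWF0042 Warning line."""
    events = []
    for line in text.splitlines():
        m = FWF0042_RE.match(line)
        if m:
            events.append((m["ts"], m["src"], m["dst"], int(m["sport"]), int(m["dport"])))
    return events

def classify(events, activemax=20):
    """Label each (src, sport, dst) flow. A run of consecutive ephemeral client
    ports rejected by one local service port is the stopped-proxy / activemax
    case from the reply (the firewall refusing its own clients); else review."""
    by_flow = defaultdict(list)
    for _ts, src, dst, sport, dport in events:
        by_flow[(src, sport, dst)].append(dport)
    verdicts = {}
    for flow, dports in by_flow.items():
        s = sorted(dports)
        consecutive = len(s) >= 3 and all(b - a == 1 for a, b in zip(s, s[1:]))
        ephemeral = all(p >= 1024 for p in s)
        if consecutive and ephemeral:
            label = "rejected-client-burst"
            if len(s) >= activemax:  # reply: firewall.conf default activemax is 20
                label += " (activemax reached?)"
            verdicts[flow] = label
        else:
            verdicts[flow] = "review"
    return verdicts
```

Because AWF stops logging after the first 30 events, a group that stops short of activemax in the log may still have hit it; the count is a hint, not proof.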
Current thread:
- Possible DOS attack? Kelly Sedik (Apr 20)
- <Possible follow-ups>
- Re: Possible DOS attack? Anastasia Soudbinina (Apr 26)