Re: Odd Firewall Entries

[epadin () WAGWEB COM (Ed Padin)]

I believe that MS PPTP (Their sorry excuse for a secure VPN) uses GRE.

> -----Original Message-----
> From: Eric Vyncke [mailto:evyncke () CISCO COM]
> Sent: Wednesday, April 26, 2000 8:09 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Odd Firewall Entries
>
>
> NHRP is indeed a protocol used by routers to find routing
> 'short-cuts' in some NBMA networks.
>
> NBMA network means non broadcast multiple access network like
> X.25 or ATM or GRE.
> Ethernet is a broadcast multiple access (everyone receives the
> traffic),
> NBMA network can send to multiple recipients but one per one over
> a 'circuit' or SVC or tunnel.
>
> Now, NHRP is used when you have defined a X.25 SVC between
> routers A and
> B and defined another X.25 SVC between routers B and C.
> Without NHRP, all
> the traffic going from A to C will transit through B. With NHRP, A will
> 'discover' router C and establish a direct X.25 SVC between A and C.
>
> Getting NHRP from the Internet is quite surprising... May be
> you are using
> GRE tunnels for extranet applications ?
>
> Just my 0.01 EUR of networking
>
> Hope this helps
>
> -eric
>
> At 16:07 24/04/2000 -0400, Ed Padin wrote:
> > Well, I found a reference to IP protocol numbers here:
> > http://andrew2.andrew.cmu.edu/rfc/rfc1700.html
> >
> > But I don't know what uses "NBMA Next Hop Resolution
> Protocol". Could it be
> > some VPN product? or do routers use this? Did you capture a
> dump of the
> > entire packet or just headers?
> >
> > > -----Original Message-----
> > > From: Vincent Sweeney [mailto:v.sweeney () DEXTERUS COM]
> > > Sent: Thursday, April 20, 2000 7:37 PM
> > > To: INCIDENTS () SECURITYFOCUS COM
> > > Subject: Odd Firewall Entries
> > >
> > >
> > > I have suddenly been receiving a lot of odd looking
> entries, like the
> > > examples pasted below, from a total of 4 IP addresses. Its
> > > directed at a
> > > very public facing Linux server which receives all the usual
> > > port scans and
> > > attempted exploits. However this is the 1st time I've seen
> > > anything like
> > > this (repeated non-standard protocol packets sent to the same
> > > server) and
> > > was wonder if anyone has seen the like before and / or knows
> > > any more info?
> > >
> > > Thanks,
> > >    Vince.
> > >
> > > ----
> > >
> > > Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54
> > > 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0
> > > F=0x0000 T=16
> > > O=0x00000494 (#17)
> > >
> > > Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54
> > > 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0
> > > F=0x0000 T=22
> > > O=0x00000494 (#17)
> > >
> > > Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54
> > > 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0
> > > F=0x0000 T=22
> > > O=0x00000494 (#17)
>
> Eric Vyncke
> Consulting Engineer                Cisco Systems EMEA
> Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
> E-mail: evyncke () cisco com          Mobile: +32-75-312.458