Security Incidents mailing list archives
Re: Odd Firewall Entries
From: epadin () WAGWEB COM (Ed Padin)
Date: Thu, 27 Apr 2000 10:36:27 -0400
I believe that MS PPTP (their sorry excuse for a secure VPN) uses GRE.

-----Original Message-----
From: Eric Vyncke [mailto:evyncke () CISCO COM]
Sent: Wednesday, April 26, 2000 8:09 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Odd Firewall Entries

NHRP is indeed a protocol used by routers to find routing 'short-cuts' in some NBMA networks. NBMA network means non-broadcast multiple access network like X.25 or ATM or GRE. Ethernet is a broadcast multiple access (everyone receives the traffic); an NBMA network can send to multiple recipients but one by one over a 'circuit' or SVC or tunnel.

Now, NHRP is used when you have defined an X.25 SVC between routers A and B and defined another X.25 SVC between routers B and C. Without NHRP, all the traffic going from A to C will transit through B. With NHRP, A will 'discover' router C and establish a direct X.25 SVC between A and C.

Getting NHRP from the Internet is quite surprising... Maybe you are using GRE tunnels for extranet applications?

Just my 0.01 EUR of networking
Hope this helps
-eric

At 16:07 24/04/2000 -0400, Ed Padin wrote:
Well, I found a reference to IP protocol numbers here: http://andrew2.andrew.cmu.edu/rfc/rfc1700.html But I don't know what uses "NBMA Next Hop Resolution Protocol". Could it be some VPN product? Or do routers use this? Did you capture a dump of the entire packet or just headers?

-----Original Message-----
From: Vincent Sweeney [mailto:v.sweeney () DEXTERUS COM]
Sent: Thursday, April 20, 2000 7:37 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Odd Firewall Entries

I have suddenly been receiving a lot of odd looking entries, like the examples pasted below, from a total of 4 IP addresses. It's directed at a very public facing Linux server which receives all the usual port scans and attempted exploits. However this is the 1st time I've seen anything like this (repeated non-standard protocol packets sent to the same server) and was wondering if anyone has seen the like before and / or knows any more info?

Thanks, Vince.

----
Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)
Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)

Eric Vyncke
Consulting Engineer
Cisco Systems EMEA
Phone: +32-2-778.4677
Fax: +32-2-778.4300
E-mail: evyncke () cisco com
Mobile: +32-75-312.458
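As an added example (not code from anyone in this thread), the following Python parses ipchains "Packet log" lines in the format quoted above, maps the IP protocol number to its RFC 1700 name (47 GRE, 54 NHRP, and a few common ones), and summarises denied packets by source and protocol so that repeated non-standard protocol traffic like Vince's stands out. The sample log lines are constructed in the same format with documentation addresses, and the set of protocols the host is "expected" to receive is an assumption to be adjusted per host.

```python
import re
from collections import defaultdict

# Regex for the ipchains "Packet log:" line format shown in the thread
# (Linux 2.2). Fields: syslog timestamp, chain, verdict, interface, IP
# protocol number, src:port, dst:port, total length, TOS, IP id, fragment
# word, TTL, the O= word as logged, and the rule number in parentheses.
PACKET_LOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) O=0x(?P<o>[0-9a-fA-F]+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

# IP protocol numbers as listed in RFC 1700 (the reference cited above).
PROTO_NAMES = {
    1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH",
    54: "NHRP (NBMA Next Hop Resolution Protocol)",
}

# Assumption: this host is only expected to receive ICMP, TCP and UDP;
# anything else is reported as unexpected.
EXPECTED_PROTOS = {1, 6, 17}

# Constructed sample lines in the same format as the thread's log excerpt,
# using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 192.0.2.10:65535 198.51.100.5:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)
Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 192.0.2.20:65535 198.51.100.5:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 192.0.2.20:65535 198.51.100.5:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
Apr 19 23:42:01 kernel: Packet log: input DENY eth0 PROTO=47 192.0.2.30:65535 198.51.100.5:65535 L=60 S=0x00 I=0 F=0x0000 T=50 O=0x00000000 (#17)
Apr 19 23:42:10 kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.40:4321 198.51.100.5:23 L=60 S=0x00 I=31337 F=0x4000 T=64 O=0x00000000 (#12)
Apr 19 23:42:11 kernel: Packet log: input ACCEPT eth0 PROTO=17 192.0.2.40:5000 198.51.100.5:53 L=60 S=0x00 I=1 F=0x0000 T=64 O=0x00000000 (#3)
"""


def parse_line(line):
    """Parse one ipchains log line into a dict, or return None if it does not match."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], "unassigned/unknown")
    # ipchains logs 65535 as both ports for protocols that carry no port
    # numbers, which is exactly what the PROTO=54 entries above show.
    rec["has_ports"] = not (rec["sport"] == 65535 and rec["dport"] == 65535)
    return rec


def summarize(lines):
    """Count DENY entries per (source, protocol) and flag unexpected protocols."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "DENY":
            continue
        counts[(rec["src"], rec["proto"])] += 1
    findings = []
    for (src, proto), n in sorted(counts.items()):
        findings.append({
            "src": src,
            "proto": proto,
            "name": PROTO_NAMES.get(proto, "unassigned/unknown"),
            "count": n,
            "unexpected": proto not in EXPECTED_PROTOS,
        })
    return findings


def report(lines=None):
    """Print a one-line summary per (source, protocol) and return the findings."""
    findings = summarize(lines if lines is not None else SAMPLE_LOG.splitlines())
    for f in findings:
        flag = "UNEXPECTED" if f["unexpected"] else "ok"
        print(f"{f['src']:16} proto {f['proto']:3} {f['name']:45} x{f['count']}  {flag}")
    return findings


if __name__ == "__main__":
    report()
```

Feeding the real syslog through `summarize()` (e.g. `summarize(open("/var/log/messages"))`) gives the same grouping; the point of the `unexpected` flag is that protocol numbers outside the handful a host legitimately speaks (here 47 and 54) are rare enough to be worth a closer look, whereas a single TCP probe is background noise.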