Security Incidents mailing list archives
Spammers bypassing Cisco ACL's??
From: "Chris Harrington" <cmh () nmi net>
Date: Thu, 10 Jun 2004 14:01:51 -0400
All,

Yesterday a friend called and said he saw about 20 alerts from his ISS Real Secure Sensor. The alerts were TCP_OS_FINGERPRINT alerts and the traffic that was generating these alerts was coming from their Checkpoint firewall, specifically the NAT'ed IP address for incoming email. Further inspection showed that this traffic had source ports of 25 and 32773 and the Fin, Push, Urg and Ack packets set. That combination of flags set off the ISS sensor. The destinations were all IP's in the APNIC space. Given the combination of ports and destinations this is probably the work of spammers.

The customer has a Cisco router filtering all inbound traffic except to ports 80, 443, 25. So I am not sure why the firewall (which is behind the router) would be responding to traffic from port 32773. Inbound traffic with that destination address should be blocked by the router. I verified this in the config. Then I checked the firewall logs. Sure enough there was inbound traffic to port 32773 being blocked by the firewall. This traffic should not reach the firewall (because of the router) and even if it did I wouldn't think that the firewall would respond with the same flags plus an Ack.

The only conclusion I can come up with is that traffic with the FPU flags set is making it past the router. I have not had time to test this. Why the firewall is responding is beyond me. Am I missing something here?

Thanks,
--Chris
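The post does not say how the router's ACL is written, so the reason FIN/PSH/URG/ACK segments reach the firewall is not settled here. One well-known behaviour of stateless Cisco ACLs is worth checking against the config, though: the `established` keyword matches any TCP segment with the ACK or RST bit set, regardless of destination port, because the router keeps no connection table. The script below is an added example (not from the post, the thread, or any vendor) that models such an ACL as an assumption, runs it and a minimal stateful check over a few constructed log lines in the shape of the traffic described, and reports which segments a stateless filter would pass but a connection tracker would drop, plus which carry the FIN+PSH+URG combination the IDS flagged. The log format, the addresses (RFC 5737 ranges) and the mail host are all constructed; the allowed ports come from the post.

```python
"""Compare a stateless 'established'-style ACL with a simple connection tracker
on segments like the ones in the post (added example; assumptions are marked)."""
from dataclasses import dataclass

ALLOWED_PORTS = {80, 443, 25}   # inbound ports the post says the router permits
MAIL_HOST = "192.0.2.10"        # constructed stand-in for the NAT'ed mail address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flag letters, e.g. {"F", "P", "U", "A"}


def parse_line(line: str) -> Packet:
    """Parse the constructed format 'src:sport > dst:dport flags=FPUA'."""
    endpoints, flagpart = line.split(" flags=")
    src, dst = endpoints.split(" > ")
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Packet(s_ip, int(s_port), d_ip, int(d_port), frozenset(flagpart.strip()))


def stateless_accept(pkt: Packet) -> bool:
    """Model an inbound ACL of the assumed form
         permit tcp any any established      (matches ACK or RST set)
         permit tcp any host MAIL eq 25/80/443
         deny ip any any
    Whether the post's router actually has an 'established' line is unknown."""
    if "A" in pkt.flags or "R" in pkt.flags:
        return True
    return pkt.dst == MAIL_HOST and pkt.dport in ALLOWED_PORTS


def is_xmas_like(pkt: Packet) -> bool:
    """FIN, PSH and URG together without SYN: the combination the IDS alerted on."""
    return {"F", "P", "U"} <= pkt.flags and "S" not in pkt.flags


class ConnTracker:
    """Minimal stateful check: only a bare SYN to an allowed port opens a flow;
    every other segment must belong to a flow that is already open."""

    def __init__(self) -> None:
        self.flows: set = set()

    def accept(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == frozenset("S"):
            if pkt.dst == MAIL_HOST and pkt.dport in ALLOWED_PORTS:
                self.flows.add(fwd)
                return True
            return False
        return fwd in self.flows or rev in self.flows


def audit(lines):
    """Return (segments passed by the stateless ACL but not by the tracker,
    segments with the FIN+PSH+URG combination), both as lists of log lines."""
    tracker = ConnTracker()
    leaked, xmas = [], []
    for line in lines:
        pkt = parse_line(line)
        stateless = stateless_accept(pkt)
        stateful = tracker.accept(pkt)   # tracker must see every segment in order
        if stateless and not stateful:
            leaked.append(line)
        if is_xmas_like(pkt):
            xmas.append(line)
    return leaked, xmas


# Constructed inbound log lines (not real captures): a normal SMTP session,
# then FIN/PSH/URG/ACK segments to port 32773 like those in the post.
SAMPLE_LINES = [
    "198.51.100.7:40000 > 192.0.2.10:25 flags=S",
    "198.51.100.7:40000 > 192.0.2.10:25 flags=PA",
    "203.0.113.5:32773 > 192.0.2.10:32773 flags=FPUA",
    "203.0.113.5:25 > 192.0.2.10:32773 flags=FPUA",
    "203.0.113.9:2000 > 192.0.2.10:32773 flags=S",
    "203.0.113.9:25 > 192.0.2.10:4444 flags=FPU",
]

if __name__ == "__main__":
    leaked, xmas = audit(SAMPLE_LINES)
    print("passed by stateless ACL, dropped by tracker:")
    for line in leaked:
        print("  ", line)
    print("FIN+PSH+URG without SYN:")
    for line in xmas:
        print("  ", line)
```

Run against the constructed lines, the two FIN/PSH/URG/ACK segments to port 32773 are accepted by the modelled ACL purely because ACK is set, while the tracker rejects them because no SYN ever opened that flow; the bare SYN to 32773 and the ACK-less FIN/PSH/URG segment are dropped by both. If the real ACL turns out to contain an `established` line, the same comparison explains how such segments reach the firewall without any ACL being "bypassed" in the sense of a defect; the fix on the Cisco side is a stateful mechanism (reflexive ACLs or CBAC on IOS of that era) rather than a port list.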
Current thread:
- Simple Windows incident response methodology Lachniet, Mark (Jun 08)
- RE: Simple Windows incident response methodology Security Guy (Jun 09)
- RE: [ok] Simple Windows incident response methodology Curt Purdy (Jun 09)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- Re: Spammers bypassing Cisco ACL's?? Mark Coleman (Jun 10)
- RE: [ok] Simple Windows incident response methodology Harlan Carvey (Jun 14)
- Spammers bypassing Cisco ACL's?? Chris Harrington (Jun 10)
- <Possible follow-ups>
- Re: Simple Windows incident response methodology H Carvey (Jun 08)
- RE: Simple Windows incident response methodology Lachniet, Mark (Jun 09)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)
- Re: Simple Windows incident response methodology Steve Barnet (Jun 11)
- Re: Simple Windows incident response methodology Harlan Carvey (Jun 11)
- RE: Simple Windows incident response methodology Mike Lyman (Jun 14)
- RE: Simple Windows incident response methodology Harlan Carvey (Jun 10)
- RE: Simple Windows incident response methodology Lachniet, Mark (Jun 14)
- RE: Simple Windows incident response methodology Brad Webb (Jun 20)