Netscreen 5XT SSH Traffic

[Ben Blakely <blakely () krellinst org>]

Hello List,

 I'm the admin for a small network that uses a NetScreen 5XT firewall 
as the border access control device.   Just like everyone else, we get a 
pretty constant stream of SSH login attempts to our full range of IPs.  
This doesn't concern us too much as our root logins are disabled and we 
enforce strong passwords.  However, several days ago we started seeing 
SSH (v2, port 22) login attempts to machines that the firewall should 
not be allowing SSH traffic to in the first place.  Unfortunately this 
happened overnight and our log vault machine was experiencing unrelated 
problems. Due to this I wasn't able to capture any of the traffic for 
closer dissection.  The only conclusion we were able to reach here was 
that perhaps there is a state table poisoning bug in the NetScreen code 
that tricked the firewall into thinking the traffic had originated as 
egress.  Is this a reasonable conclusion?  To be honest that seems like 
a bit of a reach, does anyone else have any experience with similar 
incidents or any possible explanations?  I'll happy to clarify anything 
I can with the data I have, thanks for your time everyone.

/ben Blakely