Firewall Wizards mailing list archives
Re: [FW1] Scary traffic - long
From: roger nebel <roger () homecom com>
Date: Mon, 21 Dec 1998 10:01:08 -0500
Just an FYI: FW-1 logging guesses at the service (TFTP in this case) based on the destination port (tftp=69). I'm not aware that TFTP ever uses broadcast, so I'd say that TFTP is a red herring. Also, the "tftp" broadcast was a full 5 seconds earlier than the ICMP packets in the example. They may not be related at all.

Chris Brenton wrote:

> Norman Hoy wrote:
>
> > Over the last few weeks I've had 4 instances of seeing ICMPs coming in to various firewalls that I manage. This was to the .255 address (firewall dropped and logged); this was followed by an SNMP request on .255 from the same address.
>
> Close to what I'm seeing but not quite. The initial packet I see is TFTP, not ICMP or SNMP. What was weird was that this firewall claimed to drop the traffic as well, but internal SNMP hosts responded to the request.
>
> > On each occasion I have followed this up with the originating organisation: 2 in the USA, 1 in .nl and one in .au. The common thread with this from all organisations was that they had just installed Castle Rock's network management tool. It appears as if this software has a bug in it: when you first install it, the S/W goes out and attempts to "auto discover" your network; in reality it was auto discovering the internet :-(.
>
> You mean that's not a "feature". ;) I thought of this (I know some Bay devices try to discover the world as well), but the source of the attacks was too systematic. Also, there had to be some form of trickery in the packets in order to make it past the firewall.
>
> Thanks for the help and the heads up!
>
> Chris
>
> --
> cbrenton () sover net
> * Multiprotocol Network Design & Troubleshooting
>   http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
> * Mastering Network Security
>   http://www.amazon.com/exec/obidos/ISBN%3D0782123430/002-0346046-8151850
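The point Roger makes is that the firewall's service label is only a guess from the destination port, so a defender should correlate on what the packets actually have in common (the directed-broadcast target, the source, the timing) rather than on the "tftp" name. The following is an added example, not code from this thread or from Check Point; the log format, the PORT_LABELS table and the 10-second window are constructed assumptions modelled loosely on the messages above.

```python
"""Correlate firewall log entries aimed at directed-broadcast (.255)
addresses per source, ignoring the service name guessed from the port."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format, not a real FW-1 export).
SAMPLE_LOG = """\
1998-12-18 09:14:02 drop src=192.0.2.10 dst=198.51.100.255 proto=udp dport=69
1998-12-18 09:14:07 drop src=192.0.2.10 dst=198.51.100.255 proto=icmp dport=-
1998-12-18 09:14:08 drop src=192.0.2.10 dst=198.51.100.255 proto=udp dport=161
1998-12-18 09:30:00 accept src=192.0.2.77 dst=198.51.100.20 proto=udp dport=69
"""

# Mimics how the firewall names a UDP packet purely by destination port:
# anything to port 69 is logged as "tftp" whether or not TFTP is in play.
PORT_LABELS = {69: "tftp", 161: "snmp"}

def parse_line(line):
    fields = line.split()
    rec = {"time": datetime.strptime(fields[0] + " " + fields[1],
                                     "%Y-%m-%d %H:%M:%S"),
           "action": fields[2]}
    for kv in fields[3:]:
        key, value = kv.split("=", 1)
        rec[key] = value
    rec["dport"] = int(rec["dport"]) if rec["dport"].isdigit() else None
    # Fall back to the protocol name when no port label applies (e.g. ICMP).
    rec["label"] = PORT_LABELS.get(rec["dport"], rec["proto"])
    return rec

def is_directed_broadcast(addr):
    # Simplification: treats any address ending in .255 as a broadcast target.
    return addr.split(".")[-1] == "255"

def broadcast_bursts(log_text, window=timedelta(seconds=10)):
    """Return, per source, the labels of broadcast-targeted packets that
    arrived within `window` of that source's first broadcast packet."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_directed_broadcast(rec["dst"]):
            by_src[rec["src"]].append(rec)
    bursts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        first = recs[0]["time"]
        bursts[src] = [r["label"] for r in recs if r["time"] - first <= window]
    return bursts
```

Run against the sample, the single source that hit the broadcast address shows up with all three labels in one burst, while the unicast "tftp" hit to a real host is left out.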