Firewall Wizards mailing list archives
snmp scans
From: Gerhard Mezger <gerhard.mezger () bluewin ch>
Date: Mon, 07 Jun 1999 23:30:00 +0200
in the last time we saw several snmp-scans towards part of our network with source addresses out of the range of a foreign dial-up service provider. It looks like these scans were run from an automatic tool, especially because the source port is always the same (1026). It seems that all requests get dropped at the external interface of the firewall. Today we noticed a strange entry in our logfile: The network was scanned from the same address/source-port as before (in declining order), the last dropped snmp message of this scan however was destined to the limited broadcast address: 255.255.255.255. It is my understanding that routers are not allowed to forward the limited broadcast address. Given this, I do not understand how this packet appears on the external segment of our firewall which is only shared by the firewall and a router providing access to the Internet. We checked the config, escpecially the ACLs of this router and everything looks fine. Has anybody seen this before or an idea how this could happen? thanks
Current thread:
- snmp scans Gerhard Mezger (Jun 14)