Firewall Wizards mailing list archives
RE: Odd PIX / router behavior
From: "Melson, Paul" <PMelson () sequoianet com>
Date: Mon, 3 Nov 2003 08:59:52 -0500
Unfortunately, I haven't had the opportunity to go on-site and put in place a proper sniffer to determine the nature of the packets. I attempted to do this somewhat using the PIX's 'debug packet' feature, but never saw anything. I am assuming this is because the packets aren't TCP/UDP/ICMP, but are instead a routing protocol such as BGP or EIGRP. But without a packet capture, I can't be sure.

I was hoping to see what you're seeing (well, only in that it's easily identifiable), where the apparent source port is 80. The packets you're seeing aren't spoofed, but are a result of MS-Blaster or a variant thereof somewhere behind your firewall. Refer to the link in my initial post. It explains why the traffic appears the way it does on your firewall.

PaulM

-----Original Message-----

Paul,

When you saw the original spoofed traffic, what kind of packets were they? One of my customers is seeing similar behaviour on a significant amount of traffic and they are trying to pin it down. The packets we're seeing are:

  Src: 127.0.0.1:80
  Dst: X.X.X.X:<ephemeral>
  ACK flag only

The firewall is blocking of course, but the traffic is unusually high. My first thought was a misconfigured internal host too, but sniffing the inside of the firewall shows no sessions originating from any of the internal hosts. My second guess is some sort of misconfigured router that we are trying to pin down. We can't confirm this however. My last guess is an external attack, which is why I'm wondering if the traffic is similar to what you saw?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
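Editor's note: the packet shape described in the quoted message (source 127.0.0.1:80, destination an ephemeral port, ACK flag only) is specific enough to isolate with a capture filter and to tally from a text capture, which is the step both posters were missing. The following is an added example written for this archive page, not code from either poster. It pairs a libpcap/tcpdump capture filter for exactly that shape with a small classifier run over constructed tcpdump-style lines; the sample lines, the 192.0.2.0/24 and 198.51.100.0/24 addresses standing in for X.X.X.X, and the two heuristics (loopback source arriving on the wire, bare ACK from port 80 to a port >= 1024) are the editor's assumptions, not something stated in the thread.

```python
import ipaddress
import re
from collections import Counter

# libpcap/tcpdump capture filter matching the traffic the thread describes:
# TCP, source 127.0.0.1, source port 80, ACK set and no other flag.
BPF_FILTER = "tcp and src host 127.0.0.1 and src port 80 and tcp[tcpflags] == tcp-ack"

# CONSTRUCTED sample lines in tcpdump's IPv4 text format (assumption: this is what a
# sniffer on the outside interface would print). 192.0.2.x stands in for X.X.X.X.
SAMPLE_LINES = """\
08:59:52.000001 IP 127.0.0.1.80 > 192.0.2.10.3452: Flags [.], ack 1, win 0, length 0
08:59:52.000002 IP 127.0.0.1.80 > 192.0.2.10.3453: Flags [.], ack 1, win 0, length 0
08:59:52.000003 IP 127.0.0.1.80 > 192.0.2.77.1291: Flags [.], ack 1, win 0, length 0
08:59:52.000004 IP 198.51.100.5.80 > 192.0.2.10.3452: Flags [S.], seq 10, ack 1, win 5840, length 0
08:59:52.000005 IP 192.0.2.10.3452 > 198.51.100.5.80: Flags [S], seq 0, win 65535, length 0
08:59:52.000006 IP 198.51.100.9.443 > 192.0.2.10.4000: Flags [.], ack 1, win 0, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

EPHEMERAL_MIN = 1024  # assumed lower bound of the client port range


def parse_line(line):
    """Return a dict for one tcpdump IPv4 TCP line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def classify(pkt):
    """Label a parsed packet as seen on the OUTSIDE interface of a firewall.

    Returns the list of reasons it is suspicious; an empty list means unremarkable.
    """
    reasons = []
    src = ipaddress.ip_address(pkt["src"])
    # A 127/8 source can never legitimately arrive from a peer (RFC 1122: loopback
    # datagrams must not appear outside the host), so this alone is a red flag.
    if src.is_loopback:
        reasons.append("loopback source on wire")
    # Bare ACK from a server port to a client port with no session behind it: the
    # shape of the traffic in the thread. Flags "." is tcpdump's notation for ACK only.
    if pkt["flags"] == "." and pkt["sport"] == 80 and pkt["dport"] >= EPHEMERAL_MIN:
        reasons.append("ack-only from port 80 to ephemeral port")
    return reasons


def summarize(text):
    """Parse every line and count suspicious packets by reason and by destination."""
    by_reason = Counter()
    by_dst = Counter()
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        reasons = classify(pkt)
        for r in reasons:
            by_reason[r] += 1
        if reasons:
            by_dst[pkt["dst"]] += 1
    return by_reason, by_dst


if __name__ == "__main__":
    reasons, dsts = summarize(SAMPLE_LINES)
    print("capture filter:", BPF_FILTER)
    for reason, n in reasons.items():
        print(f"{n:4d}  {reason}")
    for dst, n in dsts.most_common():
        print(f"{n:4d}  -> {dst}")
```

Run against a real capture with `tcpdump -nn -i <outside-if> '<BPF_FILTER>'` piped into `summarize`; the per-destination tally points at which inside hosts are being hit, which is the list to check first for the misconfigured host or infected machine the posters were looking for.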
Current thread:
- RE: Odd PIX / router behavior Melson, Paul (Nov 04)