Re: Odd Firewall Entries

[epadin () WAGWEB COM (Ed Padin)]

Well, I found a reference to IP protocol numbers here:
http://andrew2.andrew.cmu.edu/rfc/rfc1700.html

But I don't know what uses "NBMA Next Hop Resolution Protocol". Could it be
some VPN product? or do routers use this? Did you capture a dump of the
entire packet or just headers?

> -----Original Message-----
> From: Vincent Sweeney [mailto:v.sweeney () DEXTERUS COM]
> Sent: Thursday, April 20, 2000 7:37 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Odd Firewall Entries
>
>
> I have suddenly been receiving a lot of odd looking entries, like the
> examples pasted below, from a total of 4 IP addresses. Its
> directed at a
> very public facing Linux server which receives all the usual
> port scans and
> attempted exploits. However this is the 1st time I've seen
> anything like
> this (repeated non-standard protocol packets sent to the same
> server) and
> was wonder if anyone has seen the like before and / or knows
> any more info?
>
> Thanks,
>    Vince.
>
> ----
>
> Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54
> 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0
> F=0x0000 T=16
> O=0x00000494 (#17)
>
> Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54
> 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0
> F=0x0000 T=22
> O=0x00000494 (#17)
>
> Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54
> 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0
> F=0x0000 T=22
> O=0x00000494 (#17)