Security Incidents mailing list archives
Re: Odd Firewall Entries
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Wed, 26 Apr 2000 12:04:32 -0700
Protocol 54 is the Next Hop Resolution Protocol for non-broadcast/multiple-access networks. What this means is that you have an Ethernet switch with broadcasts disabled. How do you ARP in this environment since broadcasts don't work? Well, NHRP takes care of this for you. (Actually, it really is designed for ATM, Frame Relay, CMDS, etc., not Ethernet switching environments; I'm just using that as an example).

You should only see these packets across your local segment; they shouldn't be coming in from remote sites.

If anybody could send me a sniffer/tcpdump trace of these packets, I'd really appreciate it.

Rob.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com] On Behalf Of Ed Padin
Sent: Monday, April 24, 2000 1:07 PM
To: INCIDENTS () securityfocus com
Subject: Re: Odd Firewall Entries

Well, I found a reference to IP protocol numbers here: http://andrew2.andrew.cmu.edu/rfc/rfc1700.html

But I don't know what uses "NBMA Next Hop Resolution Protocol". Could it be some VPN product? Or do routers use this? Did you capture a dump of the entire packet or just headers?

-----Original Message-----
From: Vincent Sweeney [mailto:v.sweeney () DEXTERUS COM]
Sent: Thursday, April 20, 2000 7:37 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Odd Firewall Entries

I have suddenly been receiving a lot of odd looking entries, like the examples pasted below, from a total of 4 IP addresses. It's directed at a very public facing Linux server which receives all the usual port scans and attempted exploits. However, this is the 1st time I've seen anything like this (repeated non-standard protocol packets sent to the same server) and was wondering if anyone has seen the like before and / or knows any more info?

Thanks,
Vince.

----
Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)
Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 xxx.xxx.xxx.xxx:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)
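An added example, not written by any participant in this thread: a small Python parser for the ipchains "Packet log" format quoted above that flags packets of a non-standard IP protocol arriving from outside the local segment, which is the check Rob's reply implies. The local network 192.0.2.0/24 (standing in for the masked destination) and the two extra log lines are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Field layout of the ipchains "Packet log:" lines quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

# IP protocols an Internet-facing Linux server is normally expected to receive.
EXPECTED_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed local segment; the thread masks the real destination address.
LOCAL_NETS = [ip_network("192.0.2.0/24")]

# Constructed sample: the three posted entries (destination replaced by a
# documentation address), one PROTO=54 packet from the local segment, and one
# ordinary TCP probe.
SAMPLE_LOG = [
    "Apr 19 11:13:47 kernel: Packet log: input DENY eth0 PROTO=54 137.248.121.114:65535 192.0.2.10:65535 L=68 S=0x00 I=0 F=0x0000 T=16 O=0x00000494 (#17)",
    "Apr 19 23:41:45 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 192.0.2.10:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)",
    "Apr 19 23:41:55 kernel: Packet log: input DENY eth0 PROTO=54 195.38.228.141:65535 192.0.2.10:65535 L=68 S=0x00 I=0 F=0x0000 T=22 O=0x00000494 (#17)",
    "Apr 19 23:50:00 kernel: Packet log: input DENY eth0 PROTO=54 192.0.2.7:65535 192.0.2.10:65535 L=68 S=0x00 I=0 F=0x0000 T=64 O=0x00000494 (#17)",
    "Apr 19 23:51:10 kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:4321 192.0.2.10:23 L=60 S=0x00 I=12345 F=0x4000 T=50 O=0x00000000 (#12)",
]

def parse_line(line):
    """Return the packet fields of one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec

def is_local(addr):
    """True if the address lies on one of the configured local segments."""
    ip = ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def find_unexpected(lines):
    """Flag non-TCP/UDP/ICMP packets from remote sources.

    Returns (findings, hits): findings is a list of (proto, src, ttl) tuples,
    hits counts repeated packets per (proto, src) so a persistent source stands out."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] in EXPECTED_PROTOS:
            continue
        if is_local(rec["src"]):
            continue  # resolution traffic from our own segment is the expected case
        findings.append((rec["proto"], rec["src"], rec["ttl"]))
    return findings, Counter((p, s) for p, s, _ in findings)
```

Run against a real ipchains log, the differing TTLs per source (16 versus 22 here) are a useful hint that the packets really do come from different remote hops rather than one spoofing host.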