Security Incidents mailing list archives

Spammers bypassing Cisco ACLs??


From: "Chris Harrington" <cmh () nmi net>
Date: Thu, 10 Jun 2004 14:01:51 -0400

All,

Yesterday a friend called and said he saw about 20 alerts from his ISS
RealSecure sensor. The alerts were TCP_OS_FINGERPRINT alerts and the traffic
that was generating these alerts was coming from their Checkpoint firewall,
specifically the NAT'ed IP address for incoming email. Further inspection
showed that this traffic had source ports of 25 and 32773 and the Fin, Push,
Urg and Ack flags set. That combination of flags set off the ISS sensor.
The destinations were all IPs in the APNIC space. Given the combination of
ports and destinations this is probably the work of spammers.

The customer has a Cisco router filtering all inbound traffic except to
ports 80,443,25. So I am not sure why the firewall (which is behind the
router) would be responding to traffic from port 32773. Inbound traffic with
that destination address should be blocked by the router. I verified this in
the config. Then I checked the firewall logs. Sure enough there was inbound
traffic to port 32773 being blocked by the firewall. This traffic should not
reach the firewall (because of the router) and even if it did I wouldn't
think that the firewall would respond with the same flags plus an Ack. The
only conclusion I can come up with is that traffic with the FPU flags set is
making it past the router. I have not had time to test this. Why the
firewall is responding is beyond me.

Am I missing something here?

Thanks,

--Chris  
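An added example, not part of Chris's post: a small Python triage of the flag combination he describes, run over constructed records rather than real logs; it assumes the router's inbound ACL admits return traffic with Cisco's `established` keyword (which matches any segment with ACK or RST set), something the post does not state.

```python
"""Triage of TCP flag combinations seen at a firewall behind a router ACL.

Added example; the records below are constructed, not real sensor logs.
"""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = ((FIN, "FIN"), (SYN, "SYN"), (RST, "RST"),
              (PSH, "PSH"), (ACK, "ACK"), (URG, "URG"))

# Constructed records: (src_port, dst_port, raw tcp flags byte)
SAMPLE_RECORDS = [
    (32773, 25, FIN | PSH | URG),          # FPU, no ACK, to the mail port
    (32773, 25, FIN | PSH | URG | ACK),    # FPU plus ACK: the pattern in the post
    (54321, 25, SYN),                      # ordinary mail connection start
    (25, 40000, ACK),                      # reply from the mail server
    (1024, 32773, FIN | PSH | URG | ACK),  # same flags, non-allowed destination port
    (1024, 32773, FIN | PSH | URG),        # same, but without ACK
]

def decode_flags(flags):
    """Expand a raw TCP flags byte into the names of the bits that are set."""
    return [name for bit, name in FLAG_NAMES if flags & bit]

def is_fpu_probe(flags):
    """FIN, PSH and URG together without SYN never occur in a legitimate handshake."""
    return (flags & (FIN | PSH | URG)) == (FIN | PSH | URG) and not flags & SYN

def passes_established(flags):
    """Cisco IOS 'established' matches any segment with ACK or RST set.
    Assumed here to be how the customer's inbound ACL admits return traffic."""
    return bool(flags & (ACK | RST))

def triage(records, allowed_ports=(25, 80, 443)):
    """Return (index, flag names, reason) for every record worth a closer look."""
    findings = []
    for i, (src, dst, flags) in enumerate(records):
        if not is_fpu_probe(flags):
            continue
        if dst in allowed_ports:
            reason = "FPU probe to an allowed port"
        elif passes_established(flags):
            reason = "FPU probe to a blocked port, ACK set: slips past an 'established' ACL"
        else:
            reason = "FPU probe to a blocked port, no ACK: a port ACL should drop it"
        findings.append((i, decode_flags(flags), reason))
    return findings

if __name__ == "__main__":
    for idx, names, reason in triage(SAMPLE_RECORDS):
        print(idx, "+".join(names), reason)
```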
