The other day we had something very strange happen:
We are a small ISP, with 32 dialup customers and about 40 inside machines
on an ethernet. Our pipe to the internet has a Cisco 2501 on it.
The Cisco is configured to block EVERYTHING coming into our machine
except pcnfs, www, nntp, pop3, smtp, dns, ftp. ALL of the R-Commands are disabled
as well. Yet, in the logs there was something to the effect of:
2 LOGIN FAILURES from big10.metrobbs.com
How is this possible? How could they have accessed login? This error
message was NOT an ftp error message. Also we did NOT have source
routing disabled on the 2501 at the time, however, if they were pulling
that crap I don't think it would have shown them coming from metrobbs.com.
NOTE: I am NOT talking about "netjam.net". The domain I am talking about
is "softdisk.com". Our router is link.softdisk.com, and our server that
had the login failures was server1.softdisk.com.
Any ideas? Someone mentioned before something about this possibly being
an ip fragment attack or something.
-------------------------------------------------------------------------
Brian Feeny                                http://www.netjam.net   signal@netjam.net
NetJAM Communications Network Consulting   (318) 798-9324
UNIX -- Internetworking -- Security -- Programming -- Troubleshooting
PGP Key: finger signal@netjam.net
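For readers wanting to see what the filtering policy described in the post looks like in Cisco IOS terms, here is an added illustration; it is not the poster's actual router configuration. It assumes the Internet link is on `Serial0`, that the inside network is `192.0.2.0/24` and that the server sits at `192.0.2.10` (all placeholders from the documentation address range). The pcnfs entries use the IANA-assigned port 640. Note that an inbound list on the serial interface only governs packets that enter the router through that interface; traffic arriving on the dialup ports or from the inside Ethernet never passes through it, so host-level logging (the login failures in the post come from the server itself) is the place to confirm where a connection really came from.

```cisco
! Drop packets carrying IP source-route options before any other processing.
no ip source-route
!
! Inbound from the Internet: permit only the services listed in the post.
! Addresses are placeholders; 192.0.2.10 stands for server1.
access-list 101 permit tcp any host 192.0.2.10 eq 25
! smtp
access-list 101 permit tcp any host 192.0.2.10 eq 110
! pop3
access-list 101 permit tcp any host 192.0.2.10 eq 119
! nntp
access-list 101 permit tcp any host 192.0.2.10 eq 80
! www
access-list 101 permit tcp any host 192.0.2.10 eq 21
! ftp control channel
access-list 101 permit tcp any host 192.0.2.10 eq 53
access-list 101 permit udp any host 192.0.2.10 eq 53
! dns over tcp and udp
access-list 101 permit tcp any host 192.0.2.10 eq 640
access-list 101 permit udp any host 192.0.2.10 eq 640
! pcnfs (IANA port 640)
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
! replies to connections opened from inside
! The implicit "deny ip any any" at the end drops everything else,
! including the r-services on ports 512-514, so no explicit deny is needed.
!
interface Serial0
 ip access-group 101 in
```

Applying the list with `in` on the Internet-facing interface is what makes it a border filter; applying it elsewhere, or in the `out` direction, would change which traffic it sees.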