equaad @ indigo . mit . edu wrote:
>Hi, I have a question for you firewall gurus about some packets that
>are arriving at my firewall's door. They look like this:
>proto udp src 555.555.555.555 dst 444.444.444.444 service 1064 s_port
>domain-udp len 378 rule 9
>proto udp src 555.555.555.555 dst 444.444.444.444 service 1065 s_port
>domain-udp len 353 rule 9
>proto udp src 555.555.555.555 dst 444.444.444.444 service 1066 s_port
>domain-udp len 371 rule 9
>proto udp src 555.555.555.555 dst 444.444.444.444 service 1067 s_port
>domain-udp len 353 rule 9
>where 555.555.555.555 is an address outside the firewall and
>444.444.444.444 is an address inside. This is using Check Point
>FireWall-1 as a firewall. Notice how the service (which is just the
>destination port number I believe) increments by one each time. What
>kind of application would generate traffic like this?? Or is someone
>sending packets to a bunch of different ports on the system to see
>whether any of those might be running an unusual service that they can
>then use to break in? Any ideas would be helpful. Right now the
>firewall is set up to drop such packets.
>Thanks!
>-Ellen
>equaad @ indigo . mit . edu
Hi Ellen
By seeing these lines where the s_port is incremented by one I have to
say that this looks like someone testing SATAN against your firewall
machine, because this is exactly what happens when you run SATAN against
machines. He's trying every port number by incrementing it by one!!
Hope this helps you
Cheers
Fred
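
Added example, not part of either post above: a small Python check that parses log lines in the layout Ellen quoted and reports, per source/destination pair, the longest run of destination ports ("service") that step by one, together with the source ports seen. The field layout is assumed from the four quoted lines only, and the function names and the min_run threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the four lines quoted in the thread, mail line-wrap undone.
SAMPLE_LOG = """\
proto udp src 555.555.555.555 dst 444.444.444.444 service 1064 s_port domain-udp len 378 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1065 s_port domain-udp len 353 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1066 s_port domain-udp len 371 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1067 s_port domain-udp len 353 rule 9
"""

# Field layout assumed from the quoted lines; other log formats will not match.
LINE_RE = re.compile(
    r"proto (?P<proto>\S+) src (?P<src>\S+) dst (?P<dst>\S+) "
    r"service (?P<service>\S+) s_port (?P<s_port>\S+) len (?P<length>\d+) rule (?P<rule>\d+)"
)

def parse(log_text):
    """Yield one dict of fields per line that matches the quoted layout."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def longest_run(ports):
    """Length of the longest run of ports that increase by exactly one, in arrival order."""
    best = cur = 1 if ports else 0
    for prev, nxt in zip(ports, ports[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best

def summarize(log_text, min_run=3):
    """Report (proto, src, dst) groups whose destination ports step by one min_run times or more."""
    flows = defaultdict(lambda: {"dports": [], "sports": set()})
    for rec in parse(log_text):
        if not rec["service"].isdigit():
            continue  # a named service cannot be checked for +1 steps
        f = flows[(rec["proto"], rec["src"], rec["dst"])]
        f["dports"].append(int(rec["service"]))
        f["sports"].add(rec["s_port"])
    return [
        {"flow": key, "run": longest_run(f["dports"]), "source_ports": sorted(f["sports"])}
        for key, f in flows.items()
        if longest_run(f["dports"]) >= min_run
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The report keeps the source ports next to the run length so the reader can see whether the sender's port stayed fixed while the destination port moved.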