Hi, I have a question for you firewall gurus about some packets that
are arriving at my firewall's door. They look like this:
proto udp src 555.555.555.555 dst 444.444.444.444 service 1064 s_port domain-udp len 378 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1065 s_port domain-udp len 353 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1066 s_port domain-udp len 371 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1067 s_port domain-udp len 353 rule 9
where 555.555.555.555 is an address outside the firewall and
444.444.444.444 is an address inside. This is using Check Point
FireWall-1 as a firewall. Notice how the service (which is just the
destination port number, I believe) increments by one each time. What
kind of application would generate traffic like this? Or is someone
sending packets to a bunch of different ports on the system to see
whether any of those might be running an unusual service that they can
then use to break in? Any ideas would be helpful. Right now the
firewall is set up to drop such packets.
Thanks!
-Ellen
equaad @ indigo . mit . edu
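
The following is an added example, not part of the original post or of FireWall-1: a small triage script that parses entries in the log format quoted above (unwrapped to one entry per line), groups them by source, destination and source port, and reports the destination-port pattern for each group. The labels, the `NAMES` table, and the 666.666.666.666 contrast lines are assumptions of this example.

```python
import re
from collections import defaultdict

# First four lines are the entries quoted in the post (poster's placeholder
# addresses); the last three are constructed here for contrast.
SAMPLE = """\
proto udp src 555.555.555.555 dst 444.444.444.444 service 1064 s_port domain-udp len 378 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1065 s_port domain-udp len 353 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1066 s_port domain-udp len 371 rule 9
proto udp src 555.555.555.555 dst 444.444.444.444 service 1067 s_port domain-udp len 353 rule 9
proto udp src 666.666.666.666 dst 444.444.444.444 service 69 s_port 40000 len 28 rule 9
proto udp src 666.666.666.666 dst 444.444.444.444 service 111 s_port 40000 len 28 rule 9
proto udp src 666.666.666.666 dst 444.444.444.444 service 161 s_port 40000 len 28 rule 9
"""

LINE = re.compile(
    r"proto (\S+) src (\S+) dst (\S+) service (\S+) s_port (\S+) len (\d+) rule (\d+)")
NAMES = {"domain-udp": 53}  # the only service name that appears in the post

def to_port(field):
    return int(field) if field.isdigit() else NAMES.get(field)

def parse(text):
    return [{"src": src, "dst": dst, "dport": to_port(svc), "sport": to_port(sp),
             "len": int(ln)} for _, src, dst, svc, sp, ln, _ in LINE.findall(text)]

def classify(uniq, sport):
    """Heuristic labels: assumptions of this example, not FireWall-1 output."""
    if sport == 53 and uniq[0] >= 1024:
        # Shape of DNS answers returning to a resolver's ephemeral ports. The
        # source port is sender-chosen, so confirm against outbound queries.
        return "dns-reply-like"
    return "sweep-like" if len(uniq) >= 3 else "unclassified"

def summarize(rows):
    groups = defaultdict(list)
    for r in rows:
        if r["dport"] is not None:
            groups[(r["src"], r["dst"], r["sport"])].append(r["dport"])
    report = {}
    for key, ports in groups.items():
        uniq = sorted(set(ports))
        report[key] = {"ports": uniq, "label": classify(uniq, key[2]),
                       "sequential": len(uniq) > 1 and uniq[-1] - uniq[0] == len(uniq) - 1}
    return report

if __name__ == "__main__":
    for key, info in summarize(parse(SAMPLE)).items():
        print(key, info)
```

A "dns-reply-like" label is only a prompt to check whether 444.444.444.444 sent DNS queries to that source shortly before the drops were logged.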