On Wed, 18 Apr 2001 10:06:13 -0400 Curley Mr Eric P <CurleyEPat_private> wrote:

> I have been receiving some very weird traffic on my Firewall within the last
> two days that are coming from non-routable IP's reserved by IANA. They did
> not get through the Firewall but I do not understand the intent behind it.
> Could it be a scan for reconnaissance purposes? Is it a type of
> OS-fingerprinting? Here are the logs below:
>

Hi Eric,

One possibility that occurs to me is that this *might* be mangled traffic from a legit SMTP session where the traffic has been mangled by a NAT gw, i.e. a machine on your net contacts mail.somewhere.xxx, which happens to be on a network where NAT is in use. For some reason the gateway stuffs up and some of the traffic coming back does not get its address properly translated, so you see traffic coming from port 25 to a high-numbered port in your net, which your firewall then blocks.

We run argus here and I thus have a complete log of all traffic on our DMZ. I have seen this sort of thing on several occasions and been able to find the original sessions from the local address and port number.

One thing that mitigates against this is that you appear to be getting this from more than one source.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
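The check Russell describes, looking up the original outbound session by local address and port, can be scripted against a flow log. The following is an added example, not code from the original thread or from argus: it takes constructed firewall drop lines and constructed flow records in a made-up simplified format, flags a blocked packet as a mistranslated reply when its destination (our host, our ephemeral port) and its source port (the remote service port) match a recent outbound session, and otherwise leaves it unexplained. The source IP is deliberately not compared, since that is the field the NAT gateway would have got wrong; the count of distinct unexplained private source addresses is reported because, as the reply notes, several sources argue against the NAT explanation. The log formats, addresses, ports, timestamps and the five-minute window are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# RFC 1918 ranges: the "non-routable IPs reserved by IANA" of the post.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One outbound session from a full traffic log (simplified, not argus' format)."""
    start: datetime
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Drop:
    """One inbound packet the firewall blocked."""
    time: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_flow(line: str) -> Flow:
    # Constructed format: "<iso-time> <local_ip>:<port> -> <remote_ip>:<port>"
    ts, lhs, _arrow, rhs = line.split()
    lip, lport = lhs.rsplit(":", 1)
    rip, rport = rhs.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), lip, int(lport), rip, int(rport))


def parse_drop(line: str) -> Drop:
    # Constructed format: "<iso-time> DROP <src_ip>:<port> -> <dst_ip>:<port>"
    ts, _action, lhs, _arrow, rhs = line.split()
    sip, sport = lhs.rsplit(":", 1)
    dip, dport = rhs.rsplit(":", 1)
    return Drop(datetime.fromisoformat(ts), sip, int(sport), dip, int(dport))


def match_session(drop: Drop, flows, window=timedelta(minutes=5)):
    """Return the outbound flow the blocked packet looks like a reply to, or None.

    A mistranslated reply keeps everything except the source address: it is
    aimed at our host on the ephemeral port we opened, comes from the remote
    service port, and arrives shortly after the session started.
    """
    for f in flows:
        if (f.local_ip == drop.dst_ip and f.local_port == drop.dst_port
                and f.remote_port == drop.src_port
                and timedelta(0) <= drop.time - f.start <= window):
            return f
    return None


def classify(drop_lines, flow_lines):
    """Label each drop 'mangled-reply' (with the real remote host) or
    'unexplained', and collect distinct unexplained private source IPs."""
    flows = [parse_flow(l) for l in flow_lines]
    labels, unexplained_sources = [], set()
    for line in drop_lines:
        d = parse_drop(line)
        f = match_session(d, flows)
        if f is not None:
            labels.append(("mangled-reply", f.remote_ip))
        else:
            labels.append(("unexplained", None))
            if is_private(d.src_ip):
                unexplained_sources.add(d.src_ip)
    return labels, unexplained_sources


# Constructed sample data (assumed, not from the thread).
FLOW_LOG = [
    "2001-04-17T09:58:10 192.0.2.10:34567 -> 198.51.100.25:25",  # our host sends mail
    "2001-04-17T10:02:00 192.0.2.11:40001 -> 203.0.113.7:80",
]
DROP_LOG = [
    "2001-04-17T09:58:11 DROP 10.1.1.5:25 -> 192.0.2.10:34567",     # untranslated reply
    "2001-04-17T10:15:30 DROP 172.16.9.9:25 -> 192.0.2.10:34567",   # same ports, too late
    "2001-04-17T10:16:00 DROP 192.168.0.3:25 -> 192.0.2.12:1234",   # no session at all
]

if __name__ == "__main__":
    labels, sources = classify(DROP_LOG, FLOW_LOG)
    for line, label in zip(DROP_LOG, labels):
        print(label, "<-", line)
    print("distinct unexplained private sources:", sorted(sources))
```

Only the first drop is explained by an earlier session; the other two stay unexplained and come from two different private addresses, which is the pattern the reply treats as evidence against a single misbehaving NAT gateway. With real argus output the parser would be swapped for one that reads the exporter's actual field layout.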
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 20:34:24 PDT