Firewall Wizards mailing list archives

Possible DOS attack?


From: Kelly Sedik <KellyS () groundskeeper com>
Date: Wed, 19 Apr 2000 16:14:04 -0700

I am the administrator of an Alta Vista firewall and I have seen some
strange entries in the filter log. I suspect someone was trying to use my
firewall to initiate a DOS attack. The following is an excerpt from that log
(address 20.1.1.1 is the external address of my firewall and 10.2.2.2 is the
address it was trying to send the packet to):
 
Apr 19 14:24:25 firewalker filter[123]: Log: MESSAGE: LOG0006: New Day
14:24:25, on Wednesday April 19, 2000
 
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
 
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1813
 

Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
 
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1814
 

Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
 
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1815
 

Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
 
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1816
 

Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:26 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
 
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1817

The red network is the internet and the blue network is my network. This
activity lasted only about a minute. It does not appear that the destination
address was ever reached. 
 
Is this a DOS attack? If so, what, if anything, should I do about it? If you
have any questions about this incident please feel free to e-mail me. Thank
you.
 
Kel
 
"The telephone has too many shortcomings to be seriously considered as a
means of communications. The device is inherently of no value to us." -
Western Union internal memo, 1876
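One way to summarize records like those in the message above, as an added example that is not part of the original post: it pairs each wrapped FWF0042 warning with its address line and groups the records by source address, destination address and source port. The sample input is constructed in the layout of the excerpt, the function names are hypothetical, and reading the port fields as zero-padded decimal is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped layout of the excerpt quoted in the post.
SAMPLE = """\
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1813
Apr 19 14:24:25 firewalker filter[123]: Event: EVENTMSG: event FWF0042
detected from host unknown/0.0.0.0
Apr 19 14:24:25 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1814
Apr 19 14:24:26 firewalker filter[123]: Warning: MESSAGE: FWF0042: Port
Unreachable Outgoing To Red, Originally From Blue for TCP
SrcAdr: 20.1.1.1, DestAdr: 10.2.2.2, SrcPort: 0080, DestPort: 1815
"""

HEAD = re.compile(r"^\w{3}\s+\d+\s+(\d\d:\d\d:\d\d)\s+\S+\s+filter\[\d+\]:"
                  r"\s+Warning: MESSAGE: (FWF\d+):")
ADDR = re.compile(r"SrcAdr:\s*(\S+),\s*DestAdr:\s*(\S+),"
                  r"\s*SrcPort:\s*(\d+),\s*DestPort:\s*(\d+)")

def parse(text):
    """Yield (time, code, src, dst, sport, dport) for each warning record."""
    pending = None                      # header waiting for its address line
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            pending = m.groups()
            continue
        m = ADDR.search(line)
        if m and pending:
            src, dst, sport, dport = m.groups()
            # Assumption: port fields are zero-padded decimal, not hex.
            yield (*pending, src, dst, int(sport), int(dport))
            pending = None

def summarize(text, code="FWF0042"):
    """Group records by (src, dst, sport) and describe the destination ports."""
    flows = defaultdict(list)
    for t, c, src, dst, sport, dport in parse(text):
        if c == code:
            flows[(src, dst, sport)].append((t, dport))
    out = {}
    for key, recs in flows.items():
        ports = sorted({p for _, p in recs})
        out[key] = {"count": len(recs), "first": recs[0][0], "last": recs[-1][0],
                    "dest_ports": (ports[0], ports[-1]),
                    "sequential": ports == list(range(ports[0], ports[-1] + 1))}
    return out
```

Calling `summarize()` on a full filter log gives one entry per address pair and source port, with the record count, the first and last timestamps, and whether the destination ports form an unbroken run.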
 
