Firewall Wizards mailing list archives
RE: Odd PIX / router behavior
From: Paul Robertson <proberts () patriot net>
Date: Fri, 31 Oct 2003 17:10:21 -0500 (EST)
On Fri, 31 Oct 2003 lordchariot () earthlink net wrote:
Paul,
[The other Paul answers...]
When you saw the original spoofed traffic, what kind of packets were they? One of my customers is seeing similar behaviour on a significant amount of traffic and they are trying to pin it down.

The packets we're seeing are:

Src: 127.0.0.1:80
Dst: X.X.X.X:<ephemeral>
ACK flag only

The firewall is blocking of course, but the traffic is unusually high. My first thought was a misconfigured internal host too, but sniffing the inside of the firewall shows no sessions originating from any of the internal hosts. My second guess is some sort of misconfigured router that we are trying to pin down. We can't confirm this, however. My last guess is an external attack, which is why I'm wondering if the traffic is similar to what you saw?

This is a worm artifact. Nachi, if I recall correctly.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson
proberts () patriot net
probertson () trusecure com
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards