Firewall Wizards mailing list archives
Re: Fw: Update on 1720/1863 (was: Re: OT? New compromise.)
From: dlang () diginsite com
Date: Sat, 7 Apr 2007 17:28:50 -0700 (PDT)
This actually sounds very similar to what would typically happen with a proxy firewall, where the proxy would accept the connection (sending the ACK) and then attempt to connect to the server on the other side (possibly several steps later in the exchange, if the proxy does checking to see if the request appears to be legit before bothering the host).

The fundamental lesson should be "don't try to scan through a firewall": you don't know what the firewall could be doing that could bollox your scan.

David Lang

On Wed, 4 Apr 2007, Jim Seymour wrote:
Date: Wed, 4 Apr 2007 15:54:57 -0400 (EDT)
From: Jim Seymour <jseymour () linxnet com>
Reply-To: firewall-wizards () listserv icsalabs com
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] Fw: Update on 1720/1863 (was: Re: OT? New compromise.)

Mystery solved.

Jim

----- Begin Included Message -----

Date: Wed, 4 Apr 2007 14:13:33 -0400
From: Ereshkigal
Subject: Update on 1720/1863

Again, permission to cross-post granted. Hopefully, it will get cross-posted to wherever it got cross-posted initially so that those who have been fretting will be able to relax a bit.

It looks like this is actually not malicious, although it is, in my opinion, Very Bad Form. It appears that there is a helper feature on some of the firewalls that "a top 5 firewall vendor" produces that causes the firewall to send an ACK to any probe that crosses the firewall on ports 1720 and 1863 back to the originating host. This is enabled by default. As far as I know so far, it's only on one type of firewall by this vendor.

Basically, any and all connection attempts that we sent out to 1720 and 1863 that crossed this firewall returned an ACK. If we tried to connect to the port on the IP, the firewall itself would accept the connection. Yesterday, we stumbled on the fact that the firewall would even take connections for IPs with no active hosts. From the information that we've been able to get, this was discovered this last week.

The responses that we (and several others) were seeing to 1720 and 1863 were actually outbound connection attempts from our own hosts to the destination hosts that were intercepted and returned by the firewall, giving the impression of running services on the systems from anyone behind this particular type of firewall anywhere in the route with the helper enabled.

I have heard of a few reports of people using IPTables and Netfilter seeing this, too, but need to confirm that this particular firewall isn't somewhere along the route between the two systems.
----- End Included Message -----

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
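The thread's point is that a completed TCP handshake proves only that something on the path accepted the SYN, not that a service (or even a host) exists behind it. The following Python script is an added illustration of that failure mode for anyone validating their own vulnerability-scan results; it is not code from the thread or from any firewall vendor. It starts two listeners on 127.0.0.1 on ephemeral ports (not the real 1720/1863): one that behaves like a genuine service and sends a banner, and one that behaves like the helper described above, completing the handshake for anything and then sitting silent. `classify_port()` then shows why a connect-only probe reports both as "open" while an application-level read tells them apart. All names, ports and the banner text are constructed for the example.

```python
import socket
import threading

# Constructed sample banner for the "real" service listener.
BANNER = b"220 example-service ready\r\n"


def _serve(listener, handler):
    """Accept loop: hand each accepted connection to `handler` on its own thread."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return  # listener closed
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def _listener(handler):
    """Bind a loopback listener on an ephemeral port and start serving it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    threading.Thread(target=_serve, args=(sock, handler), daemon=True).start()
    return sock, sock.getsockname()[1]


def start_real_service():
    """A host that really runs a service: accepts, greets, closes."""
    def handler(conn):
        with conn:
            conn.sendall(BANNER)
    return _listener(handler)


def start_helper_like_interceptor():
    """Mimics the firewall helper from the thread (assumed behaviour): the TCP
    handshake completes for any destination, but nothing is ever sent back."""
    def handler(conn):
        with conn:
            try:
                conn.recv(1)  # block until the prober gives up and closes
            except OSError:
                pass
    return _listener(handler)


def classify_port(host, port, timeout=1.0):
    """Return 'closed', 'accepted-no-response', or 'service:<banner>'.

    A connect-only scanner would call the first two cases 'closed' and 'open';
    reading at the application layer separates a silent interceptor from a
    service that actually answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return "accepted-no-response"
            if not data:
                return "accepted-no-response"
            return "service:" + data.decode(errors="replace").strip()
    except (ConnectionRefusedError, socket.timeout, OSError):
        return "closed"


def find_closed_port():
    """Pick a loopback port that is almost certainly not listening right now."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    _, real_port = start_real_service()
    _, helper_port = start_helper_like_interceptor()
    for label, port in (("real service", real_port),
                        ("helper-like interceptor", helper_port),
                        ("nothing listening", find_closed_port())):
        print(f"{label:24s} port {port:5d}: {classify_port('127.0.0.1', port)}")
```

The caveat cuts both ways: a port that accepts and stays silent is not proof of an interceptor, because client-speaks-first protocols (HTTP, for instance) look exactly the same to this probe. A scan result worth acting on therefore needs the expected application handshake for the port in question, and, as the thread concludes, should not be run through a firewall whose helpers and proxies you have not accounted for.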