Date: Wed, 13 Feb 2002 15:08:00 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Jim Conner <jconner@enterit.com>
Cc: James Green <james@stealthnet.co.uk>, freebsd-questions@freebsd.org
Subject: Re: Am I being hacked?! Strange connection attempts
Message-ID: <20020213130759.GD22168@hades.hell.gr>
In-Reply-To: <5.1.0.14.0.20020213011306.0340ce68@mail.enterit.com>
References: <20020212170133.3bf6d5c9.johann@broadpark.no> <5.1.0.14.0.20020213011306.0340ce68@mail.enterit.com>

On 2002-02-13 01:22, Jim Conner wrote:
>
> Ok. Yup, James, you are right. 10.* is a private IP address
> block. Therefore, the fact that there is a connect attempt on port 1433
> from a real IP address to an internal address could be hoakie if...*if*
> J.S. is NOT forwarding the ports or has this machine in his DMZ or
> something. If he has it blocked, however (or not in the DMZ) then this, to
> me, looks like someone is port-scanning and they are taking advantage of
> J.S.'s stateless firewall. They are probably using a syn+ack scan or
> something. This kind of scan, IIRC, is capable of fooling the firewall
> into thinking that the inside host made a request to the outside world and
> therefore the fw happily passes the packets along.

Which should not be allowed, since packets coming from an IP address
that does not match one of the addresses of an interface should be
dropped dead on the floor :)

Giorgos Keramidas                       FreeBSD Documentation Project
keramida@{freebsd.org,ceid.upatras.gr}  http://www.FreeBSD.org/docproj/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
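
An added example, not part of the original message and not code from FreeBSD or any firewall: a small Python simulation of why a stateless rule that passes any inbound segment with ACK set lets an unsolicited SYN+ACK to port 1433 through, while a filter that remembers outbound connections drops it. The class and function names and all addresses are constructed for illustration; NAT, timeouts and TCP sequence tracking are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # TCP flags set on the segment
    inbound: bool      # True when arriving from the outside network

def stateless_allow(pkt):
    """Stateless rule: pass outbound; pass inbound whenever ACK is set."""
    return (not pkt.inbound) or "ACK" in pkt.flags

class StatefulFilter:
    """Pass inbound segments only for flows an inside host opened."""
    def __init__(self):
        self.flows = set()

    def allow(self, pkt):
        if not pkt.inbound:
            if pkt.flags == frozenset({"SYN"}):
                # Remember the flow so the reply can be matched later.
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound segment must mirror a recorded outbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows

def compare(packets):
    """Return (stateless_verdict, stateful_verdict) for each packet."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

SYN, SYNACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
# Constructed sample traffic (documentation addresses, not from the thread).
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.80", 80, SYN, False),       # inside host opens a connection
    Packet("192.0.2.80", 80, "10.0.0.5", 40000, SYNACK, True),     # legitimate reply
    Packet("198.51.100.7", 3456, "10.0.0.5", 1433, SYNACK, True),  # unsolicited SYN+ACK
    Packet("198.51.100.7", 3457, "10.0.0.5", 1433, SYN, True),     # plain inbound SYN
]

if __name__ == "__main__":
    for pkt, (loose, strict) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"{sorted(pkt.flags)} stateless={loose} stateful={strict}")
```

The third packet is the case discussed in the thread: the stateless rule passes it because ACK is set, and the stateful filter drops it because no inside host ever opened that flow.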