Date:      Wed, 21 Feb 2001 22:53:17 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        Michael Richards <michael@fastmail.ca>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Odd firewall messages
Message-ID:  <20010221225317.A89396@rfx-216-196-73-168.users.reflex>
In-Reply-To: <3A947A0B.000099.29931@frodo.searchcanada.ca>; from michael@fastmail.ca on Wed, Feb 21, 2001 at 09:31:39PM -0500
References:  <3A947A0B.000099.29931@frodo.searchcanada.ca>

On Wed, Feb 21, 2001 at 09:31:39PM -0500, Michael Richards wrote:

[snip]

> Now I seem to be getting a number of weird packets presumably probing 
> my machine for various open ports:
> 
> 21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> x.x.x.x,137 PR udp len 20 19968  IN
> 21/02/2001 04:51:05.357334 xl1 @0:4 b 192.168.0.1,137 -> x.x.x.x,137 PR udp len 20 19968  IN
> 21/02/2001 05:08:04.033088 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968  IN
> 21/02/2001 05:08:05.529631 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968  IN
> 21/02/2001 05:08:07.033451 xl1 @0:4 b 192.168.1.20,137 -> x.x.x.x,137 PR udp len 20 19968  IN
> 21/02/2001 05:30:15.651130 xl1 @0:1 b 205.188.246.17,46666 -> x.x.x.x,25 PR tcp len 20 7168 - IN
> 21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> x.x.x.x,25 PR tcp len 20 10240 -A IN
> 
> I haven't figured out what the last 2 log entries are or do only 
> because I haven't read into the docs far enough yet.
> 
> The thing I find curious is the first set of packets. These are 
> coming from RFC reserved IP addresses. Why on earth would I probe you 
> using a return address of 10.0.0.1 because I probably won't ever get 
> a response. Before the firewall was plugged in (it had a bypass 
> during setup and testing) I presume that the response for these 
> packets was just fired back and filtered out somewhere. Since rule 
> #2 and #3 do not seem to be firing I assume they are not source 
> routed so as to have the return source pass through the attacking 
> machine.
> 
> Anyone have any wisdom when it comes to decoding what I'm seeing here?

That is the NetBIOS garbage that WinXX machines chatter with. You
redacted the destination IPs, were they broadcast addresses? Those are
NetBIOS name resolution packets. They could be hostile, but by far the
most probable scenario is someone with a misconfigured network is
leaking them. You would not happen to be living off of a public
broadcast domain?
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010221225317.A89396>
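Added example (not part of the thread): a small Python decoder for ipmon(8) block lines of the kind quoted above. It parses each field of the log format, marks sources in RFC 1918 space, and answers Crist's question mechanically by checking whether the destination is the local subnet's broadcast address, which is what separates leaked NetBIOS name-service chatter from a directed query. The sample lines are constructed from the quoted entries: the redacted destination is replaced with addresses from the 192.0.2.0/24 documentation range, the routable source with 203.0.113.17, and the local subnet 192.0.2.0/24 is an assumption. Reading ipmon's TCP flag field as "-" followed by one letter per set flag (so a bare "-" means no flags) is also an assumption about the tool's output format.

```python
"""Decode ipmon(8) block log lines and separate leaked NetBIOS broadcast
chatter from traffic that merits a closer look. Example code written for
this page, not from the thread or from IP Filter itself.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# ipmon line shape (assumed from the quoted entries):
#   date time [Nx] ifname @group:rule action src,sport -> dst,dport
#   PR proto len iphl total [-FLAGS] IN|OUT
IPMON_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<count>\d+)x )?(?P<ifname>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bpl]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<iphl>\d+) (?P<total>\d+)"
    r"(?: (?P<flags>-[A-Z]*))?\s+(?P<direction>IN|OUT)$"
)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: quoted entries with the redacted destination replaced
# by 192.0.2.0/24 documentation addresses and the routable source by
# 203.0.113.17 (also a documentation address).
SAMPLE_LOG = """\
21/02/2001 04:51:05.250782 2x xl1 @0:6 b 10.0.0.1,137 -> 192.0.2.255,137 PR udp len 20 19968  IN
21/02/2001 05:08:04.033088 xl1 @0:4 b 192.168.1.20,137 -> 192.0.2.255,137 PR udp len 20 19968  IN
21/02/2001 05:30:15.651130 xl1 @0:1 b 203.0.113.17,46666 -> 192.0.2.10,25 PR tcp len 20 7168 - IN
21/02/2001 06:05:22.220902 xl1 @0:6 b 10.23.32.72,39666 -> 192.0.2.10,25 PR tcp len 20 10240 -A IN
"""


@dataclass
class Entry:
    ifname: str
    rule: str            # "group:rule" as logged
    action: str          # b = blocked, p = passed, l = logged
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    flags: str           # TCP flag letters; "" for UDP or when no flag is set
    count: int           # the "Nx" repeat count, 1 when absent


def parse_line(line: str) -> Entry:
    """Parse one ipmon line; raise ValueError on anything else."""
    m = IPMON_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ipmon line: {line!r}")
    flags = (m["flags"] or "-")[1:]          # drop the '-' separator
    return Entry(m["ifname"], f"{m['group']}:{m['rule']}", m["action"],
                 ipaddress.ip_address(m["src"]), int(m["sport"]),
                 ipaddress.ip_address(m["dst"]), int(m["dport"]),
                 m["proto"], flags, int(m["count"] or 1))


def is_rfc1918(addr: Union[str, ipaddress.IPv4Address]) -> bool:
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918)


def classify(e: Entry, local_net: ipaddress.IPv4Network) -> str:
    """Say what a blocked packet most plausibly is, given the local subnet."""
    broadcast = (e.dst == local_net.broadcast_address
                 or e.dst == ipaddress.ip_address("255.255.255.255"))
    if e.proto == "udp" and e.dport == 137:
        src_note = "RFC 1918 source" if is_rfc1918(e.src) else "routable source"
        if broadcast:
            return f"netbios-ns broadcast, {src_note}: leaked LAN chatter, not a probe"
        return f"netbios-ns unicast, {src_note}: directed name query, worth a look"
    if e.proto == "tcp":
        if e.flags == "":
            return "tcp with no flags set: malformed, not a normal connection attempt"
        if "S" in e.flags and "A" not in e.flags:
            return "tcp SYN: connection attempt"
        if "A" in e.flags and "S" not in e.flags:
            return "tcp ACK without SYN: stray segment or ACK probe, no connection opened"
    return "unclassified"


def triage(log_text: str, local_net: str) -> List[Tuple[Entry, str]]:
    net = ipaddress.ip_network(local_net)
    return [(e, classify(e, net))
            for e in (parse_line(l) for l in log_text.splitlines() if l.strip())]


if __name__ == "__main__":
    for e, verdict in triage(SAMPLE_LOG, "192.0.2.0/24"):
        print(f"x{e.count} {e.src}:{e.sport} -> {e.dst}:{e.dport}/{e.proto}: {verdict}")
```

Run against a real ipmon log by feeding it the file contents and the interface's actual subnet; if the 137/udp entries all land on the broadcast address, that is the "someone on your broadcast domain is leaking NetBIOS" case rather than a scan.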