From owner-freebsd-security  Fri Jun 29  9:17:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from MCSMTP2.MC.VANDERBILT.EDU (mcsmtp2.mc.Vanderbilt.Edu [160.129.93.208])
	by hub.freebsd.org (Postfix) with ESMTP id 09C3137B409
	for <freebsd-security@freebsd.org>; Fri, 29 Jun 2001 09:17:45 -0700 (PDT)
	(envelope-from George.Giles@mcmail.vanderbilt.edu)
Subject: Re: What is ipfw telling me ?
To: Peter Pentchev <roam@orbitel.bg>
Cc: freebsd-security@freebsd.org
X-Mailer: Lotus Notes Release 5.0.3  March 21, 2000
Message-ID: <OF643DAAFD.B532A7E3-ON86256A7A.00591863@MC.VANDERBILT.EDU>
From: George.Giles@mcmail.vanderbilt.edu
Date: Fri, 29 Jun 2001 11:16:52 -0500
X-MIMETrack: Serialize by Router on MCSMTP2.MC.vanderbilt.edu/VUMC/Vanderbilt(Release 5.0.6a
 |January 17, 2001) at 06/29/2001 11:12:05 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org


I do not agree. Here's why:

      the ipfw is on 10.0.0.2 and does not have a web server.
     10.0.0.1 does.

I see a lot of these style attacks, various ports, various services used on
10.0.0.1, always proxying to another machine. That is ipfw is on 10.0.0.2
and the signature of the log is:

     attacker:port 10.0.0.1:port

It makes me think that somehow a proxy attack is going on.

The 10.x.x.x are not the actual addresses obviously.

George



                                                                                                                   
                    Peter                                                                                          
                    Pentchev             To:     George.Giles@mcmail.vanderbilt.edu                                
                    <roam@orbitel        cc:     freebsd-security@freebsd.org                                      
                    .bg>                 Subject:     Re: What is ipfw telling me ?                                
                                                                                                                   
                    06/29/2001                                                                                     
                    10:04 AM                                                                                       
                                                                                                                   
                                                                                                                   



On Fri, Jun 29, 2001 at 09:49:54AM -0500,
George.Giles@mcmail.vanderbilt.edu wrote:
> What is ipfw telling me ?
>
> The 216 host is attempting to break in, but how is it using port 80 on
the
> other machine ?
>
>  ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0

The host 216.239.46.20 is trying to connect to 10.0.0.1; the connection
attempt is from port 21602 (ephemeral, unique to this connection in
a certain timeframe) to port 80 on 10.0.0.1.  That is, someone from
216.239.46.20 is trying to browse the web on 10.0.0.1.

G'luck,
Peter

--
This sentence claims to be an Epimenides paradox, but it is lying.





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message