From: Peter Pentchev <roam@orbitel.bg>
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Date: Fri, 29 Jun 2001 19:29:25 +0300
Subject: Re: What is ipfw telling me ?
Message-ID: <20010629192925.F535@ringworld.oblivion.bg>

On Fri, Jun 29, 2001 at 11:16:52AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
>
> I do not agree. Here's why:
>
> The ipfw is on 10.0.0.2 and does not have a web server.
> 10.0.0.1 does.
>
> I see a lot of these style attacks, various ports, various services used on
> 10.0.0.1, always proxying to another machine. That is, ipfw is on 10.0.0.2
> and the signature of the log is:
>
> attacker:port 10.0.0.1:port
>
> It makes me think that somehow a proxy attack is going on.
>
> The 10.x.x.x are not the actual addresses, obviously.

Look. The ipfw logs (as you could easily test yourself) list the source and
destination addresses of a TCP or UDP packet as saddr:sport daddr:dport.
The log line you pasted clearly means that there was a TCP packet from
216.blah port 21602 (clearly ephemeral) to 10.0.0.1 port 80. Somebody is
trying to reach port 80 on 10.0.0.1.

If 10.0.0.1 is not directly reachable, then this might very well be a
packet translated by a NAT (a.k.a. masquerading in the Linux world) gateway.
It might be a proxy attack, but this depends on the structure of your
network. All the log says is that 216.blah is trying to connect to the
webserver on 10.0.0.1, and that's a fact.

G'luck,
Peter

-- 
This sentence claims to be an Epimenides paradox, but it is lying.

> Peter Pentchev          To: George.Giles@mcmail.vanderbilt.edu
> .bg>                    Subject: Re: What is ipfw telling me ?
>
> 06/29/2001 10:04 AM
>
> On Fri, Jun 29, 2001 at 09:49:54AM -0500,
> George.Giles@mcmail.vanderbilt.edu wrote:
> > What is ipfw telling me ?
> >
> > The 216 host is attempting to break in, but how is it using port 80 on the
> > other machine ?
> >
> > ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0
>
> The host 216.239.46.20 is trying to connect to 10.0.0.1; the connection
> attempt is from port 21602 (ephemeral, unique to this connection in
> a certain timeframe) to port 80 on 10.0.0.1. That is, someone from
> 216.239.46.20 is trying to browse the web on 10.0.0.1.
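The point of the thread is that an ipfw log line always reads source then destination (saddr:sport daddr:dport), so "216.x:21602 10.0.0.1:80" is a packet headed for port 80 on 10.0.0.1, not a host using port 80 on the other machine. The following parser, an added example and not code from the thread or from FreeBSD, reads lines in that format (ICMP lines carry "ICMP:type.code" and no ports), tolerates a syslog prefix before "ipfw:", groups inbound denies by the service they were aimed at, and separates packets addressed to the firewall itself from packets in transit to a host behind it. The sample log lines and the firewall address set FIREWALL_ADDRS are constructed for the example; 10.0.0.2 as the ipfw host and 10.0.0.1 as the web server follow the thread, the rest is assumed.

```python
"""Parse FreeBSD ipfw(8) log lines and show who is hitting which service.

Added example, not code from the mailing-list thread. ipfw logs a packet as
    ipfw: <rule> <action> <proto> <saddr>:<sport> <daddr>:<dport> <in|out> via <iface>
with the source address first and the destination second. ICMP entries use
"ICMP:<type>.<code>" and carry bare addresses without ports.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\S+)\s+(?P<proto>[A-Za-z]+)"
    r"(?::(?P<icmp>\d+\.\d+))?\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)


@dataclass(frozen=True)
class IpfwEntry:
    rule: int
    action: str
    proto: str
    src: str
    sport: Optional[int]   # None for ICMP
    dst: str
    dport: Optional[int]   # None for ICMP
    direction: str
    iface: str


def parse_ipfw_line(line: str) -> Optional[IpfwEntry]:
    """Return the parsed entry, or None if the line is not an ipfw log line.
    A syslog prefix such as "Jun 29 10:04:00 gw /kernel: " is tolerated
    because the regex searches for the "ipfw:" token rather than anchoring."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return IpfwEntry(
        rule=int(g["rule"]), action=g["action"], proto=g["proto"].upper(),
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        direction=g["direction"], iface=g["iface"],
    )


def is_transit(entry: IpfwEntry, firewall_addrs: Set[str]) -> bool:
    """True when neither address is the firewall's own: the packet was on its
    way to or from a host behind the firewall (the thread's case, where the
    deny is logged on 10.0.0.2 but the target is 10.0.0.1:80)."""
    return entry.dst not in firewall_addrs and entry.src not in firewall_addrs


def summarize_denies(lines: Iterable[str],
                     firewall_addrs: Set[str]) -> Dict[Tuple[str, Optional[int], str], Set[str]]:
    """Map (dst, dport, proto) -> set of source addresses for inbound Deny
    entries, so repeated hits on one service are read as what they are:
    connection attempts to that destination port."""
    hits = defaultdict(set)
    for line in lines:
        e = parse_ipfw_line(line)
        if e is None or e.action != "Deny" or e.direction != "in":
            continue
        hits[(e.dst, e.dport, e.proto)].add(e.src)
    return dict(hits)


# Constructed sample log in the same format as the line quoted in the thread.
# Assumed layout: 10.0.0.2 is the ipfw host, 10.0.0.1 the web server behind it.
SAMPLE_LOG = [
    "Jun 29 10:04:00 gw /kernel: ipfw: 2400 Deny TCP 216.239.46.20:21602 10.0.0.1:80 in via xl0",
    "Jun 29 10:04:07 gw /kernel: ipfw: 2400 Deny TCP 216.239.46.20:21604 10.0.0.1:80 in via xl0",
    "Jun 29 10:05:12 gw /kernel: ipfw: 2400 Deny TCP 198.51.100.7:40011 10.0.0.1:80 in via xl0",
    "Jun 29 10:05:30 gw /kernel: ipfw: 2300 Deny TCP 198.51.100.7:40012 10.0.0.2:22 in via xl0",
    "Jun 29 10:06:01 gw /kernel: ipfw: 2500 Deny ICMP:8.0 203.0.113.9 10.0.0.1 in via xl0",
    "Jun 29 10:06:05 gw /kernel: ipfw: 100 Accept TCP 10.0.0.1:80 216.239.46.20:21602 out via xl0",
    "Jun 29 10:06:09 gw sshd[123]: Accepted publickey for admin",  # not an ipfw line
]
FIREWALL_ADDRS = {"10.0.0.2", "203.0.113.1"}   # assumed addresses of the ipfw host

if __name__ == "__main__":
    for key, srcs in sorted(summarize_denies(SAMPLE_LOG, FIREWALL_ADDRS).items(), key=str):
        dst, dport, proto = key
        print(f"{proto} -> {dst}:{dport}  from {len(srcs)} source(s): {', '.join(sorted(srcs))}")
    for line in SAMPLE_LOG:
        e = parse_ipfw_line(line)
        if e and e.action == "Deny":
            kind = "transit to host behind firewall" if is_transit(e, FIREWALL_ADDRS) else "firewall itself"
            print(f"rule {e.rule}: {e.src} -> {e.dst}:{e.dport} ({kind})")
```

Run against a real /var/log/security the output answers the question in the thread directly: a key of ("10.0.0.1", 80, "TCP") with several sources is remote hosts trying to reach the web server, and is_transit tells you whether the firewall was protecting itself or a machine behind it (and therefore whether NAT or forwarding is involved).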