Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Is this a DOS - port 36121

To: "'Jason Witty'" <[email protected]>
Subject: RE: [FW1] Is this a DOS - port 36121
From: Ken Lui <[email protected]>
Date: Wed, 20 Sep 2000 07:52:20 -0600
Cc: "'[email protected]'" <[email protected]>
Sender: [email protected]

Jason,

They are tco connection. The log entries read:
Origin  Action  Service  Src      Dst      Prot. Rule  S_port Info.
f.w.I.P drop    36121    a.b.c.d  f.w.I.P  tcp    4    51564  len 44
daemon  reject  36121    a.b.c.d  f.w.I.P  tcp    0    51564  message
SYNDefender warning: SYN->SYN-ACK->Timeout

It doesn't seems to be the problem with the log viewer. The entries are very
consistence and the patterns are very similar. The key is that what uses
port 36121?

Ken Lui

-----Original Message-----
From: Jason Witty [mailto:[email protected]]
Sent: Tuesday, September 19, 2000 3:22 PM
To: Ken Lui
Subject: Re: [FW1] Is this a DOS - port 36121

What IP protocol shows up in the log viewer for this traffic? TCP? ICMP?
UDP? ???GRE?

Reason I ask is that the log viewer gets goofed up somtimes on non-TCP
related protocols, and falsely reports a "port" for a protocol which has
no "port" definitions. 

Ken Lui wrote:
> 
> Hi all,
> 
> We are running FW1 ver 4.1 and running inbound security servers for SMTP,
> outbound HTTP and FTP. Lately, we have a lot of connection attempts coming
> from internet to the external IP of our firewall using 36121 as service.
In
> the log file, the entries read:
> 
> Action     Service    Src        Dst       Rule   Src port     Info.
> drop        36121     a.b.c.d    f.w.I.P   4        51564        len 44
> reject      36121     a.b.c.d    f.w.I.P   0        51564        message
> SYNDefender warning: SYN->SYN-ACK->Timeout
> 
> This is usually before a SMTP connection to our inbound smtp server.
> 
> I've check the port and it doesn't seems to related to any Trojan. Any
> advice welcome.
> 
> Ken
> 
>
============================================================================
====
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
>
============================================================================
====

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: Re: [FW1] SBFC service specific error 1
Next by Date: RE: [FW1] CCSA & CCSE
Previous by thread: [FW1] Is this a DOS - port 36121
Next by thread: [FW1] session authentication problems with routed networks ?
Index(es):
- Date
- Thread