Re: [FW1] More AKAMAI....
Carl,

Are you referring to RFC1918 addresses? Technically these are routable, but _most_ ISPs will drop these (this is where most say they are not routable). But if they originate from the ISP, they can do what they want.

What do your ACLs look like for blocking these? Should be something like (fast rip from SANS site w/other IP nets http://www.sans.org/dosstep/cisco_spoof.htm ):

no access-list 150
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any

Since Akamai has many of these around the world, they may have struck a deal with the ISP (read, paid $$ to ISP) to place these strategically at ISP sites.

The packet was most likely sent with the ACK bit set. This would explain the fw dropping the packet with the message "unknown established tcp packet". Akamai is just prompting for some sort of response, which your fw gladly turned down.

Look through your logs. I think you might find that Akamai is using 'known' port numbers (numbers it has seen or a few after them) to attempt to anticipate communications with anything it can find.

Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice:
email: [email protected]

>>> Carl E. Mankinen <[email protected]> 9/26/00 6:22:43 PM >>>
>
>Okay, I am seeing some strange logs on my FW1 lately.
>I punched in the IP into google and found someone else with similar log entries and concern posted on
>SANS.
>(they seem to think it's a LOKI scan or something similar)
>
>Go to ARIN and lookup 204.178.110.52
>You will find this belongs to AKAMAI-TECH.
>
>Somehow they got past all our null0 routes, all our access lists, and managed to have a packet
>arrive at my FW's outside interface SOURCEd from AKAMAI with a RFC1814 DESTINATION address.
>Service 1439, tcp, S_port http
>
>This same host is scanning my block of addresses and attempting to talk to my bastion host on port
>10094.
>
>My firewall is catching all these and dropping them, but I am really concerned about seeing RFC1814
>addresses at my outside interface especially when my router is set to block them and they aren't routable
>ANYWAY...
>(however, this Akamai host is on my IAP's network... (coincidence?))
>
>Is it possible that FW1 did not log the addresses correctly? Perhaps it logged the destination after it had
>been xlat'd???
>There was no nat applied on the log entry and it's a rule 0 (unknown established tcp packet)
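The ACL Robert pastes uses Cisco wildcard masks (a 1 bit means "don't care"), which are easy to misread as subnet masks when auditing a filter. The following is an added example, not code from either poster or from SANS: it parses that exact ACL, evaluates candidate source addresses against it with first-match semantics and the implicit deny at the end, and also flags packets whose destination is an RFC1918 address, since the posted list only filters on source and would pass a packet like the one Carl describes (public source, private destination). The Check Point-style log lines are constructed for the example.

```python
import ipaddress

# Ingress anti-spoofing ACL exactly as posted in the thread (Cisco IOS syntax).
ACL_TEXT = """
no access-list 150
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any
"""

# RFC1918 space, used for the destination-side check the posted ACL lacks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def wildcard_to_network(addr, wildcard):
    """Turn Cisco 'address wildcard' into an ipaddress network.

    Wildcard bits set to 1 are ignored, so the netmask is the bitwise inverse.
    Only contiguous wildcards are supported (ip_network rejects the rest)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_acl(text):
    """Return an ordered list of (action, source_network) from IOS ACL text."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        # Shape: access-list <num> <deny|permit> <proto> <src> [<wildcard>] <dst>
        if len(parts) < 5 or parts[0] != "access-list":
            continue  # skips the 'no access-list 150' reset line
        action = parts[2]
        if parts[4] == "any":
            src = ipaddress.ip_network("0.0.0.0/0")
        else:
            src = wildcard_to_network(parts[4], parts[5])
        rules.append((action, src))
    return rules


def evaluate(rules, src_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in rules:
        if ip in net:
            return action
    return "deny"


def audit_log(rules, log_lines):
    """Report, per constructed log line, what the source ACL would have done
    and whether the destination is RFC1918 (which the posted ACL ignores)."""
    report = []
    for line in log_lines:
        fields = dict(f.split(":", 1) for f in line.split())
        src, dst = fields["src"], fields["dst"]
        dst_private = any(ipaddress.ip_address(dst) in n for n in RFC1918)
        report.append((src, dst, evaluate(rules, src), dst_private))
    return report


# Constructed sample log lines (assumption: 'src:' / 'dst:' fields, not real FW-1 output).
SAMPLE_LOG = [
    "src:204.178.110.52 dst:10.0.0.5 proto:tcp s_port:80 service:1439",
    "src:10.9.8.7 dst:198.51.100.2 proto:tcp s_port:1025 service:22",
]

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for src, dst, verdict, dst_private in audit_log(rules, SAMPLE_LOG):
        print(f"{src} -> {dst}: source ACL says {verdict}; private destination: {dst_private}")
```

Running it shows the first constructed line (public source, RFC1918 destination) is permitted by the source filter, which is why a destination-side rule or a route to null0 for private space is needed in addition to the list above.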