RE: [FW1] Need help understanding "snoop" output



Thanks for the reply.
I think your last, unlikely possibility may be right. This is not limited to
only one or a few addresses on our network, but appears to be random
addresses, thousands of them. Occasionally they will hit an active one, but
since 207.88.240.101 (and 207.88.240.105, another address doing the same
thing) are both being dropped in victimlan, that is a moot point. At this
time, I see only inbound traffic from either of these addresses, and no
traffic at all from or to 194.102.91.1, nor from the inactive random
addresses. Doing a traceroute to 207.88.240.101 and 207.88.240.105, I do not
find 194.102.91.1 in the list of addresses. Doing a traceroute to
194.102.91.1 ends in a router loop. It is also unreachable from another
network on which I have an account. I do not believe these packets are in
response to anything outbound from my network, not, at least, if I can
believe my firewall log.

So, if I understand your analysis, the packets do originate with
207.88.240.101 (and 207.88.240.105), not 194.102.91.1. Correct?

Thanks again,
Chuck Sterling

> ----------
> From: 	Oliver Viitamaki[SMTP:[email protected]]
> Sent: 	Friday, November 03, 2000 8:09 AM
> To: 	Sterling, Chuck
> Subject: 	Re: [FW1] Need help understanding "snoop" output
> 
> 
>          I hadn't seen any replies on the list to your message. So if you
> already have the answers you need please disregard and put directly in the
> trash now....       just let me know that you've sorted it out and what you
> found.
> 
>          Your traffic analysis here...
> 
>          A TCP packet claimed to have been sent from 130.135.177.196 to
> 194.102.91.1. That is what is recorded in the second portion of the ICMP
> packet. There is not enough information in the second section to discover
> what the ports that were being used were, so I cannot guess what someone
> may have been trying to get at. The ICMP packet is generated by
> 207.88.240.101 claiming that 194.102.91.1 is "Destination unreachable, Bad
> host". This is the reason for this entire packet coming at your Firewall.
> It is a return packet from 207.88.240.101 indicating that 207.88.240.101 is
> along the path to 194.102.91.1, probably the last hop router before the
> 194.102.91.x subnet, indicating that the host 194.102.91.1 doesn't exist.
> 
>          To validate this, I suggest that you see if the traffic is still
> occurring, and then look for outgoing packets from your network destined
> for 194.102.91.1. You should be able to see them. If you do, then I would
> go and find 130.135.177.196, and discover what they are up to. If you do
> not see the traffic going out, check to see if it is still coming at you.
> If it is, then still go and find 130.135.177.196, and see what they are up
> to, and validate that they are not generating the traffic, again by using a
> sniffer such as snoop. If you then see the traffic leaving that node
> 130.135.177.196, but don't see it going out at the Firewall, then there is
> another route out of your network, to the internet..... fun starts now....
>
> If you can't find any traffic coming out of 130.135.177.196, and you still
> see it incoming at the Firewall then it is time to consider the next
> paragraph...
> 
>          Another possibility, although unlikely, is that someone is trying
> to map your network. This is unlikely as there would not be any return
> traffic from your subnet; ICMP traffic of this nature does not generate
> ICMP messages saying it can't get there. So the only reason that someone
> would be doing this is to disguise what is really going on, i.e.,
> "Firewalking", figuring out what your Firewall rule set is.
> 
> 
>          ov
> 
> 
> At 01:42 PM 11/2/00 -0700, you wrote:
> 
> >Hello,
> >
> >The last few days we've been seeing a lot of more-or-less random ping
> >traffic with an apparent source address of 207.88.240.101, as far as the
> >FW-1 firewall log shows. Using "snoop" on Solaris 2.6, I captured a few
> >packets, an example of which is below. I confess confusion. Note that
> >further down in the snoop output in the ICMP header section, an entirely
> >different address is listed, 194.102.91.1, with the above address showing
> >up in the IP header only. The address of 130.135.177.196 is on my LAN and
> >is the target of the probe.
> >
> >So, the question I have: Can we tell from this where the packet originated?
> >If 207.88.240.101, it would appear to be from p10-0.edge1.pal-ca.us.xo.com
> >in a network formerly called CONCENTRIC.NET. If 194.102.91.1, then we're
> >talking about Bucharest, Romania. I'd really like to know which, if
> >possible, but do not know how to interpret the snoop output below.
> >
> >Also, is there any way to discover this info and/or the "extra" ip address
> >from within FW-1 without resorting to snoop?
> >
> >Thanks for any help,
> >Chuck Sterling
> >
> >ETHER:  ----- Ether Header -----
> >ETHER:
> >ETHER:  Packet 1 arrived at 12:59:40.27
> >ETHER:  Packet size = 70 bytes
> >ETHER:  Destination = 8:0:20:c0:5f:c6, Sun
> >ETHER:  Source      = 0:10:7b:9e:d3:20,
> >ETHER:  Ethertype = 0800 (IP)
> >ETHER:
> >IP:   ----- IP Header -----
> >IP:
> >IP:   Version = 4
> >IP:   Header length = 20 bytes
> >IP:   Type of service = 0x00
> >IP:         . .... = 0 (precedence)
> >IP:         ...0 .... = normal delay
> >IP:         .... 0... = normal throughput
> >IP:         .... .0.. = normal reliability
> >IP:   Total length = 56 bytes
> >IP:   Identification = 0
> >IP:   Flags = 0x0
> >IP:         .0.. .... = may fragment
> >IP:         ..0. .... = last fragment
> >IP:   Fragment offset = 0 bytes
> >IP:   Time to live = 248 seconds/hops
> >IP:   Protocol = 1 (ICMP)
> >IP:   Header checksum = ceba
> >IP:   Source address = 207.88.240.101, 207.88.240.101
> >IP:   Destination address = 130.135.177.196, 130.135.177.196
> >IP:   No options
> >IP:
> >ICMP:  ----- ICMP Header -----
> >ICMP:
> >ICMP:  Type = 3 (Destination unreachable)
> >ICMP:  Code = 1 (Bad host)
> >ICMP:  Checksum = bcf5
> >ICMP:
> >ICMP:  [ subject header follows ]
> >ICMP:
> >ICMP:IP:   ----- IP Header -----
> >ICMP:IP:
> >ICMP:IP:   Version = 4
> >ICMP:IP:   Header length = 20 bytes
> >ICMP:IP:   Type of service = 0x00
> >ICMP:IP:         . .... = 0 (precedence)
> >ICMP:IP:         ...0 .... = normal delay
> >ICMP:IP:         .... 0... = normal throughput
> >ICMP:IP:         .... .0.. = normal reliability
> >ICMP:IP:   Total length = 40 bytes
> >ICMP:IP:   Identification = 28256
> >ICMP:IP:   Flags = 0x0
> >ICMP:IP:         .0.. .... = may fragment
> >ICMP:IP:         ..0. .... = last fragment
> >ICMP:IP:   Fragment offset = 0 bytes
> >ICMP:IP:   Time to live = 24 seconds/hops
> >ICMP:IP:   Protocol = 6 (TCP)
> >ICMP:IP:   Header checksum = e2bc
> >ICMP:IP:   Source address = 130.135.177.196, 130.135.177.196
> >ICMP:IP:   Destination address = 194.102.91.1, 194.102.91.1
> >ICMP:IP:   No options
> >ICMP:IP:
> >IP:
> >
> >


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
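A worked decoding of the datagram in the snoop output above, as an added example that is not part of the thread and not code from Check Point or from Solaris snoop. It rebuilds the datagram from the fields snoop printed, confirms that the two IP header checksums come out to exactly the values in the capture (ceba for the outer header, e2bc for the quoted one), and then separates the outer source, which is the host that generated the ICMP error, from the source and destination in the quoted header, which only describe the packet the error is about. Assumptions: the 8 bytes that follow the quoted IP header (the start of the TCP header) are not shown by snoop 2.6 and are a zero placeholder here, so the ICMP checksum is recomputed rather than copied; the local network 130.135.177.0/24 is assumed, since the thread only says that .196 is on the LAN; and the hop count derived from TTL is a heuristic to compare against a traceroute, not a fact about the packet.

```python
"""Decode an ICMP "Destination Unreachable" datagram and separate the host
that SENT the error (outer IP source) from the hosts named in the packet it
QUOTES (inner IP header).  Added example, not code from the thread."""
import ipaddress
import struct

UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable",
                 4: "fragmentation needed", 5: "source route failed"}
IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options

def ip_checksum(data: bytes) -> int:
    """RFC 791/792 one's-complement checksum (checksum field must be zero)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, ttl, ident, payload, total_len=None):
    """IPv4 header with a correct checksum.  total_len can be overridden because
    an ICMP error quotes a header whose length field still describes the ORIGINAL
    packet, even though only 8 bytes of that packet's payload are carried along."""
    total_len = total_len or 20 + len(payload)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, total_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_icmp_unreachable(code, quoted):
    """ICMP type 3: type, code, checksum, 4 unused bytes, then the quoted packet."""
    msg = struct.pack("!BBHI", 3, code, 0, 0) + quoted
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]

def parse_ipv4(data: bytes) -> dict:
    """Parse the fixed header fields and verify the header checksum."""
    ver_ihl, _, total_len, ident, _, ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = data[:ihl]
    return {"ihl": ihl, "total_len": total_len, "id": ident, "ttl": ttl,
            "proto": proto, "checksum": csum,
            "checksum_ok": ip_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}

def parse_icmp_unreachable(datagram: bytes) -> dict:
    """Who generated the error, and whose packet does it quote?"""
    outer = parse_ipv4(datagram)
    if outer["proto"] != 1:
        raise ValueError("not ICMP")
    icmp = datagram[outer["ihl"]:]
    itype, icode = struct.unpack("!BB", icmp[:2])
    if itype != 3:
        raise ValueError("not Destination Unreachable (type 3)")
    # RFC 792: after the 8-byte ICMP header comes the offending packet's IP
    # header plus the first 8 bytes of its payload (for TCP/UDP: ports, seq).
    quoted = parse_ipv4(icmp[8:])
    l4 = icmp[8 + quoted["ihl"]:8 + quoted["ihl"] + 8]
    ports = struct.unpack("!HH", l4[:4]) if quoted["proto"] in (6, 17) and len(l4) >= 4 else None
    return {"error_sender": outer["src"],    # the hop that gave up: the real originator
            "error_receiver": outer["dst"],
            "reason": UNREACH_CODES.get(icode, "code %d" % icode),
            "quoted_src": quoted["src"],     # what the dropped packet CLAIMED as its source
            "quoted_dst": quoted["dst"],     # where the dropped packet was headed
            "quoted_proto": quoted["proto"], "quoted_ports": ports,
            "outer": outer, "quoted": quoted}

def hops_travelled(ttl: int, initial_ttls=(32, 64, 128, 255)) -> dict:
    """Heuristic only: hops implied by each common initial TTL (compare with traceroute)."""
    return {init: init - ttl for init in initial_ttls if init >= ttl}

def next_step(report: dict, local_nets, fw_saw_outbound: bool, host_saw_outbound: bool) -> str:
    """The investigation order from the thread, as a decision function."""
    q_src = ipaddress.IPv4Address(report["quoted_src"])
    if not any(q_src in ipaddress.IPv4Network(n) for n in local_nets):
        return "quoted packet is not ours: stray error, nothing to chase"
    if fw_saw_outbound:
        return "%s really is sending to %s: go look at that host" % (report["quoted_src"], report["quoted_dst"])
    if host_saw_outbound:
        return "%s sends it but the firewall never sees it: another route out exists" % report["quoted_src"]
    return "nothing leaves for %s yet errors keep arriving: our address is being forged" % report["quoted_dst"]

# Constructed from the snoop fields in the thread.  snoop 2.6 did not decode
# the 8 bytes after the quoted IP header, so they are zero placeholders here;
# the ICMP checksum is therefore recomputed rather than copied from the capture.
QUOTED = build_ipv4("130.135.177.196", "194.102.91.1", proto=6, ttl=24,
                    ident=28256, payload=b"\x00" * 8, total_len=40)
SAMPLE = build_ipv4("207.88.240.101", "130.135.177.196", proto=1, ttl=248,
                    ident=0, payload=build_icmp_unreachable(1, QUOTED))
LOCAL_NETS = ["130.135.177.0/24"]   # assumption; the thread only says .196 is on the LAN

REPORT = parse_icmp_unreachable(SAMPLE)   # checksums: outer 0xceba, quoted 0xe2bc
```

`REPORT["error_sender"]` is 207.88.240.101 and `REPORT["quoted_dst"]` is 194.102.91.1: the Romanian address never appears as a sender of anything, only as the destination the router could not reach. `next_step` encodes the order of checks from the reply above: outbound traffic seen at the firewall, outbound seen only at the host, or no outbound at all, in which case the quoted source address is being forged by someone else.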
   All contents © 2004 Network Presence, LLC. All rights reserved.