
Re: [FW-1] AW: [FW-1] How to disable "local interface address spoofing" logging?


  • To: [email protected]
  • Subject: Re: [FW-1] AW: [FW-1] How to disable "local interface address spoofing" logging?
  • From: Matteo Masserini <[email protected]>
  • Date: Wed, 22 Oct 2003 11:32:50 +0200
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcOX87PuXuNdHS46R3iUmBc5cMWbaQAhFaUA
  • Thread-topic: [FW-1] AW: [FW-1] How to disable "local interface address spoofing" logging?

We think it might be due to the MSBlast that generates a d.o.s. attack to Windowsupdate site.
We suppose that probably someone set Windowsupdate=127.0.0.1 in the DNS to avoid the d.o.s. to this site and so:

- we have an infected host (207.88..yyy)
- the worm changes the last 2 octets of its address into 207.88.aaa.bbb and generates traffic to Windowsupdate (127.0.0.1:80)
- the infected host receives the packet on its loopback interface (127.0.0.1)
- as probably it is not a web server it sends a RST to 207.88.aaa.bbb

and generates drops on the firewall like the ones you saw yesterday.

Our problem is to remove these logs (we have millions, some hosts generate 200 logs/sec) while our customers remove the worm...

Regards.
matteo

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]]On Behalf Of Crist
Clark
Sent: Tuesday, October 21, 2003 6:23 PM
To: [email protected]
Subject: Re: [FW-1] AW: [FW-1] How to disable "local interface address spoofing" logging?


Jean-Francois Gobin wrote:
>
> Sniff on that network to look at the packets.
>
> What is the source address ? What is the destination address ?

FWIW, saw a ton of 127.0.0.1 sourced IP packets coming in from the
Internet for a few hours yesterday. They all looked something like,

  15:19:14.693234 127.0.0.1.80 > 207.88.aaa.bbb.1189: R [tcp sum ok] 0:0(0) ack 1 win 0 (ttl 118, id 5183, len 40)

That is, they all were TCP RST segments from port 80. The destination
port, the destination address, and the acknowledgement number varied
from packet to packet.

What was this? An attack? Seems unlikely. TCP RSTs with a source
address of the loopback... Nothing is ever going to get back to
the sender. Some kind of response to something going on on my network?
Not likely either. The destination addresses were frequently netblocks
with no Internet connectivity. My best guess is some kind of weird
backscatter from a spoofed attack?

Anyway, the point is what the original poster is seeing is quite
possibly _real_. It is not a misconfiguration of his system. However,
I am unaware of a way to turn off logging for these packets. This
is a Checkpoint bug. They can be filtered from the log viewer (or
Smart Tracker or whatever marketing changed the name to this month).

> On Tue, 21 Oct 2003, Olaf Lange wrote:
>
> > Matteo Masserini wrote:
> > > Thank you Dirk,
> > >
> > > we've already:
> > >
> > > - disabled logging in the topology
> > > - disabled logging in the SmartDefence
> > > - set to "false" all the parameters about spoofing in the Objects_5_0.C file
> > >
> > > with no results.
> > >
> > > We then applied Nokia Solution 3463 and the only result was the change from "local interface address spoofing" to "loopback address spoofing".
> > >
> > > Any other suggestion?
> > >
> > > Thanks.
> > > matteo
> > >
> > >
> > I guess you are missing your loopback interface.
> > I am not familiar with Nokia but there must be a way to create your
> > loopback device. On Linux you do it with
> > ifconfig lo inet 127.0.0.1 netmask 255.0.0.0 up
> >
> > Olaf
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
> >
>
> --
> Jean-Francois Gobin - Administrateur gobinjf.be
> http://www.gobinjf.be   mailto:[email protected]
>


--
Crist J. Clark                               [email protected]
Globalstar Communications
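
Added example, not part of the original thread: a small Python parser for tcpdump text lines in the format quoted in Crist Clark's message, to measure how much of a capture is loopback-sourced traffic and how much of that fits the "RST from port 80" pattern described above. The sample lines are constructed (documentation address ranges), and the function names are illustrative.

```python
import ipaddress
import re
from collections import Counter

# tcpdump text format as quoted in the thread: "time src.port > dst.port: flags ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>\S+)"
)

# Constructed sample capture (documentation address ranges), not real traffic.
SAMPLE = """\
15:19:14.693234 127.0.0.1.80 > 192.0.2.17.1189: R [tcp sum ok] 0:0(0) ack 1 win 0 (ttl 118, id 5183, len 40)
15:19:14.701112 127.0.0.1.80 > 192.0.2.201.1190: R [tcp sum ok] 0:0(0) ack 1 win 0 (ttl 118, id 5184, len 40)
15:19:14.900871 198.51.100.9.3321 > 192.0.2.17.25: S [tcp sum ok] 100:100(0) win 16384 (ttl 52, id 811, len 44)
15:19:15.002345 127.0.0.1.80 > 192.0.2.17.1191: R [tcp sum ok] 0:0(0) ack 1 win 0 (ttl 117, id 5185, len 40)
15:19:15.410000 127.0.0.1.1025 > 192.0.2.5.8080: S [tcp sum ok] 7:7(0) win 8192 (ttl 60, id 9, len 44)
garbled line that tcpdump would never print
"""

def parse_line(line):
    """Return the parsed fields of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f

def summarize(text):
    """Count loopback-sourced packets and split out the RSTs sent from port 80."""
    stats = {"unparsed": 0, "loopback": 0, "rst_from_80": 0}
    per_second, dests = Counter(), Counter()
    for line in filter(None, map(str.strip, text.splitlines())):
        pkt = parse_line(line)
        if pkt is None:
            stats["unparsed"] += 1
            continue
        if not ipaddress.ip_address(pkt["src"]).is_loopback:
            continue  # ordinary traffic, source is not in 127.0.0.0/8
        stats["loopback"] += 1
        per_second[pkt["ts"]] += 1  # timestamp truncated to whole seconds
        if pkt["sport"] == 80 and "R" in pkt["flags"]:
            stats["rst_from_80"] += 1
            dests[pkt["dst"]] += 1
    stats["peak_per_second"] = max(per_second.values(), default=0)
    stats["top_destinations"] = dests.most_common(3)
    return stats
```

Calling `summarize(SAMPLE)` returns the counters as a dict; loopback-sourced packets that are not counted in `rst_from_80` do not fit the pattern from the thread and deserve a separate look.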

   All contents © 2004 Network Presence, LLC. All rights reserved.