More firewall weirdness -- apparent spoof attempt

David Wolfskill david at catwhisker.org
Wed Jan 28 05:04:55 PST 2004


I'm rather behind on mail, so if this has been brought up, I apologize.

But in yesterday's packet-filter log, I saw a couple instantiations
of something I don't recall having seen previously.  I've taken steps
to block (& log) such things earlier in the rule set, because I see no
possible useful purpose for the pattern in question.

Here are the raw log entries (long lines; sorry):

Jan 27 08:46:20 janus /kernel: ipfw: 60000 Deny UDP 62.193.123.122:666 63.193.123.122:1026 in via dc0
Jan 27 08:46:20 janus /kernel: ipfw: 60000 Deny UDP 62.193.123.122:666 63.193.123.122:1027 in via dc0
...
Jan 27 22:17:11 janus /kernel: ipfw: 60000 Deny UDP 62.193.123.122:666 63.193.123.122:1026 in via dc0
Jan 27 22:17:11 janus /kernel: ipfw: 60000 Deny UDP 62.193.123.122:666 63.193.123.122:1027 in via dc0

[For those unfamiliar with FreeBSD's ipfw log format, the source IP:port
is on the left; the destination IP:port is on the right.  The "60000" is
the rule number that caused the logging to take place; "Deny" is what
happened to the packet.  The stuff toward the far right indicates which
NIC was involved and the direction the packet was going when it got to
that NIC.]

Now, the IP address of the packet filter's Internet-facing NIC is
62.193.123.122, and the NIC's designation is dc0.  Rule 60000 is
my catch-all "log & drop" rule.  So the good news is that these
things were dropped (& logged) anyway.

But this is fairly clearly a "this shouldn't happen" situation, unless
I'm missing a fairly valuable clue (in which case, I'd appreciate
the clue).

So now my new first rule says "packets inbound from dc0 that claim
to be from my external IP address get logged & dropped immediately."

I'm sending this out for a couple of reasons:
* to be clued in if I'm missing something;

* to let my colleagues know about this particular form of traffic,
  which looks to me to be a probe, if not an attack that is intended
  to be low-level enough to stay "under the radar".

Peace (anyway),
david
-- 
David H. Wolfskill				david at catwhisker.org
I do not "unsubscribe" from email "services" to which I have not explicitly
subscribed.  Rather, I block spammers' access to SMTP servers I control,
and encourage others who are in a position to do so to do likewise.
