What ports (source and destination) is this traffic on? Are you running NT DNS Server?

Liam.

> ----------
> From: David Watson
> Sent: 14 July 2000 00:17
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Unusual IP traffic - advice wanted on source and risk
>
> Hi,
>
> I have a FW-1 installation that has started showing up unusual traffic
> being dropped on rule 0 on the internal LAN interface. Snooping from the
> Solaris FW-1 server on the internal NIC I see:
>
> 21.20.217.199 -> 0.244.0.0 IP D=0.244.0.0 S=21.20.217.199 LEN=28, ID=0
> 105.20.100.248 -> 49.213.0.0 IP D=49.213.0.0 S=105.20.100.248 LEN=48, ID=0
> 107.20.214.112 -> 190.92.0.0 IP D=190.92.0.0 S=107.20.214.112 LEN=48, ID=0
> 107.20.213.112 -> 191.92.0.0 IP D=191.92.0.0 S=107.20.213.112 LEN=48, ID=0
> 110.20.168.165 -> 233.39.0.0 IP D=233.39.0.0 S=110.20.168.165 LEN=48, ID=0
> 110.20.56.165 -> 89.40.0.0 IP D=89.40.0.0 S=110.20.56.165 LEN=48, ID=0
> 115.20.32.18 -> 12.91.0.0 IP D=12.91.0.0 S=115.20.32.18 LEN=52, ID=0
> 116.20.178.3 -> 3.125.0.0 IP D=3.125.0.0 S=116.20.178.3 LEN=52, ID=0
> 116.20.177.3 -> 4.125.0.0 IP D=4.125.0.0 S=116.20.177.3 LEN=52, ID=0
> 119.20.88.212 -> 79.129.0.0 IP D=79.129.0.0 S=119.20.88.212 LEN=52, ID=0
> 45.20.216.241 -> 87.24.0.0 IP D=87.24.0.0 S=45.20.216.241 LEN=32, ID=0
> 241.20.162.103 -> 234.204.0.0 IP D=234.204.0.0 S=241.20.162.103 LEN=84, ID=0
> 241.20.212.187 -> 184.120.0.0 IP D=184.120.0.0 S=241.20.212.187 LEN=84, ID=0
> 236.20.43.101 -> 174.75.0.0 IP D=174.75.0.0 S=236.20.43.101 LEN=80, ID=0
> 236.20.43.100 -> 186.81.0.0 IP D=186.81.0.0 S=236.20.43.100 LEN=80, ID=0
> 45.20.233.58 -> 141.10.0.0 IP D=141.10.0.0 S=45.20.233.58 LEN=32, ID=0
> 241.20.174.135 -> 222.172.0.0 IP D=222.172.0.0 S=241.20.174.135 LEN=84, ID=0
> 241.20.158.174 -> 238.133.0.0 IP D=238.133.0.0 S=241.20.158.174 LEN=84, ID=0
> 17.20.116.69 -> 10.122.0.0 IP D=10.122.0.0 S=17.20.116.69 LEN=28, ID=0
>
> Source IP addresses don't appear to repeat themselves and destination
> addresses are all /16 type network addresses. Note that the 2nd octet of
> the source address always appears to be .20. All these ranges appear to be
> IANA reserved blocks and are unroutable.
>
> I've tried looking from a number of internal servers (private address space
> + NAT for certain Internet services) and they can all see this traffic,
> about one packet every 3-5 seconds (but fairly random in delay between
> packets). The traffic is not visible on the external FW-1 interface at all
> (it appears to originate internally and is dropped) and our external ISS
> RealSecure IDS box is not reporting anything unusual.
>
> Snoop output from one internal host:
>
> 110.20.177.138 -> 224.66.0.0 IP D=224.66.0.0 S=110.20.177.138 LEN=48, ID=0
> 116.20.191.6 -> 224.119.0.0 IP D=224.119.0.0 S=116.20.191.6 LEN=52, ID=0
> 115.20.122.229 -> 224.118.0.0 IP D=224.118.0.0 S=115.20.122.229 LEN=52, ID=0
> 111.20.175.231 -> 224.229.0.0 IP D=224.229.0.0 S=111.20.175.231 LEN=48, ID=0
> 115.20.100.62 -> 224.103.0.0 IP D=224.103.0.0 S=115.20.100.62 LEN=52, ID=0
> 116.20.241.50 -> 224.107.0.0 IP D=224.107.0.0 S=116.20.241.50 LEN=52, ID=0
> 119.20.4.221 -> 224.99.0.0 IP D=224.99.0.0 S=119.20.4.221 LEN=52, ID=0
> 115.20.70.253 -> 224.101.0.0 IP D=224.101.0.0 S=115.20.70.253 LEN=52, ID=0
> 111.20.176.143 -> 224.61.0.0 IP D=224.61.0.0 S=111.20.176.143 LEN=48, ID=0
> 109.20.178.177 -> 224.27.0.0 IP D=224.27.0.0 S=109.20.178.177 LEN=48, ID=0
> 116.20.241.47 -> 224.110.0.0 IP D=224.110.0.0 S=116.20.241.47 LEN=52, ID=0
> 111.20.176.141 -> 224.63.0.0 IP D=224.63.0.0 S=111.20.176.141 LEN=48, ID=0
> 105.20.181.236 -> 224.224.0.0 IP D=224.224.0.0 S=105.20.181.236 LEN=48, ID=0
> 114.20.106.115 -> 224.188.0.0 IP D=224.188.0.0 S=114.20.106.115 LEN=52, ID=0
>
> The IP address range for source and destination appear to be much more
> limited when viewed from a local host rather than the FW-1 internal NIC.
> The FW-1 internal NIC has a higher rate of this traffic and appears to be a
> larger superset of the traffic observable from a single internal host
> alone.
>
> If anyone can explain this mystery traffic I would be grateful. Also,
> opinions on whether this is a potential security breach would be good too.
> I've searched ISS XForce, RootShell and various alert listings, plus the
> FW-1 archive etc and can't find an explanation. It doesn't appear to be DOS
> based and I'm unsure of how it could be produced accidentally from an
> internal host.
>
> Thanks in advance,
>
> David
> --
> David Watson          Voice: UK 01904 438000
> Technical Manager     Fax: UK 01904 435199
> Infocom UK Ltd        E-Mail: [EMAIL PROTECTED]
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
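As an added example that is not part of the thread, the following Python script parses snoop summary lines of the form quoted above (after any mail-wrapped lines have been re-joined) and tallies the features David points to (IP ID always 0, destinations with a zeroed host part, a .20 second octet in every source), plus two the addresses themselves show (multicast 224/4 destinations and class E 240/4 sources). The sample lines are constructed from the post plus one ordinary packet for contrast, and the tag names are my own.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: three lines taken from the post (re-joined onto one
# line each) and one ordinary unicast packet that should raise no tags.
# snoop prints "SRC -> DST IP D=DST S=SRC LEN=n, ID=n" for undecoded IP.
SNOOP_LINES = """\
21.20.217.199 -> 0.244.0.0 IP D=0.244.0.0 S=21.20.217.199 LEN=28, ID=0
110.20.177.138 -> 224.66.0.0 IP D=224.66.0.0 S=110.20.177.138 LEN=48, ID=0
241.20.162.103 -> 234.204.0.0 IP D=234.204.0.0 S=241.20.162.103 LEN=84, ID=0
192.168.1.10 -> 192.168.1.1 IP D=192.168.1.1 S=192.168.1.10 LEN=60, ID=4711
""".splitlines()

LINE_RE = re.compile(r"^(\S+) -> (\S+) IP D=(\S+) S=(\S+) LEN=(\d+), ID=(\d+)$")

def parse_snoop_line(line):
    """Return a dict for one snoop summary line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, _d, _s, length, ident = m.groups()
    return {"src": src, "dst": dst, "len": int(length), "id": int(ident)}

def anomalies(rec):
    """Tags (my own names) for the oddities visible in a single packet record."""
    src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
    tags = []
    if rec["id"] == 0:
        tags.append("ip-id-zero")           # real stacks rarely emit ID=0 on every packet
    if (int(dst) & 0xFFFF) == 0:
        tags.append("dst-host-part-zero")   # x.y.0.0: a /16 network address, not a host
    if dst.is_multicast:
        tags.append("dst-multicast")        # 224.0.0.0/4, as in the second capture
    if src.packed[1] == 20:
        tags.append("src-second-octet-20")  # the constant .20 David noticed
    if src.is_multicast or src.is_reserved:
        tags.append("src-not-unicast")      # e.g. 241.x (240/4, reserved) as a source
    return tags

def summarize(lines):
    """Parse all lines; return (packet count, Counter of tag -> packets carrying it)."""
    recs = [r for r in map(parse_snoop_line, lines) if r]
    tally = Counter(tag for r in recs for tag in anomalies(r))
    return len(recs), tally

if __name__ == "__main__":
    count, tally = summarize(SNOOP_LINES)
    print(count, "packets")
    for tag, n in sorted(tally.items()):
        print(f"{tag:22s} {n}/{count}")
```

Run against a full capture, a tag that appears on every packet is the property a firewall or IDS rule can match on, while the ordinary packet shows the checks stay quiet on normal traffic.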
