Hi,
I have a FW-1 installation that has started showing up unusual traffic
being dropped on rule 0 on the internal LAN interface. Snooping from the
Solaris FW-1 server on the internal NIC I see:
21.20.217.199 -> 0.244.0.0 IP D=0.244.0.0 S=21.20.217.199 LEN=28, ID=0
105.20.100.248 -> 49.213.0.0 IP D=49.213.0.0 S=105.20.100.248 LEN=48, ID=0
107.20.214.112 -> 190.92.0.0 IP D=190.92.0.0 S=107.20.214.112 LEN=48, ID=0
107.20.213.112 -> 191.92.0.0 IP D=191.92.0.0 S=107.20.213.112 LEN=48, ID=0
110.20.168.165 -> 233.39.0.0 IP D=233.39.0.0 S=110.20.168.165 LEN=48, ID=0
110.20.56.165 -> 89.40.0.0 IP D=89.40.0.0 S=110.20.56.165 LEN=48, ID=0
115.20.32.18 -> 12.91.0.0 IP D=12.91.0.0 S=115.20.32.18 LEN=52, ID=0
116.20.178.3 -> 3.125.0.0 IP D=3.125.0.0 S=116.20.178.3 LEN=52, ID=0
116.20.177.3 -> 4.125.0.0 IP D=4.125.0.0 S=116.20.177.3 LEN=52, ID=0
119.20.88.212 -> 79.129.0.0 IP D=79.129.0.0 S=119.20.88.212 LEN=52, ID=0
45.20.216.241 -> 87.24.0.0 IP D=87.24.0.0 S=45.20.216.241 LEN=32, ID=0
241.20.162.103 -> 234.204.0.0 IP D=234.204.0.0 S=241.20.162.103 LEN=84, ID=0
241.20.212.187 -> 184.120.0.0 IP D=184.120.0.0 S=241.20.212.187 LEN=84, ID=0
236.20.43.101 -> 174.75.0.0 IP D=174.75.0.0 S=236.20.43.101 LEN=80, ID=0
236.20.43.100 -> 186.81.0.0 IP D=186.81.0.0 S=236.20.43.100 LEN=80, ID=0
45.20.233.58 -> 141.10.0.0 IP D=141.10.0.0 S=45.20.233.58 LEN=32, ID=0
241.20.174.135 -> 222.172.0.0 IP D=222.172.0.0 S=241.20.174.135 LEN=84, ID=0
241.20.158.174 -> 238.133.0.0 IP D=238.133.0.0 S=241.20.158.174 LEN=84, ID=0
17.20.116.69 -> 10.122.0.0 IP D=10.122.0.0 S=17.20.116.69 LEN=28, ID=0
Source IP addresses don't appear to repeat themselves and destination
addresses are all /16 type network addresses. Note that the 2nd octet of
the source address always appears to be .20. All these ranges appear to be
IANA reserved blocks and are unroutable.
I've tried looking from a number of internal servers (private address space
+ NAT for certain Internet services) and they can all see this traffic,
about one packet every 3-5 seconds (but fairly random in delay between
packets). The traffic is not visible on the external FW-1 interface at all
(it appears to originate internally and is dropped) and our external ISS
RealSecure IDS box is not reporting anything unusual.
Snoop output from one internal host:
110.20.177.138 -> 224.66.0.0 IP D=224.66.0.0 S=110.20.177.138 LEN=48, ID=0
116.20.191.6 -> 224.119.0.0 IP D=224.119.0.0 S=116.20.191.6 LEN=52, ID=0
115.20.122.229 -> 224.118.0.0 IP D=224.118.0.0 S=115.20.122.229 LEN=52, ID=0
111.20.175.231 -> 224.229.0.0 IP D=224.229.0.0 S=111.20.175.231 LEN=48, ID=0
115.20.100.62 -> 224.103.0.0 IP D=224.103.0.0 S=115.20.100.62 LEN=52, ID=0
116.20.241.50 -> 224.107.0.0 IP D=224.107.0.0 S=116.20.241.50 LEN=52, ID=0
119.20.4.221 -> 224.99.0.0 IP D=224.99.0.0 S=119.20.4.221 LEN=52, ID=0
115.20.70.253 -> 224.101.0.0 IP D=224.101.0.0 S=115.20.70.253 LEN=52, ID=0
111.20.176.143 -> 224.61.0.0 IP D=224.61.0.0 S=111.20.176.143 LEN=48, ID=0
109.20.178.177 -> 224.27.0.0 IP D=224.27.0.0 S=109.20.178.177 LEN=48, ID=0
116.20.241.47 -> 224.110.0.0 IP D=224.110.0.0 S=116.20.241.47 LEN=52, ID=0
111.20.176.141 -> 224.63.0.0 IP D=224.63.0.0 S=111.20.176.141 LEN=48, ID=0
105.20.181.236 -> 224.224.0.0 IP D=224.224.0.0 S=105.20.181.236 LEN=48, ID=0
114.20.106.115 -> 224.188.0.0 IP D=224.188.0.0 S=114.20.106.115 LEN=52, ID=0
The IP address range for source and destination appear to be much more
limited when viewed from a local host rather than the FW-1 internal NIC.
The FW-1 internal NIC has a higher rate of this traffic and appears to be a
larger superset of the traffic observable from a single internal host alone.
If anyone can explain this mystery traffic I would be grateful. Also,
opinions on whether this is a potential security breach would be good too.
I've searched ISS XForce, RootShell and various alert listings, plus the
FW-1 archive etc. and can't find an explanation. It doesn't appear to be DOS
based and I'm unsure of how it could be produced accidentally from an
internal host.
Thanks in advance,
David
--
David Watson Voice: UK 01904 438000
Technical Manager Fax: UK 01904 435199
Infocom UK Ltd E-Mail: [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
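As an added example (not part of David's message or of any FW-1 tooling), the script below turns snoop summary lines of the kind quoted above into a triage profile: it parses each line, tags the oddities the post points out (second source octet always .20, destination host bits all zero, IP ID always 0, multicast or reserved destinations) and counts how many packets carry the full signature. The sample lines are copied from the post; the final "control" line is constructed to show an ordinary LAN packet is not flagged. The reserved-range list is a deliberately small hand-picked subset of the IANA special-purpose blocks, not the full registry.

```python
"""Triage helper for Solaris snoop summary lines ("A -> B IP D=... S=... LEN=..., ID=...").

Added example for the mailing-list post above; not the poster's code.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

SNOOP_RE = re.compile(
    r"^(?P<src>[\d.]+) -> (?P<dst>[\d.]+) IP D=[\d.]+ S=[\d.]+ "
    r"LEN=(?P<len>\d+), ID=(?P<id>\d+)$"
)

# Hand-picked subset of special-purpose blocks (assumption: enough for this triage,
# not the complete IANA list). Multicast (224/4) is reported separately.
RESERVED = [
    ipaddress.IPv4Network("0.0.0.0/8"),
    ipaddress.IPv4Network("127.0.0.0/8"),
    ipaddress.IPv4Network("240.0.0.0/4"),
]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    length: int
    ident: int


def parse_snoop(lines):
    """Parse snoop IP summary lines; lines that do not match are skipped."""
    packets = []
    for line in lines:
        m = SNOOP_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            src=ipaddress.IPv4Address(m["src"]),
            dst=ipaddress.IPv4Address(m["dst"]),
            length=int(m["len"]),
            ident=int(m["id"]),
        ))
    return packets


def anomalies(pkt):
    """List the oddities one packet exhibits; an empty list means it looks ordinary."""
    reasons = []
    if pkt.src.packed[1] == 20:
        reasons.append("src-second-octet-20")
    if pkt.dst.packed[2] == 0 and pkt.dst.packed[3] == 0:
        reasons.append("dst-host-bits-zero")   # a /16 network address, not a host
    if pkt.ident == 0:
        reasons.append("ip-id-zero")          # real stacks normally vary the ID field
    if pkt.dst.is_multicast:
        reasons.append("dst-multicast")
    if any(pkt.src in net for net in RESERVED):
        reasons.append("src-reserved")
    if any(pkt.dst in net for net in RESERVED):
        reasons.append("dst-reserved")
    return reasons


def is_suspect(pkt):
    """The three traits every packet in the post shares, taken together as a signature."""
    found = set(anomalies(pkt))
    return {"src-second-octet-20", "dst-host-bits-zero", "ip-id-zero"} <= found


def profile(packets):
    """Aggregate the per-packet findings so the pattern is visible at a glance."""
    summary = {
        "total": len(packets),
        "distinct_src": len({p.src for p in packets}),
        "len_hist": Counter(p.length for p in packets),
        "reasons": Counter(),
        "suspect": sum(1 for p in packets if is_suspect(p)),
    }
    for p in packets:
        summary["reasons"].update(anomalies(p))
    return summary


# Six lines copied from the post plus one constructed control line (ordinary LAN traffic).
SAMPLE_LINES = [
    "21.20.217.199 -> 0.244.0.0 IP D=0.244.0.0 S=21.20.217.199 LEN=28, ID=0",
    "110.20.168.165 -> 233.39.0.0 IP D=233.39.0.0 S=110.20.168.165 LEN=48, ID=0",
    "17.20.116.69 -> 10.122.0.0 IP D=10.122.0.0 S=17.20.116.69 LEN=28, ID=0",
    "110.20.177.138 -> 224.66.0.0 IP D=224.66.0.0 S=110.20.177.138 LEN=48, ID=0",
    "241.20.162.103 -> 234.204.0.0 IP D=234.204.0.0 S=241.20.162.103 LEN=84, ID=0",
    "115.20.32.18 -> 12.91.0.0 IP D=12.91.0.0 S=115.20.32.18 LEN=52, ID=0",
    "192.168.1.10 -> 198.51.100.7 IP D=198.51.100.7 S=192.168.1.10 LEN=60, ID=4711",  # constructed control
]
SAMPLE_PACKETS = parse_snoop(SAMPLE_LINES)

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.src, "->", p.dst, "suspect" if is_suspect(p) else "ok", anomalies(p))
    print(profile(SAMPLE_PACKETS))
```

Feed it the output of `snoop -r` captured on the internal NIC and compare the profile from the firewall with the one from a single host: the post notes the firewall sees a superset, so a per-packet dump with `is_suspect` alongside the snoop timestamp (or, better, the source MAC address from `snoop -v`) is what would let the sending host on the LAN be located.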