Make that "no ip source-route", sorry...
Jason
Jason Witty wrote:
>
> And don't forget about putting "no ip source route" on all your
> routers. The point is moot if that's not in place...
>
> Jason
>
> Robert MacDonald wrote:
> >
> > Carl,
> >
> > Are you referring to RFC1918 addresses? Technically
> > these are routable, but _most_ ISPs will drop these (this
> > is where most say they are not routable). But if they
> > originate from the ISP, they can do what they want. What
> > do your ACLs look like for blocking these? They should
> > be something like (fast rip from the SANS site w/ other IP nets
> > http://www.sans.org/dosstep/cisco_spoof.htm ):
> >
> > no access-list 150
> > access-list 150 remark Ingress anti-spoofing: deny reserved/private SOURCE addresses
> > access-list 150 deny ip 0.0.0.0 0.255.255.255 any
> > access-list 150 deny ip 10.0.0.0 0.255.255.255 any
> > access-list 150 deny ip 127.0.0.0 0.255.255.255 any
> > access-list 150 deny ip 169.254.0.0 0.0.255.255 any
> > access-list 150 deny ip 172.16.0.0 0.15.255.255 any
> > access-list 150 deny ip 192.0.2.0 0.0.0.255 any
> > access-list 150 deny ip 192.168.0.0 0.0.255.255 any
> > access-list 150 remark Multicast (224/4), reserved (240/4) and limited-broadcast sources
> > access-list 150 deny ip 224.0.0.0 15.255.255.255 any
> > access-list 150 deny ip 240.0.0.0 7.255.255.255 any
> > access-list 150 deny ip 248.0.0.0 7.255.255.255 any
> > access-list 150 deny ip 255.255.255.255 0.0.0.0 any
> > access-list 150 permit ip any any
> > !
> > ! Apply inbound on the outside (ISP-facing) interface: ip access-group 150 in
> >
> > Since Akamai has many of these around the world, they
> > may have struck a deal with the ISP (read, paid $$ to ISP)
> > to place these strategically at ISP sites.
> >
> > The packet was most likely sent with the ACK bit set. This
> > would explain the fw dropping the packet with the message
> > "unknown established tcp packet". Akamai is just prompting
> > for some sort of response, which your fw gladly turned down.
> >
> > Look through your logs. I think you might find that Akamai is
> > using 'known' port numbers (numbers it has seen or a few after
> > them) to attempt to anticipate communications with anything it
> > can find.
> >
> > Robert
> >
> > - -
> > Robert P. MacDonald, Network Engineer
> > e-Business Infrastructure
> > G o r d o n F o o d S e r v i c e
> > Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
> >
> > >>> Carl E. Mankinen <[EMAIL PROTECTED]> 9/26/00 6:22:43 PM >>>
> > >
> > >Okay, I am seeing some strange logs on my FW1 lately.
> > >I punched the IP into Google and found someone else with similar log entries and concern posted on
> > >SANS.
> > >(they seem to think it's a LOKI scan or something similar)
> > >
> > >Go to ARIN and lookup 204.178.110.52
> > >You will find this belongs to AKAMAI-TECH.
> > >
> > >Somehow they got past all our null0 routes, all our access lists, and managed to have a packet
> > >arrive at my FW's outside interface SOURCEd from AKAMAI with an RFC1814 DESTINATION address.
> > >Service 1439, tcp, S_port http
> > >
> > >This same host is scanning my block of addresses and attempting to talk to my bastion host on port
> > >10094.
> > >
> > >My firewall is catching all these and dropping them, but I am really concerned about seeing RFC1814
> > >addresses at my outside interface, especially when my router is set to block them and they
> > >aren't routable ANYWAY...
> > >(however, this Akamai host is on my IAP's network... (coincidence?))
> > >
> > >Is it possible that FW1 did not log the addresses correctly? Perhaps it logged the destination after it had
> > >been xlat'd???
> > >There was no NAT applied on the log entry and it's a rule 0 (unknown established tcp packet)
> >
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
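An added example, not code from any of the posters above: a small Cisco wildcard-mask evaluator that parses Robert's ACL 150 exactly as quoted and runs packets through it in order, with the implicit deny at the end. It also shows why that list would not have stopped the packet Carl describes: ACL 150 matches on the source address only, so a packet sourced from the Akamai host with an RFC1918 destination passes it. The private destination 10.0.0.1, the other sample packets and the destination-side list ACL 151 are constructed assumptions for the illustration; the thread gives the Akamai source but not the exact destination.

```python
"""Cisco wildcard-mask ACL evaluator (added example, not code from the thread).

Parses 'access-list N permit|deny ip SRC DST' lines where SRC/DST are
'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD', and evaluates packets against
them first-match-wins, with the implicit deny every Cisco ACL ends with.
"""
import ipaddress

# ACL 150 exactly as quoted in the thread: it filters on SOURCE address only.
ACL_150 = """
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any
"""

# Constructed addition (NOT from the thread): the RFC1918 ranges denied as
# DESTINATION too, which is the check that catches the packet Carl saw.
ACL_151 = """
access-list 151 deny ip any 10.0.0.0 0.255.255.255
access-list 151 deny ip any 172.16.0.0 0.15.255.255
access-list 151 deny ip any 192.168.0.0 0.0.255.255
access-list 151 permit ip any any
"""


def _ip(text):
    """Dotted quad -> 32-bit int."""
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (net, wildcard, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tok), _ip(tokens[i + 1]), i + 2


def parse_acl(text):
    """Return [(action, src_net, src_wild, dst_net, dst_wild), ...] in ACL order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        # Skip blanks, remarks and non-'ip' entries (e.g. tcp/udp lines).
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark" or t[3] != "ip":
            continue
        action = t[2]
        src_net, src_wild, i = _parse_addr(t, 4)
        dst_net, dst_wild, _ = _parse_addr(t, i)
        entries.append((action, src_net, src_wild, dst_net, dst_wild))
    return entries


def _matches(addr, net, wild):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(entries, src, dst):
    """First matching entry wins; if nothing matches, the ACL denies."""
    s, d = _ip(src), _ip(dst)
    for action, sn, sw, dn, dw in entries:
        if _matches(s, sn, sw) and _matches(d, dn, dw):
            return action
    return "deny"


# Constructed sample packets: (description, src, dst). The Akamai source is
# from Carl's post; the private destination 10.0.0.1 is an assumption.
SAMPLE_PACKETS = [
    ("Akamai -> RFC1918 destination (what Carl saw)", "204.178.110.52", "10.0.0.1"),
    ("spoofed RFC1918 source", "192.168.1.5", "204.178.110.52"),
    ("ordinary traffic", "204.178.110.52", "198.51.100.7"),
]


def classify(acl_text, packets=SAMPLE_PACKETS):
    """Evaluate each sample packet against one ACL; returns {description: action}."""
    entries = parse_acl(acl_text)
    return {desc: evaluate(entries, src, dst) for desc, src, dst in packets}


if __name__ == "__main__":
    for name, text in (("ACL 150 (source only)", ACL_150), ("ACL 151 (destination)", ACL_151)):
        print(name)
        for desc, action in classify(text).items():
            print(f"  {action:6} {desc}")
```

Run stand-alone it prints that ACL 150 permits the Akamai-to-10.0.0.1 packet while denying the spoofed 192.168.1.5 source, and that only the destination-side ACL 151 denies the first one. The evaluator also makes the wildcard boundaries explicit, e.g. 172.31.255.255 is caught by `172.16.0.0 0.15.255.255` but 172.32.0.1 is not.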