ICMP flood from inside firewall
Posted on February 1, 2006, 7:21 pm
Here is my environment:
Watchguard X700 Firewall
| | |
| | |
x.x.1.1 (A) Vina 200 eLINK x.x.1.0 Netopia 5300r
| NPN | T1
x.x.2.1 (B) Vina 200 eLINK Netopia 5300r (B) x.x.3.1
~120 computers, plus servers; three Dell PowerConnect 2624 switches and
one PowerConnect 2716.
My firewall shows this:
01/27/06 14:05 firewalld: deny out eth1 40 tcp 20 29
184.108.40.206 220.127.116.11 2745 4631 rst ack (spoofed source address)
We have connected a hub between the switch and the firewall and used
Ethereal to sniff traffic. The source and target IPs change almost
randomly. Some are IPs that are from my subnet, and some are more like
you see from the example above.
The only common thread between all of the packets is the spoofed MAC.
The source MAC is from DEC equipment. I don't believe any of our
devices use DEC technology or should show up as a DEC MAC.
I'm open for debate on that subject.
We THINK we have narrowed it down to the x.x.1.0 location, but I'm not
In any case, it is a significant amount of traffic, and at times pegs
the (A) Netopia at 99% CPU, when the (B) Netopia is around 27%.
It has been suggested that there may be someone playing with nmap or
other tools, but my users are not technologically adept.
We are a not-for-profit serving the needs of abused women and children,
so our users are not what I could call savvy at all. Toss them an IP
address, and they'll probably pick up the phone and dial it. I don't
believe it is anyone playing with nmap or any other tool.
We have researched this thoroughly and have found some posts on Usenet
groups, but no information as to the resolution. Most of the
discussions degenerated into waxing ecstatic about DEC equipment or a
discussion about using the term VAXen. :P
If I'm trying to track down a spoofed MAC address from, say, a trojan,
am I stuck with connecting to every PC, NIC to NIC via crossover cable
and ethereal to sniff packets?
Any information would be greatly appreciated.
Re: ICMP flood from inside firewall
OK - the drawing is murder to try to read, but I take it that the three
networks only meet in the Watchguard. Where are the PowerConnect switches
I think I agree
That fits the location A scenario. Is there any pattern to when this
OK - the only other explanation would be that the boxes are owned, and
this might show up on the nmap scan as unusual ports open.
As mentioned in my reply on alt.comp.networking.firewalls, the crossover
cable probably isn't the right tool. You need to 'eavesdrop' on the
wire as the unknown box is spewing. Depending where the switches are
located, these might allow you to isolate it down further, as the
switches only carry traffic between the ports used for source and
destination - rather than pumping it out on all ports as a hub does.
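The question above asks how to track down a spoofed MAC from a sniff, and the reply says you have to eavesdrop on the wire (hub or mirror port) rather than cable into each PC. The following is an added example, not code from either poster: it takes capture lines in `tcpdump -e -n` style (the sample lines are constructed, with 10.0.x.0/24 standing in for the x.x.1.0/2.0/3.0 networks), groups frames by source MAC, counts frames whose source IP is not in any local subnet (spoofed), and flags source MACs whose OUI is 08:00:2b, a well-known DEC prefix (verify any OUI against the IEEE registry before relying on it).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -e -n` output; not the poster's capture.
SAMPLE_CAPTURE = """\
14:05:01.000001 08:00:2b:aa:bb:cc > 00:90:7f:11:22:33, ethertype IPv4 (0x0800), length 54: 184.108.40.206.2745 > 220.127.116.11.4631: Flags [R.]
14:05:01.000420 08:00:2b:aa:bb:cc > 00:90:7f:11:22:33, ethertype IPv4 (0x0800), length 54: 10.0.1.57.2745 > 10.0.3.9.4631: Flags [R.]
14:05:01.000811 08:00:2b:aa:bb:cc > 00:90:7f:11:22:33, ethertype IPv4 (0x0800), length 54: 172.16.4.8.2745 > 10.0.2.20.4631: Flags [R.]
14:05:01.002000 00:14:22:01:02:03 > 00:90:7f:11:22:33, ethertype IPv4 (0x0800), length 74: 10.0.1.23.1044 > 10.0.2.5.80: Flags [S]
"""

# timestamp, source MAC, destination MAC, ..., length N: srcip.port > dstip.port
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*?length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+"
)

def analyse(capture, local_nets, suspect_ouis):
    """Per source MAC: frame count, frames with a non-local (spoofed) source IP,
    the set of source IPs seen, and whether the OUI is on the suspect list."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    stats = defaultdict(lambda: {"frames": 0, "spoofed": 0,
                                 "src_ips": set(), "suspect_oui": False})
    for line in capture.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue  # not an IPv4 frame line we understand; skip it
        mac = m["smac"]
        sip = ipaddress.ip_address(m["sip"])
        s = stats[mac]
        s["frames"] += 1
        s["src_ips"].add(str(sip))
        if not any(sip in n for n in nets):
            s["spoofed"] += 1  # source IP belongs to none of our subnets
        s["suspect_oui"] = mac[:8].lower() in suspect_ouis
    return dict(stats)

def likely_offenders(stats):
    """Source MACs that emitted spoofed frames, worst first."""
    hits = [(s["spoofed"], mac) for mac, s in stats.items() if s["spoofed"]]
    return [mac for _, mac in sorted(hits, reverse=True)]

if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE, ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"], {"08:00:2b"})
    for mac in likely_offenders(result):
        s = result[mac]
        print(f"{mac}: {s['spoofed']}/{s['frames']} spoofed, DEC OUI={s['suspect_oui']}, ips={sorted(s['src_ips'])}")
```

Once a single source MAC stands out, the forwarding (MAC address) table on each PowerConnect shows which port last learned it, which walks you from switch to switch to the offending host without touching every PC.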