
[FW1] More AKAMAI....



Okay, I am seeing some strange logs on my FW1 lately.
I punched the IP into Google and found someone else with similar log entries and concern posted on SANS.
(they seem to think it's a LOKI scan or something similar)

Go to ARIN and look up 204.178.110.52
You will find this belongs to AKAMAI-TECH.

Somehow they got past all our null0 routes, all our access lists, and managed to have a packet
arrive at my FW's outside interface SOURCEd from AKAMAI with an RFC1814 DESTINATION address.
Service 1439, tcp, S_port http

This same host is scanning my block of addresses and attempting to talk to my bastion host on port 10094.

My firewall is catching all these and dropping them, but I am really concerned about seeing RFC1814 addresses
at my outside interface especially when my router is set to block them and they aren't routable ANYWAY...
(however, this Akamai host is on my IAP's network...(coincidence?))

Is it possible that FW1 did not log the addresses correctly? Perhaps it logged the destination after it had been xlat'd???
There was no NAT applied on the log entry and it's a rule 0 (unknown established tcp packet)





   All contents © 2003 Network Presence, LLC. All rights reserved.