Re: [FW1] More AKAMAI....
And don't forget about putting "no ip source route" on all your routers. The point is moot if that's not in place...

Jason Robert MacDonald wrote:
>
> Carl,
>
> Are you referring to RFC1918 addresses? Technically these are routable, but _most_ ISPs will drop these (this is where most say they are not routable). But if they originate from the ISP, they can do what they want. What do your ACLs look like for blocking these? Should be something like (fast rip from the SANS site w/ other IP nets: http://www.sans.org/dosstep/cisco_spoof.htm ):
>
> no access-list 150
> access-list 150 deny ip 0.0.0.0 0.255.255.255 any
> access-list 150 deny ip 10.0.0.0 0.255.255.255 any
> access-list 150 deny ip 127.0.0.0 0.255.255.255 any
> access-list 150 deny ip 169.254.0.0 0.0.255.255 any
> access-list 150 deny ip 172.16.0.0 0.15.255.255 any
> access-list 150 deny ip 192.0.2.0 0.0.0.255 any
> access-list 150 deny ip 192.168.0.0 0.0.255.255 any
> access-list 150 deny ip 224.0.0.0 15.255.255.255 any
> access-list 150 deny ip 240.0.0.0 7.255.255.255 any
> access-list 150 deny ip 248.0.0.0 7.255.255.255 any
> access-list 150 deny ip 255.255.255.255 0.0.0.0 any
> access-list 150 permit ip any any
>
> Since Akamai has many of these around the world, they may have struck a deal with the ISP (read, paid $$ to ISP) to place these strategically at ISP sites.
>
> The packet was most likely sent with the ACK bit set. This would explain the fw dropping the packet with the message "unknown established tcp packet". Akamai is just prompting for some sort of response, which your fw gladly turned down.
>
> Look through your logs. I think you might find that Akamai is using 'known' port numbers (numbers it has seen or a few after them) to attempt to anticipate communications with anything it can find.
>
> Robert
>
> - -
> Robert P. MacDonald, Network Engineer
> e-Business Infrastructure
> G o r d o n F o o d S e r v i c e
> Voice:email: [email protected]
>
> >>> Carl E. Mankinen <[email protected]> 9/26/00 6:22:43 PM >>>
> >
> > Okay, I am seeing some strange logs on my FW1 lately.
> > I punched the IP into google and found someone else with similar log entries and concern posted on SANS.
> > (they seem to think it's a LOKI scan or something similar)
> >
> > Go to ARIN and look up 204.178.110.52
> > You will find this belongs to AKAMAI-TECH.
> >
> > Somehow they got past all our null0 routes, all our access lists, and managed to have a packet arrive at my FW's outside interface SOURCEd from AKAMAI with an RFC1814 DESTINATION address.
> > Service 1439, tcp, S_port http
> >
> > This same host is scanning my block of addresses and attempting to talk to my bastion host on port 10094.
> >
> > My firewall is catching all these and dropping them, but I am really concerned about seeing RFC1814 addresses at my outside interface especially when my router is set to block them and they aren't routable ANYWAY...
> > (however, this Akamai host is on my IAP's network...(coincidence?))
> >
> > Is it possible that FW1 did not log the addresses correctly? Perhaps it logged the destination after it had been xlat'd???
> > There was no nat applied on the log entry and it's a rule 0 (unknown established tcp packet)
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
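An added example from the editor, not code from the thread or from the SANS page it links: a small Python checker that converts the quoted ACL 150 address/wildcard pairs into prefixes and evaluates a source/destination pair against it with IOS first-match and implicit-deny semantics. It makes visible what the list does and does not cover: every deny line matches on source only (destination is `any`), so a packet with a legitimate source such as the Akamai address from the thread and a private destination is permitted by this list, while a spoofed private source is denied. The 10.0.0.5 destination is a constructed placeholder, not an address from the thread.

```python
import ipaddress

# ACL 150 exactly as quoted in the thread (the SANS anti-spoofing list).
ACL_150 = """
no access-list 150
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an IPv4Network.

    A wildcard mask is the bitwise inverse of a subnet mask: 0 bits must
    match, 1 bits are "don't care". Only a contiguous wildcard maps to a
    prefix; ipaddress raises ValueError for a non-contiguous one.
    """
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _parse_target(tokens, i):
    """Parse a source or destination spec starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [WILD] DST [WILD]' lines.

    Lines not starting with 'access-list' (e.g. 'no access-list 150') are
    skipped. Returns a list of (action, proto, src_net, dst_net) in order.
    """
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, i = _parse_target(tokens, 4)
        dst, i = _parse_target(tokens, i)
        rules.append((action, proto, src, dst))
    return rules


def evaluate(rules, src, dst, proto="tcp"):
    """First matching rule wins; no match is IOS's implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, rule_proto, src_net, dst_net in rules:
        if rule_proto not in ("ip", proto):
            continue
        if s in src_net and d in dst_net:
            return action
    return "deny"


if __name__ == "__main__":
    rules = parse_acl(ACL_150)
    for action, proto, src_net, dst_net in rules:
        print(f"{action:6} {proto} {src_net} -> {dst_net}")
    # Akamai source from the thread toward a constructed RFC1918 destination:
    # the deny lines match on source only, so this passes the list.
    print(evaluate(rules, "204.178.110.52", "10.0.0.5"))
    # A spoofed private source is what the list is built to stop.
    print(evaluate(rules, "192.168.1.1", "204.178.110.52"))
```

The 172.16.0.0 0.15.255.255 line is the one people most often get wrong by hand; the converter shows it as 172.16.0.0/12, so 172.31.255.255 is denied and 172.32.0.1 falls through to the permit. Stopping packets that arrive with a private destination, as in Carl's log, needs a destination-side filter or the null0 routes he mentions; it is not something ACL 150 addresses.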