
Re: [FW1] More AKAMAI....



Make that "no ip source-route", sorry...

Jason

Jason Witty wrote:
> 
> And don't forget about putting "no ip source route" on all your
> routers.  The point is moot if that's not in place...
> 
> Jason
> 
> Robert MacDonald wrote:
> >
> > Carl,
> >
> > Are you referring to RFC1918 addresses? Technically
> > these are routable, but _most_ ISPs will drop these (this
> > is where most say they are not routable.) But if they
> > originate from the ISP, they can do what they want. What
> > do your ACLs look like for blocking these? Should
> > be something like (fast rip from SANS site w/other IP nets
> > http://www.sans.org/dosstep/cisco_spoof.htm )
> >
> > no access-list 150
> > access-list 150 deny ip 0.0.0.0          0.255.255.255   any
> > access-list 150 deny ip 10.0.0.0         0.255.255.255   any
> > access-list 150 deny ip 127.0.0.0        0.255.255.255   any
> > access-list 150 deny ip 169.254.0.0      0.0.255.255     any
> > access-list 150 deny ip 172.16.0.0       0.15.255.255    any
> > access-list 150 deny ip 192.0.2.0        0.0.0.255       any
> > access-list 150 deny ip 192.168.0.0      0.0.255.255     any
> > access-list 150 deny ip 224.0.0.0        15.255.255.255  any
> > access-list 150 deny ip 240.0.0.0        7.255.255.255   any
> > access-list 150 deny ip 248.0.0.0        7.255.255.255   any
> > access-list 150 deny ip 255.255.255.255  0.0.0.0         any
> > access-list 150 permit ip any any
> >
> > Since Akamai has many of these around the world, they
> > may have struck a deal with the ISP (read, paid $$ to ISP)
> > to place these strategically at ISP sites.
> >
> > The packet was most likely sent with the ACK bit set. This
> > would explain the fw dropping the packet with the message
> > "unknown established tcp packet". Akamai is just prompting
> > for some sort of response, which your fw gladly turned down.
> >
> > Look through your logs. I think you might find that Akamai is
> > using 'known' port numbers(numbers it has seen or a few after
> > them) to attempt to anticipate communications with anything it
> > can find.
> >
> > Robert
> >
> > - -
> > Robert P. MacDonald, Network Engineer
> > e-Business Infrastructure
> > G o r d o n   F o o d    S e r v i c e
> > Voice:email: [email protected]
> >
> > >>> Carl E. Mankinen <[email protected]> 9/26/00 6:22:43 PM >>>
> > >
> > >Okay, I am seeing some strange logs on my FW1 lately.
> > >I punched in the IP into google and found someone else with similar log entries and concern posted on SANS.
> > >(they seem to think it's a LOKI scan or something similar)
> > >
> > >Go to ARIN and lookup 204.178.110.52
> > >You will find this belongs to AKAMAI-TECH.
> > >
> > >Somehow they got past all our null0 routes, all our access lists, and managed to have a packet
> > >arrive at my FW's outside interface SOURCEd from AKAMAI with a RFC1814 DESTINATION address.
> > >Service 1439, tcp, S_port http
> > >
> > >This same host is scanning my block of addresses and attempting to talk to my bastion host on port
> > >10094.
> > >
> > >My firewall is catching all these and dropping them, but I am really concerned about seeing RFC1814 addresses
> > >at my outside interface especially when my router is set to block them and they aren't routable ANYWAY...
> > >(however, this Akamai host is on my IAP's network... (coincidence?))
> > >
> > >Is it possible that FW1 did not log the addresses correctly? Perhaps it logged the destination after it had been xlat'd???
> > >There was no nat applied on the log entry and it's a rule 0 (unknown established tcp packet)
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> 


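The ACL 150 that Robert quotes from the SANS page denies packets by source address only, while the log entry Carl describes has a legitimate Akamai source and a private destination. The script below is an added example written for this archive page, not code from any poster, the SANS page, or Cisco: it parses the posted ACL (Cisco wildcard-mask syntax), evaluates constructed sample packets against it the way IOS would (first match wins, implicit deny at the end), and then goes one step beyond the thread by rendering a variant that denies the same ranges as destinations too, which is what would catch the packet Carl saw. Sample addresses other than the Akamai host named in the thread are constructed (198.51.100.7 is a documentation address).

```python
"""Evaluate a Cisco anti-spoofing ACL against sample packets.

Added example for this mailing-list thread; the ACL text is the one posted
in the thread, the packet samples are constructed.
"""
import ipaddress
from dataclasses import dataclass

# ACL 150 exactly as posted in the thread (Cisco IOS wildcard-mask syntax).
ACL_150 = """\
no access-list 150
access-list 150 deny ip 0.0.0.0          0.255.255.255   any
access-list 150 deny ip 10.0.0.0         0.255.255.255   any
access-list 150 deny ip 127.0.0.0        0.255.255.255   any
access-list 150 deny ip 169.254.0.0      0.0.255.255     any
access-list 150 deny ip 172.16.0.0       0.15.255.255    any
access-list 150 deny ip 192.0.2.0        0.0.0.255       any
access-list 150 deny ip 192.168.0.0      0.0.255.255     any
access-list 150 deny ip 224.0.0.0        15.255.255.255  any
access-list 150 deny ip 240.0.0.0        7.255.255.255   any
access-list 150 deny ip 248.0.0.0        7.255.255.255   any
access-list 150 deny ip 255.255.255.255  0.0.0.0         any
access-list 150 permit ip any any
"""

# The same ranges in CIDR form, used to render a source+destination variant.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4",
          "240.0.0.0/5", "248.0.0.0/5", "255.255.255.255/32"]


@dataclass
class Ace:
    """One access-control entry: action plus source/destination net+wildcard."""
    action: str
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Return (network, wildcard, tokens consumed) for 'any', 'host X' or 'X W'."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), 2)


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines; skip 'no ...' and blanks."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        src_net, src_wild, used = _parse_addr(t, 4)
        dst_net, dst_wild, _ = _parse_addr(t, 4 + used)
        aces.append(Ace(t[2], src_net, src_wild, dst_net, dst_wild))
    return aces


def _matches(addr, net, wild):
    # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
    mask = ~wild & 0xFFFFFFFF
    return (addr & mask) == (net & mask)


def evaluate(aces, src, dst):
    """Return 'permit' or 'deny' for a packet: first matching ACE wins."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _matches(s, ace.src_net, ace.src_wild) and _matches(d, ace.dst_net, ace.dst_wild):
            return ace.action
    return "deny"  # every IOS ACL ends with an implicit deny


def cidr_to_wildcard(cidr):
    """Convert 10.0.0.0/8 into the ('10.0.0.0', '0.255.255.255') IOS form."""
    net = ipaddress.IPv4Network(cidr)
    return str(net.network_address), str(net.hostmask)


def render_bogon_acl(number, cidrs):
    """Render an inbound ACL that denies the ranges as source AND destination."""
    lines = [f"no access-list {number}"]
    for cidr in cidrs:
        net, wild = cidr_to_wildcard(cidr)
        lines.append(f"access-list {number} deny ip {net} {wild} any")
        lines.append(f"access-list {number} deny ip any {net} {wild}")
    lines.append(f"access-list {number} permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    posted = parse_acl(ACL_150)
    both = parse_acl(render_bogon_acl(151, BOGONS))
    for src, dst in [("10.1.2.3", "198.51.100.7"),          # spoofed private source
                     ("204.178.110.52", "192.168.1.10")]:   # Akamai source, private destination
        print(f"{src:>16} -> {dst:<14} ACL150={evaluate(posted, src, dst):6} "
              f"ACL151={evaluate(both, src, dst)}")
```

Run as a script it prints the verdict of each ACL for both sample packets: the posted ACL drops the spoofed private source but permits the Akamai-sourced packet aimed at a private destination, and the rendered ACL 151 drops both. Applying the rendered list inbound on the outside interface (the same `ip access-group ... in` placement the SANS page uses) is the point of the exercise; it does not replace `no ip source-route`, which stops source-routed packets regardless of address.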



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents � 2003 Network Presence, LLC. All rights reserved.