Re: [FW1] More AKAMAI....
Make that "no ip source-route", sorry...

Jason

Jason Witty wrote:
>
> And don't forget about putting "no ip source route" on all your
> routers. The point is moot if that's not in place...
>
> Jason
>
> Robert MacDonald wrote:
> >
> > Carl,
> >
> > Are you referring to RFC1918 addresses? Technically
> > these are routable, but _most_ ISPs will drop these (this
> > is where most say they are not routable.) But if they
> > originate from the ISP, they can do what they want. What
> > do your ACLs look like for blocking these? Should
> > be something like (fast rip from the SANS site w/other IP nets
> > http://www.sans.org/dosstep/cisco_spoof.htm )
> >
> > no access-list 150
> > access-list 150 deny ip 0.0.0.0 0.255.255.255 any
> > access-list 150 deny ip 10.0.0.0 0.255.255.255 any
> > access-list 150 deny ip 127.0.0.0 0.255.255.255 any
> > access-list 150 deny ip 169.254.0.0 0.0.255.255 any
> > access-list 150 deny ip 172.16.0.0 0.15.255.255 any
> > access-list 150 deny ip 192.0.2.0 0.0.0.255 any
> > access-list 150 deny ip 192.168.0.0 0.0.255.255 any
> > access-list 150 deny ip 224.0.0.0 15.255.255.255 any
> > access-list 150 deny ip 240.0.0.0 7.255.255.255 any
> > access-list 150 deny ip 248.0.0.0 7.255.255.255 any
> > access-list 150 deny ip 255.255.255.255 0.0.0.0 any
> > access-list 150 permit ip any any
> >
> > Since Akamai has many of these around the world, they
> > may have struck a deal with the ISP (read, paid $$ to ISP)
> > to place these strategically at ISP sites.
> >
> > The packet was most likely sent with the ACK bit set. This
> > would explain the fw dropping the packet with the message
> > "unknown established tcp packet". Akamai is just prompting
> > for some sort of response, which your fw gladly turned down.
> >
> > Look through your logs. I think you might find that Akamai is
> > using 'known' port numbers (numbers it has seen or a few after
> > them) to attempt to anticipate communications with anything it
> > can find.
> >
> > Robert
> >
> > - -
> > Robert P. MacDonald, Network Engineer
> > e-Business Infrastructure
> > G o r d o n F o o d S e r v i c e
> > Voice:email: [email protected]
> >
> > >>> Carl E. Mankinen <[email protected]> 9/26/00 6:22:43 PM >>>
> > >
> > >Okay, I am seeing some strange logs on my FW1 lately.
> > >I punched the IP into google and found someone else with similar log entries and concern posted on
> > >SANS.
> > >(they seem to think it's a LOKI scan or something similar)
> > >
> > >Go to ARIN and look up 204.178.110.52
> > >You will find this belongs to AKAMAI-TECH.
> > >
> > >Somehow they got past all our null0 routes, all our access lists, and managed to have a packet
> > >arrive at my FW's outside interface SOURCEd from AKAMAI with an RFC1814 DESTINATION address.
> > >Service 1439, tcp, S_port http
> > >
> > >This same host is scanning my block of addresses and attempting to talk to my bastion host on port
> > >10094.
> > >
> > >My firewall is catching all these and dropping them, but I am really concerned about seeing RFC1814
> > >addresses at my outside interface, especially when my router is set to block them and they aren't routable
> > >ANYWAY...
> > >(however, this Akamai host is on my IAP's network... (coincidence?))
> > >
> > >Is it possible that FW1 did not log the addresses correctly? Perhaps it logged the destination after it had
> > >been xlat'd???
> > >There was no nat applied on the log entry and it's a rule 0 (unknown established tcp packet)
> >

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
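Added example, not from the thread or from Cisco: a small Python checker that parses Robert's access-list 150 using Cisco wildcard-mask semantics (a 1 bit in the mask means "don't care", first match wins, implicit deny at the end) and evaluates source addresses against it, so firewall-log sources can be checked against the same bogon list the router is supposed to enforce. The sample addresses are constructed, except the Akamai address quoted from Carl's post.

```python
"""Evaluate a Cisco-style ingress anti-spoofing ACL against source addresses."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# The ACL as posted in the thread (constructed copy for this example).
ACL_150 = """
no access-list 150
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any
"""

Entry = Tuple[str, int, int]  # (action, network as int, wildcard mask as int)
MASK32 = 0xFFFFFFFF


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N deny|permit ip SRC WILD any' lines; skip others."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # 'no access-list 150' and anything unsupported
        if parts[4] == "any":
            net, wild = 0, MASK32
        else:
            net = int(ipaddress.IPv4Address(parts[4]))
            wild = int(ipaddress.IPv4Address(parts[5]))
        entries.append((parts[2], net, wild))
    return entries


def evaluate(entries: List[Entry], src: str) -> str:
    """Return 'deny' or 'permit' for a source address; first match wins."""
    s = int(ipaddress.IPv4Address(src))
    for action, net, wild in entries:
        # Only the 0 bits of the wildcard mask are compared.
        if (s & ~wild & MASK32) == (net & ~wild & MASK32):
            return action
    return "deny"  # every Cisco ACL ends with an implicit deny


def check_sources(entries: List[Entry], srcs: Iterable[str]) -> Dict[str, str]:
    """Map each logged source address to the verdict the ACL would give it."""
    return {src: evaluate(entries, src) for src in srcs}
```

Any source in firewall logs that this returns "deny" for should never have reached the outside interface if the ACL is applied inbound on the upstream router.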