[Dshield] Weird portscan? (linux fw)

Clint Byrum cbyrum at erp.com
Thu May 9 17:33:54 GMT 2002


On Thu, 2002-05-09 at 01:54, Ondrej Palkovsky wrote:
> Hi all,
> I have configured a Linux firewall and added a small script, that scans
> fw logs and adds all abusers to blocklist. When access to some port is
> found, the attacker is added to the block list and all traffic is
> blocked. I have found interesting log lines from one such attacker. 

I personally feel that if you are running any kind of services, not just
clients, then the "automated blocking" features of some firewalls out
there is a bad thing. Spoofing is for real, and it is all too easy to
DoS huge portions of the net from your services just by randomly
portscanning you from spoofed addresses. This is, however, just my
opinion. Some people see this as an acceptable risk.

> It seems to me that the attacker did:
>  - finger
>  - some port scan on high UDP ports (it is possible he did it on more,
> because it takes a while before the attacker gets on the blocklist)
>  - some pings
>  - I do not understand the last line. I'm running masquerading on the
> machine, some DNATS to internal network and this seems to me like if the
> attacker was able to bypass the masquerade (the OUT= port is the port to
> local network). I have just added the 'unclean' rule to iptables to log
> similar things, but anyway - did anyone meet such a behaviour?
<snip>
> May  6 09:04:54 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=38311 PROTO=UDP SPT=38162 DPT=33649 LEN=20 
> May  6 09:04:59 linux kernel: IN=eth1 OUT= MAC=00:00:b4:a8:69:81:00:07:50:a0:8f:82:08:00 SRC=210.61.245.10 DST=62.24.69.203 LEN=40 TOS=0x00 PREC=0x00 TTL=27 ID=38312 PROTO=UDP SPT=38162 DPT=33650 LEN=20 
> May  7 10:58:35 linux kernel: IN=eth1 OUT=eth0 SRC=210.61.245.10 DST=192.168.0.211 LEN=84 TOS=0x00 PREC=0x00 TTL=231 ID=53476 DF PROTO=ICMP TYPE=0 CODE=0 ID=29306 SEQ=0 
> 

Its hard to tell without knowing your firewall, but my guess is that it
goes something like this...

PREROUTING - All packets hit this first. This is where DNAT is done. So
you must have a DNAT to 192.168.0.211 setup in there. The packet gets
changed to that destinatino address...

FORWARD - Here is where you're doing your logging. All packets not bound
for local IP's go to FORWARD.

So the packet has already been through DNAT by the time it gets to this
point. This was the very reason the "nat = x.x.x.x - y.y.y.y" option was
added to DShield.py. :-D

Oh, and those high UDP ports look like traceroute traffic to me.
Somebody correct me if I'm wrong.

-- 

------------------------------
Clint Byrum
ERP.COM 




More information about the list mailing list