[Dshield] Odd Behavior?
security at admin.fulgan.com
Mon May 13 15:03:18 GMT 2002
If the remote SMTP server is using an ISDN router, it might just be
making sure the link is established before actually trying to connect
to your server.
I might add that auto-blocking based on PING might be quite a bit too
much since it makes you very vulnerable to DoS (anyone sending ICMP
ECHO requests with the spoofed IPs of root DNS servers will, for
instance, disable all DNS resolution on your site). It is unwise to
auto-block easily spoofable protocols (like ICMP and UDP).
Monday, May 13, 2002, 4:12:43 PM, you wrote:
LJ> Below is a snip from my Watchguard Firebox log. I have it set up to deny pings and auto block those sites. When one particular mail server attempts to send mail to me it gets blocked because it
LJ> also attempts to ping me. Has anyone seen this type of behavior or know why their mail server might be doing this?
LJ> allow in eth0 44 tcp 20 45 184.108.40.206 208.XXX.XXX.XXX 53420 25 syn (SMTP)
LJ> deny in eth0 1500 icmp 20 240 220.127.116.11 208.XXX.XXX.XXX 8 0 (Ping)
LJ> deny in eth0 40 tcp 20 45 18.104.22.168 208.XXX.XXX.XXX 53420 25 ack (blocked site)
Stephane mailto:security at admin.fulgan.com
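
An added example, not part of the original message: a sketch of an auto-block decision that follows the advice above by never acting on ICMP or UDP denies and never blocking a protected address. The field layout is inferred from the quoted log lines, and the names `autoblock_candidates`, `PROTECTED`, the threshold and all sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Field layout inferred from the quoted log lines (assumption): action,
# direction, interface, length, protocol, two numeric fields, source,
# destination, two numbers (ports or ICMP type/code), optional flag, label.
LINE_RE = re.compile(
    r"^(?P<action>allow|deny) (?:in|out) \S+ \d+ (?P<proto>\w+) \d+ \d+ "
    r"(?P<src>\S+) (?P<dst>\S+) \d+ \d+(?: \w+)? \((?P<label>[^)]*)\)$"
)
# The two protocols the message names as easily spoofable.
SPOOFABLE = {"icmp", "udp"}
# Hypothetical never-block list: addresses the site depends on (resolvers, relays).
PROTECTED = [ipaddress.ip_network("198.51.100.53/32")]

# Constructed sample; all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
allow in eth0 44 tcp 20 45 192.0.2.10 203.0.113.5 53420 25 syn (SMTP)
deny in eth0 1500 icmp 20 240 192.0.2.10 203.0.113.5 8 0 (Ping)
deny in eth0 28 icmp 20 52 198.51.100.53 203.0.113.5 8 0 (Ping)
deny in eth0 40 tcp 20 48 198.51.100.77 203.0.113.5 40112 23 syn (telnet)
deny in eth0 40 tcp 20 48 198.51.100.77 203.0.113.5 40113 23 syn (telnet)
deny in eth0 40 tcp 20 48 198.51.100.77 203.0.113.5 40114 23 syn (telnet)
"""

def autoblock_candidates(log_text, threshold=3):
    """Return (sources to block, sources skipped and why)."""
    hits, skipped = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "deny":
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:  # masked or malformed address
            continue
        if any(src in net for net in PROTECTED):
            # A TCP SYN can be forged too, so this check covers every protocol.
            skipped[m["src"]] = "protected"
        elif m["proto"] in SPOOFABLE:
            skipped[m["src"]] = "spoofable protocol"
        else:
            hits[m["src"]] += 1
    return sorted(s for s, n in hits.items() if n >= threshold), skipped

if __name__ == "__main__":
    print(autoblock_candidates(SAMPLE_LOG))
```

In the sample, the mail server that pings before delivering is logged but not blocked, and the forged ping from the protected resolver address has no effect on the block list.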