[Dshield] Odd Behavior?

Stephane Grobety security at admin.fulgan.com
Mon May 13 15:03:18 GMT 2002

Hello Linda,

If the remote SMTP server is using an ISDN router, it might just be
making sure the link is established before actually trying to connect
to your server.

I might add that auto-blocking based on PING might be quite a bit too
much since it makes you very vulnerable to DOS (Anyone sending ICMP
ECHO requests with the spoofed IPs of root DNS servers will, for
instance, disable all DNS resolution on your site). It is unwise to
auto-block easily spoofable protocols (like ICMP and UDP).

Good luck,

Monday, May 13, 2002, 4:12:43 PM, you wrote:

LJ> Below is a snip from my Watchguard Firebox log. I have it set up to deny pings and auto block those sites. When one particular mail server attempts to send mail to me it gets blocked because it
LJ> also attempts to ping me. Has anyone seen this type of behavior or know why their mail server might be doing this?

LJ> allow   in eth0 44 tcp 20 45 208.XXX.XXX.XXX 53420 25 syn (SMTP)      
LJ> deny in eth0 1500 icmp 20 240 208.XXX.XXX.XXX 8 0 (Ping)
LJ> deny in eth0 40 tcp 20 45 208.XXX.XXX.XXX 53420 25 ack (blocked site)

Best regards,
 Stephane                            mailto:security at admin.fulgan.com
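
An added example, not part of the original message or of any WatchGuard tooling: a small log audit that finds sources auto-blocked on a spoofable trigger (ICMP or UDP) and counts the traffic dropped as "blocked site" as a result. The field order in the regular expression is an assumption inferred from the quoted snip, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted log snip (documentation IPs).
SAMPLE = """\
allow in eth0 44 tcp 20 45 192.0.2.10 53420 25 syn (SMTP)
deny in eth0 1500 icmp 20 240 192.0.2.10 8 0 (Ping)
deny in eth0 40 tcp 20 45 192.0.2.10 53420 25 ack (blocked site)
deny in eth0 60 icmp 20 50 198.51.100.7 8 0 (Ping)
"""

# Assumed layout: action dir iface len proto hdrlen ttl src a b [flags] (reason)
# For tcp, a/b are source/destination port; for icmp, a/b are type/code.
LINE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<dir>\S+)\s+(?P<iface>\S+)\s+(?P<len>\d+)\s+"
    r"(?P<proto>\S+)\s+\d+\s+\d+\s+(?P<src>\S+)\s+(?P<a>\d+)\s+(?P<b>\d+)"
    r"(?:\s+(?P<flags>\w+))?\s+\((?P<reason>[^)]*)\)\s*$")

# Connectionless protocols: the source address is never verified by a handshake.
SPOOFABLE = {"icmp", "udp"}

def parse(text):
    """Yield one dict per log line that matches the assumed layout."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def risky_autoblocks(text):
    """Return {src: finding} for sources denied on a spoofable protocol."""
    trigger, allowed, dropped = {}, defaultdict(int), defaultdict(int)
    for e in parse(text):
        src = e["src"]
        if e["action"] == "allow":
            allowed[src] += 1            # traffic the policy wanted to permit
        elif e["reason"] == "blocked site":
            dropped[src] += 1            # collateral of the auto-block
        elif e["proto"] in SPOOFABLE and src not in trigger:
            trigger[src] = e["proto"]    # first spoofable deny for this source
    return {s: {"trigger": p, "allowed": allowed[s],
                "dropped_as_blocked": dropped[s]} for s, p in trigger.items()}

if __name__ == "__main__":
    for src, finding in risky_autoblocks(SAMPLE).items():
        print(src, finding)
```

A source that shows both `allowed` and `dropped_as_blocked` counts is one whose legitimate traffic is being lost to a block that an unverified packet triggered.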

