[Dshield] Probes to 27960

Charles Hamby fixer at gci.net
Mon Mar 17 18:32:16 GMT 2003


Nope, actually 192.168.0.5 is the address of my firewall.  My network is
actually setup a little oddly, but my router (192.168.0.2) is considered
an untrusted address by my firewall so I forward all traffic from my
router to my firewall which my default drops everything.  The clients
then sit on the trusted side of the firewall.  So it looks like this:



Cable modem--------router-------firewall--------client1-------client2


Everything is forwarded because a) the router can't block UDP traffic at
all and b) the I have much better control over traffic management at the
firewall so I just send it all to the firewall and just use the router
to drop ICMP.  The only packet that's gotten past the firewall is the
one that I allowed past when I forwarded it to my Linux box that I had
TCPdump running.

-CDH

-----Original Message-----
From: Chateauneuf [mailto:dupape at bellatlantic.net] 
Sent: Sunday, March 16, 2003 12:43 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Probes to 27960

At 10:31 AM 3/16/2003 -0900, Charles Hamby authored the following:
>Recently I've been seeing some odd probes to UDP 27960, and I was
>wondering if anyone else had seen any or if anyone could comment.
>Here's a sample from my logs:
>2003/03/15        04:07:48.18       I                       67.34.53.45
>adsl-34-53-45.mia.bellsouth.net   58571   192.168.0.5            27960
Maybe I'm missing something but these are all connections to inside 
addresses which means that the traffic has been forwarded. Again, maybe 
it's me but either you have a serious security flaw or this is traffic 
being received through your web browser or similar client. 




More information about the list mailing list