January 7th, 2004, 02:51 AM
#1
Junior Member
ACL question
I was looking through my firewall logs today and found some entries that indicated my public IP addresses were being scanned for port 111. What is unusual about this is the firewall is behind a router with an ACL on the external interface that specifically denies port 111. I reviewed the ACL to make sure there were no holes in it which would allow this traffic through, but did not see anything. I had another engineer look it over and he saw nothing that would allow it through either. All the source ports were above 53,000 and all the entries were from the same source IP. I added a deny for the source IP to the top of the ACL to hopefully block any future scans.
The ACL is scripted to allow only traffic through to specific IP/port combinations. I checked to make sure the ACL was applied to the external interface and it was. Is there a new exploit that allows traffic to bypass ACLs? Does anyone have any ideas what might have caused this?
We have no external exposure on port 111, but if something can punch through the ACL, I am greatly concerned about other ports.
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
-
January 7th, 2004, 10:09 AM
#2
What's the brand of your firewall and router? Cisco?
What kind of packets are going through? SYNs or SYN/ACKs? Maybe RST?
Some routers seem to have ACLs but they may not be stateful. So the ACL may block just regular SYN packets and allow SYN/ACKs or plain ACK.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 7th, 2004, 02:06 PM
#3
Junior Member
The firewall and router are both Cisco. I can't tell what type of packets they are because I am sending the messages to syslog, which only indicates that they are tcp packets.
The line for port 111 in the ACL is "deny tcp any any eq sunrpc". Would Cisco extended ACLs allow any kind of packet through with this line?
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
-
January 7th, 2004, 02:14 PM
#4
1) Are there any permits before then? I.e., permit udp any eq 53 any or something like that? This would potentially explain how they could do it...
2) I have seen problems with ACLs on routers in that they do not do fragment reassembly. Heavily fragmented packets have bypassed our ACLs before (and were promptly squashed by the firewall).
3) Look at the timestamps of the events. Were they short in duration and in a burst? Did this correspond with you updating an ACL?
Anyway, there are a lot of possibilities, have a look at those and let us know.
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
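To make the ordering point in reply #2 and #4 and the fragment point in #4 concrete against the poster's own "deny tcp any any eq sunrpc" line (reply #3), here is a small first-match ACL evaluator. It is an added example, not code from this thread or from Cisco. It models the documented IOS rule for non-initial fragments (an entry that names a port cannot be checked against a fragment with no TCP/UDP header, so a matching deny with port info is skipped while a matching permit applies, unless an entry with the `fragments` keyword catches the fragment first). TCP flags and the `established` keyword are not modelled. The host 203.0.113.10, the scanner 198.51.100.7, the port-80 permit and the probe packets are all constructed sample data.

```python
"""Toy first-match evaluator for Cisco-style extended ACL entries.

Added example (not from the thread or from Cisco).  Two behaviours are
modelled: first match wins, and non-initial IP fragments carry no TCP/UDP
header, so an entry that needs port information cannot deny them and a
later permit whose L3 fields match lets them through, unless an entry with
the "fragments" keyword is placed ahead of it.  All data is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SUNRPC = 111  # IOS accepts the name "sunrpc" for port 111


@dataclass
class Ace:
    """One access-list entry; "any" matches every address, None matches every port."""
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" (any protocol), "tcp" or "udp"
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    fragments: bool = False        # the IOS "fragments" keyword (no ports allowed with it)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    src_port: Optional[int]        # None on a non-initial fragment (no L4 header present)
    dst_port: Optional[int]
    non_initial_fragment: bool = False


def _addr_ok(rule: str, value: str) -> bool:
    return rule == "any" or rule == value


def _port_ok(rule: Optional[int], value: Optional[int]) -> bool:
    return rule is None or rule == value


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); ("deny", None) is the implicit deny."""
    for idx, ace in enumerate(acl):
        l3_match = (ace.proto in ("ip", pkt.proto)
                    and _addr_ok(ace.src, pkt.src)
                    and _addr_ok(ace.dst, pkt.dst))
        if not l3_match:
            continue
        if ace.fragments:                      # applies to non-initial fragments only
            if pkt.non_initial_fragment:
                return ace.action, idx
            continue
        has_l4 = ace.src_port is not None or ace.dst_port is not None
        if pkt.non_initial_fragment:
            # No ports to compare: L3-only entries and permits apply; a deny
            # that needs port information is skipped and evaluation moves on.
            if not has_l4 or ace.action == "permit":
                return ace.action, idx
            continue
        if _port_ok(ace.src_port, pkt.src_port) and _port_ok(ace.dst_port, pkt.dst_port):
            return ace.action, idx
    return "deny", None


# The poster's layout as described: DNS permit ahead of the sunrpc deny, then
# permits to specific host/port pairs (203.0.113.10:80 is a made-up server).
ORIGINAL_ACL = [
    Ace("permit", "udp", "any", 53, "any", None),
    Ace("deny", "tcp", "any", None, "any", SUNRPC),
    Ace("permit", "tcp", "any", None, "203.0.113.10", 80),
]

# Same policy with the sunrpc deny moved to the top and an explicit entry that
# drops non-initial fragments before any port-based permit can see them.
HARDENED_ACL = [
    Ace("deny", "ip", "any", None, "any", None, fragments=True),
    Ace("deny", "tcp", "any", None, "any", SUNRPC),
    Ace("permit", "udp", "any", 53, "any", None),
    Ace("permit", "tcp", "any", None, "203.0.113.10", 80),
]

# Constructed probes from one outside host with a high source port, as in the logs.
FULL_PROBE = Packet("tcp", "198.51.100.7", "203.0.113.10", 54321, SUNRPC)
FRAGMENT = Packet("tcp", "198.51.100.7", "203.0.113.10", None, None, non_initial_fragment=True)


def compare() -> dict:
    """Evaluate both probes against both ACLs."""
    return {
        "full_probe_original": evaluate(ORIGINAL_ACL, FULL_PROBE),
        "fragment_original": evaluate(ORIGINAL_ACL, FRAGMENT),
        "full_probe_hardened": evaluate(HARDENED_ACL, FULL_PROBE),
        "fragment_hardened": evaluate(HARDENED_ACL, FRAGMENT),
    }


if __name__ == "__main__":
    for name, (action, idx) in compare().items():
        print(f"{name:22s} -> {action} (entry {idx})")
```

Running it shows that a complete TCP SYN to port 111 is denied by the sunrpc entry in either order, because the `permit udp ... eq 53` entry never matches a TCP packet, while a non-initial fragment slips past the original list through the host-specific permit and is only stopped once a `deny ip any any fragments` entry sits ahead of the permits. A sniffer on the outside interface, as suggested in the next reply, is what tells you which of the two cases the logged hits actually were.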
-
January 7th, 2004, 02:24 PM
#5
Probably the only way to be sure is to hook up a sniffer. This will give you an opportunity to look at the actual packets that are going through. Without knowing how the packets look (src ip, dest ip, src port, dest port, flags etc) you can only guess at what's going on.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 7th, 2004, 10:17 PM
#6
Junior Member
There are (or were, as I have since moved the deny 111 statement to the top of the ACL) permits prior to the deny 111 statement, but they were permit udp eq 53 and the packets that got through for port 111 were tcp. I am not allowing tcp eq 53 through.
I have had zero hits on the deny 111 statement since moving it to the top of the ACL, so this was probably a reconnaissance and I may not see any more traffic from that IP. I also blocked the host IP and have had zero hits on that line too. If it was happening regularly, I could sniff the traffic, but it may have just been an isolated incident.
I'll just have to keep an eye on things.
Thanks for the replies and suggestions.
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke