(PM) Several questions on filters and syslog msgs

MikeK@NetDotCom ("MikeK@NetDotCom")
Thu, 1 Apr 1999 11:04:17 -0500

209.57.166.0 and 209.57.176.0 are my subnets. The first syslog section
shows what I believe is a DOS attack. Am I correct? The second section has
to do with the filters. I see what I believe are valid requests that are
being blocked. Any ideas?

This is my internet.in filter:
1 deny 209.57.166.0/24 0.0.0.0/0 ip log
2 deny 209.57.176.0/24 0.0.0.0/0 ip log
3 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 137
4 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 138
5 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 139
6 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 137
7 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 138
8 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 139
9 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 23 log
10 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 161 log
11 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 161 log
12 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 12345 log
13 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 12345 log
14 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 31337 log
15 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 31337 log
16 permit 0.0.0.0/0 209.57.166.0/24 ip
17 permit 0.0.0.0/0 209.57.176.0/24 ip

This is my internet.out filter:
1 deny 0.0.0.0/0 209.57.166.0/24 ip log
2 deny 0.0.0.0/0 209.57.176.0/24 ip log
3 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 137
4 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 138
5 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 139
6 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 137
7 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 138
8 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 139
9 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 12345 log
10 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 12345 log
11 deny 0.0.0.0/0 0.0.0.0/0 tcp dst eq 31337 log
12 deny 0.0.0.0/0 0.0.0.0/0 udp dst eq 31337 log
13 permit 209.57.166.0/24 0.0.0.0/0 ip
14 permit 209.57.176.0/24 0.0.0.0/0 ip

Is this a DOS SYN type attack?

Mar 30 09:42:50 1999 gw1.netdotcom.com 2 deny: TCP from 195.163.75.107.1137
to 209.57.176.112.40421 seq 207F7C, ack 0x0, win 8192, SYN
Mar 30 09:42:50 1999 gw1.netdotcom.com 2 deny: TCP from 195.163.75.107.1138
to 209.57.176.113.40421 seq 207F7D, ack 0x0, win 8192, SYN
Mar 30 09:42:50 1999 gw1.netdotcom.com 2 deny: TCP from 195.163.75.107.1142
to 209.57.176.117.40421 seq 207F7F, ack 0x0, win 8192, SYN
Mar 30 09:42:50 1999 gw1.netdotcom.com 2 deny: TCP from 195.163.75.107.1153
to 209.57.176.128.40421 seq 207F85, ack 0x0, win 8192, SYN

Why are these being blocked?

Mar 29 11:12:34 1999 gw1.netdotcom.com 2 deny: UDP from 209.57.166.3.53 to
209.57.176.165.2247
Mar 29 11:12:48 1999 gw1.netdotcom.com 2 deny: UDP from 208.236.12.46.1157
to 209.57.176.46.1265
Mar 29 11:12:48 1999 gw1.netdotcom.com 2 deny: TCP from 207.82.250.251.80
to 209.57.176.98.1084 seq 49F39715, ack 0x9A560F, win 16616, RST ACK
Mar 29 11:12:48 1999 gw1.netdotcom.com 2 deny: TCP from 207.59.71.150.80 to
209.57.176.50.1049 seq 1545410F, ack 0xA4B8585, win 8576, SYN ACK
Mar 29 11:12:35 1999 gw1.netdotcom.com 2 deny: UDP from 208.236.12.46.1157
to 209.57.176.46.1265

I have many others. Note the first one is a DNS request. Could the user have
disconnected and the packets are still bouncing around?

Mike K

-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
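Added example (editor's code, not part of Mike's post or of the PortMaster software): a small parser for the deny lines quoted above, with two heuristics a practitioner would apply to them. The first groups denied SYNs by source and distinguishes a one-port sweep across many hosts from a flood against one host; on the quoted lines it reports one source, one destination port (40421), a single SYN per consecutive destination host, and climbing source ports. The second tags packets that are the return half of a session started from inside (TCP SYN ACK and RST ACK, UDP from port 53 to an ephemeral port), which a stateless packet filter cannot match against the outbound packet it answers. The sample log is the post's own lines re-joined one per record; the flood threshold and the ephemeral-port boundary are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the deny lines quoted in the post, re-joined one per record.
SAMPLE_LOG = """\
Mar 30 09:42:50 1999 gw1.netdotcom.com 2 deny: TCP from 195.163.75.107.1137 to 209.57.176.112.40421 seq 207F7C, ack 0x0, win 8192, SYN
Mar 30 09:42:50 1999 gw1.netdotcom.com 2 deny: TCP from 195.163.75.107.1138 to 209.57.176.113.40421 seq 207F7D, ack 0x0, win 8192, SYN
Mar 30 09:42:50 1999 gw1.netdotcom.com 2 deny: TCP from 195.163.75.107.1142 to 209.57.176.117.40421 seq 207F7F, ack 0x0, win 8192, SYN
Mar 30 09:42:50 1999 gw1.netdotcom.com 2 deny: TCP from 195.163.75.107.1153 to 209.57.176.128.40421 seq 207F85, ack 0x0, win 8192, SYN
Mar 29 11:12:34 1999 gw1.netdotcom.com 2 deny: UDP from 209.57.166.3.53 to 209.57.176.165.2247
Mar 29 11:12:48 1999 gw1.netdotcom.com 2 deny: UDP from 208.236.12.46.1157 to 209.57.176.46.1265
Mar 29 11:12:48 1999 gw1.netdotcom.com 2 deny: TCP from 207.82.250.251.80 to 209.57.176.98.1084 seq 49F39715, ack 0x9A560F, win 16616, RST ACK
Mar 29 11:12:48 1999 gw1.netdotcom.com 2 deny: TCP from 207.59.71.150.80 to 209.57.176.50.1049 seq 1545410F, ack 0xA4B8585, win 8576, SYN ACK
Mar 29 11:12:35 1999 gw1.netdotcom.com 2 deny: UDP from 208.236.12.46.1157 to 209.57.176.46.1265
"""

# "<ts> <router> <filter> deny: <proto> from <src>.<sport> to <dst>.<dport>[ seq ..., ack ..., win ..., FLAGS]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<host>\S+) (?P<filter>\S+) deny: "
    r"(?P<proto>TCP|UDP) from (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)(?P<rest>.*)$"
)

EPHEMERAL_START = 1024   # assumption: ports at or above this are client-side ports


def parse_line(line):
    """Parse one deny line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # TCP records end with "..., win N, FLAGS"; the flags are the last comma field.
    flags = rec["rest"].rsplit(",", 1)[-1].split() if rec["proto"] == "TCP" else []
    rec["flags"] = frozenset(flags)
    return rec


def classify_source(records, flood_threshold=50):
    """Describe what the pure SYNs from one source look like (sweep, port scan, or flood)."""
    syns = [r for r in records if r["proto"] == "TCP" and r["flags"] == {"SYN"}]
    if not syns:
        return "no inbound SYNs"
    hosts = {r["dst"] for r in syns}
    ports = {r["dport"] for r in syns}
    # Climbing source ports point to one real TCP stack working through targets,
    # whereas a spoofed flood usually shows random source ports.
    sports = [r["sport"] for r in syns]
    rising = all(a < b for a, b in zip(sports, sports[1:]))
    if len(hosts) > 1 and len(ports) == 1:
        return (f"horizontal sweep: {len(syns)} SYNs to port {next(iter(ports))} "
                f"on {len(hosts)} hosts, source ports {'rising' if rising else 'not rising'}")
    if len(hosts) == 1 and len(ports) > 1:
        return f"vertical scan: {len(ports)} ports on one host"
    if len(syns) >= flood_threshold:   # assumption: threshold chosen for this example
        return f"possible SYN flood: {len(syns)} SYNs to one host/port"
    return f"{len(syns)} SYN(s) to one host/port"


def reply_kind(rec):
    """Name the packet if it looks like the answer to a session opened from inside, else None."""
    if rec["proto"] == "TCP":
        if "SYN" in rec["flags"] and "ACK" in rec["flags"]:
            return "TCP SYN/ACK"           # second step of a handshake we started
        if "RST" in rec["flags"] and "ACK" in rec["flags"]:
            return "TCP RST/ACK"           # server tearing down a session we started
        return None                        # a lone SYN is an inbound initiation, not a reply
    if rec["sport"] < EPHEMERAL_START <= rec["dport"]:
        return f"UDP reply from well-known port {rec['sport']}"   # e.g. a DNS answer
    return None


def analyze(log_text):
    """Group deny records by source and tag the ones that are return traffic."""
    by_src = defaultdict(list)
    replies = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_src[rec["src"]].append(rec)
        kind = reply_kind(rec)
        if kind:
            replies.append((rec["src"], rec["sport"], rec["dst"], rec["dport"], kind))
    return {"sources": {s: classify_source(r) for s, r in by_src.items()},
            "replies": replies}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, verdict in result["sources"].items():
        print(f"{src:16} {verdict}")
    for src, sport, dst, dport, kind in result["replies"]:
        print(f"reply {src}:{sport} -> {dst}:{dport}  {kind}")
```

Run it on a real syslog file by replacing SAMPLE_LOG with the file's contents; lines in a different format are skipped rather than mis-parsed. The reply tags only say what the packet looks like: whether a given RST/ACK or DNS answer should have been let in is still a question about the filter rules, not about the packet.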