Ahhh, I probably shouldn't be responding, since I'm not a Certified TCP
Demi-God, but what the hell.

Protocol 54 - NHRP (Next Hop Resolution Protocol)
(ref: www.cisco.com)
"Protocol used by routers to dynamically discover the MAC address of other
routers and hosts connected to a NBMA network. These systems can then
directly communicate without requiring traffic to use an intermediate hop,
increasing performance in ATM, Frame Relay, SMDS, and X.25 environments. "

Without looking at lots of docco, I'd say you're just getting lost router
traffic down from your ISP. You're connected via Frame Relay, right?

The private addressing is more interesting:
First of all, make sure that none of _your_ private addresses match the ones
your firewall is logging as spoof attempts. There is a vague possibility
that your internal traffic is leaking to your external interface if your
segments aren't completely isolated. If you really for certain
abso-positively are getting stuff from the next-hop network with those IP
addresses, they've screwed up some routing tables somewhere, because the
packets should have been eaten before they got to you.

Next up, we (for example) get an absolute slew of nbname traffic - I think
it's from some "feature" of IIS or something. It tends to come from sites
that have tcp www sessions open at the same time. [1] I'm pretty sure that
we're not getting heavily targeted by 3l33t h4x0r5 all the time...certainly
they wouldn't _all_ be using some stupid udp netbios attack. We drop
probably a hundred packets a day.

Overall, I'd say apply Occam's Razor - the simplest explanation is the most
likely to be true. You _could_ be being targeted, but if you were getting
seriously probed, you'd be seeing _all sorts_ of bizarre stuff.

Fiiiiinally - in regards to what to do - don't do anything. Improve your
security if you're worried, but if you're sure the "attack" (if there is
one) isn't going to succeed, sit tight. If it gets really heavy and it's all
from one domain, you could send a polite email to the responsible person for
the source IP, but even if it's a real attack it's unlikely to be where the
attacker actually _is_ (unless they are a scriptkiddie loser, in which case
you probably don't have a lot to fear). Don't send nasty email, under any
circumstances - you'll come out looking bad.

If you really really decide that you are under attack, the rules are 1. Stay
Calm 2. Write Stuff Down.

Cheers,

[1] And I'd love to know where this comes from - anyone know if IIS tries
some weird netbios lookup on clients? 
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520

        -----Original Message-----
        From:   simon [SMTP:[EMAIL PROTECTED]]
        Sent:   Monday, May 10, 1999 1:34 PM
        To:     firewalls
        Subject:        intrusion via IP options and spoofing

        Hi,

        my network has been constantly under heavy intrusion
        recently and is giving me a big headache.

        My firewalls reported possible intrusions via
        IP options.
        It reported the protocol used as 54 (not TCP or UDP)
        and without any source port.

        Could it be a diagnostic program running  IP options  ?
        What are the possibilities and dangers?

        There is also a spoofing attempt using fake IPs, e.g. 192.168.0.x;
        protocol used is udp and source port is 137 ( a.k.a. nbname )
        going to destination port 137.
        How is this possible, though I'm using NAT within my network
        inside the internal interface of my firewall.
        But the spoofing is coming from the external firewall interface.

        Last but not least, I have probing as well.

        In some cases of probing and ip options, I have the ip address
        of the perpetrator.

        What should I do ?

        Any advice will be most appreciated.

        TIA.

        Best Regards,

        Simon
        Network Administrator


        -
        [To unsubscribe, send mail to [EMAIL PROTECTED] with
        "unsubscribe firewalls" in the body of the message.]
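The triage Ben describes (check your own inside ranges against the logged "spoof" sources first, treat protocol 54 as port-less router chatter, and separate the udp 137-to-137 nbname noise from anything worth a closer look) can be turned into a small log sorter. This is an added example, not code from either poster; the log line format, the sample lines and the inside range 192.168.0.0/24 are all constructed assumptions.

```python
import ipaddress

# Constructed sample firewall log (not from the original thread); one record per line.
SAMPLE_LOG = """\
1999-05-10 13:01:02 iface=ext drop proto=54 src=198.51.100.1 dst=203.0.113.10
1999-05-10 13:01:05 iface=ext drop proto=udp src=192.168.0.7 sport=137 dst=203.0.113.10 dport=137
1999-05-10 13:01:07 iface=ext drop proto=udp src=10.4.4.1 sport=137 dst=203.0.113.10 dport=137
1999-05-10 13:01:09 iface=ext drop proto=udp src=198.51.100.9 sport=137 dst=203.0.113.10 dport=137
1999-05-10 13:02:11 iface=ext drop proto=tcp src=198.51.100.9 sport=40001 dst=203.0.113.10 dport=22
"""

# Assumed: the ranges actually in use on the inside of the firewall.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/24")]
# RFC 1918 space: should never arrive from the next-hop network.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Split a 'key=value' log record into a dict; keys with no '=' are skipped."""
    parts = line.split()
    fields = {"date": parts[0], "time": parts[1], "action": parts[3]}
    for kv in parts[2:]:
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k] = v
    return fields

def classify(fields):
    src = ipaddress.ip_address(fields["src"])
    proto = fields["proto"]
    # Our own inside addresses seen on the outside: check segment isolation before anything else.
    if any(src in n for n in INTERNAL_NETS):
        return "leak-suspect"
    # Other private space from upstream: a spoof, or a broken routing table somewhere next-hop.
    if any(src in n for n in PRIVATE_NETS):
        return "spoof-or-upstream-routing"
    # Non-transport protocols (e.g. 54) carry no ports, so a missing sport is expected.
    if proto not in ("tcp", "udp", "icmp"):
        return "non-transport-proto-" + proto
    if proto == "udp" and fields.get("sport") == "137" and fields.get("dport") == "137":
        return "nbname-noise"
    return "review"

def triage(log_text):
    """Return a count of records per label, so the rare 'review' bucket stands out."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            label = classify(parse_line(line))
            counts[label] = counts.get(label, 0) + 1
    return counts
```

Run over a real day's log, a large nbname-noise bucket next to a near-empty review bucket is the "hundred packets a day" situation above, while growth in leak-suspect points at the inside network rather than at any attacker.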