I'm seeing a little of this traffic every day. The destination IP addresses are internal cache and content servers. My question is two-fold.

First, why are we seeing return packets from RFC1918 space coming in from our Internet egress point? If this is legitimate web traffic, how can a client accept these packets unless he has an ESTABLISHED TCP connection with the RFC1918 address space? To extend this argument further, how can he have an established connection when the packets are unrouteable once they reach my upstream providers?

Second, if this is a scan, how are the return packets going to be routed to their destination, provided the intruder is not sitting in the middle of the path? This is unlikely, as all the links between the content filter/caching server and the Internet are WAN serial links in a secure facility... I could understand using a source port of 80 and making it a FIN scan to bypass the established keyword in an extended Cisco ACL. But this still doesn't reconcile the RFC1918 address space. What am I forgetting?

Thanks,
Jesse

May 12 07:26:19 [170.142.1.129.7.144] 2061876: *May 12 00:33:39.118: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet1/5 0010.117d.fc08) -> 170.141.7.201(0), 1 packet
May 12 07:26:26 [170.142.1.129.7.144] 2061883: *May 12 00:33:45.582: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet1/5 0010.117d.fc08) -> 170.141.7.201(0), 1 packet
May 12 07:26:32 [170.142.1.129.7.144] 2061888: *May 12 00:33:51.422: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet1/5 0010.117d.fc08) -> 170.141.7.195(0), 1 packet
May 12 07:47:32 chattanooga.tnet.state.tn.us 372957: *May 12 00:45:14.297: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet0/3 0010.1424.ac10) -> 207.125.65.181(0), 1 packet
May 12 13:37:34 chattanooga.tnet.state.tn.us 375890: *May 12 06:35:16.367: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet0/3 0010.1424.ac10) -> 207.125.65.181(0), 1 packet
May 12 13:44:29 chattanooga.tnet.state.tn.us 375943: *May 12 06:42:11.379: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet0/3 0010.1424.ac10) -> 207.125.65.181(0), 1 packet
May 12 14:18:10 chattanooga.tnet.state.tn.us 376270: *May 12 07:15:52.451: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet0/3 0010.1424.ac10) -> 207.125.65.181(0), 1 packet
May 12 14:55:48 tenn-tower.tnet.state.tn.us 132555: May 12 08:55:23.369: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet0/0 0010.117d.fc09) -> 207.125.247.197(0), 1 packet
May 12 16:01:50 chattanooga.tnet.state.tn.us 377003: *May 12 08:59:33.018: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet0/3 0010.1424.ac10) -> 207.125.65.181(0), 1 packet

Jesse Whyte
Information Security
OIR/Telecommunications
State of Tennessee
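The lines Jesse quotes make a good fixture for a small triage script. The following is an added example, not code from the original post: a parser for Cisco IOS %SEC-6-IPACCESSLOGP records that collapses the doubled syslog entries (same relaying host and same IOS sequence number), flags events whose source address falls in RFC 1918 space regardless of the ACL that caught them, and tallies sources, ingress interfaces and destination ports. The embedded input takes four lines from the post plus one constructed control line whose source is in the TEST-NET-3 documentation range (203.0.113.0/24), so the script runs offline and shows the public-source case alongside the private-source one.

```python
"""Triage Cisco IOS %SEC-6-IPACCESSLOGP syslog lines for RFC 1918-sourced ingress traffic."""
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges spelled out, rather than ipaddress.is_private, which also
# covers loopback, link-local and documentation networks.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One IOS access-list log record as relayed by syslog. The leading "*" before
# the router timestamp is optional (it marks a clock that is not NTP-synced).
LINE_RE = re.compile(
    r"^(?P<rcvd>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<seq>\d+): \*?(?P<ts>\w{3} +\d+ [\d:.]+): "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) "
    r"(?:\((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) )?"
    r"-> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?$"
)

# Four lines from the post, the first one repeated as it appears there, plus one
# constructed control line with a public (TEST-NET-3) source address.
SAMPLE_LOG = """\
May 12 07:26:19 [170.142.1.129.7.144] 2061876: *May 12 00:33:39.118: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet1/5 0010.117d.fc08) -> 170.141.7.201(0), 1 packet
May 12 07:26:19 [170.142.1.129.7.144] 2061876: *May 12 00:33:39.118: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet1/5 0010.117d.fc08) -> 170.141.7.201(0), 1 packet
May 12 07:26:32 [170.142.1.129.7.144] 2061888: *May 12 00:33:51.422: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet1/5 0010.117d.fc08) -> 170.141.7.195(0), 1 packet
May 12 14:55:48 tenn-tower.tnet.state.tn.us 132555: May 12 08:55:23.369: %SEC-6-IPACCESSLOGP: list 113 denied tcp 192.168.254.105(80) (Ethernet0/0 0010.117d.fc09) -> 207.125.247.197(0), 1 packet
May 12 15:00:00 tenn-tower.tnet.state.tn.us 132600: May 12 09:00:00.000: %SEC-6-IPACCESSLOGP: list 113 denied tcp 203.0.113.9(80) (Ethernet0/0 0010.117d.fc09) -> 207.125.247.197(0), 1 packet
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def parse_line(line: str):
    """Return a dict of fields for one record, or None if the line is not an IPACCESSLOGP entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("seq", "sport", "dport", "count"):
        ev[key] = int(ev[key])
    return ev


def dedupe(events):
    """Drop repeats of the same router message: same relaying host and same IOS sequence number."""
    seen, unique = set(), []
    for ev in events:
        key = (ev["host"], ev["seq"])
        if key not in seen:
            seen.add(key)
            unique.append(ev)
    return unique


def analyze(log_text: str) -> dict:
    """Parse, dedupe and summarise; 'rfc1918_source' holds the events a border filter should never see."""
    events = [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]
    unique = dedupe(events)
    return {
        "parsed": len(events),
        "unique": len(unique),
        "rfc1918_source": [ev for ev in unique if is_rfc1918(ev["src"])],
        "dst_ports": Counter(ev["dport"] for ev in unique),
        "sources": Counter(ev["src"] for ev in unique),
        "interfaces": Counter(ev["iface"] for ev in unique),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['parsed']} records, {result['unique']} unique after dedupe")
    print("sources:", dict(result["sources"]))
    print("ingress interfaces:", dict(result["interfaces"]))
    print("destination ports:", dict(result["dst_ports"]))
    for ev in result["rfc1918_source"]:
        print(f"RFC1918 source {ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']} "
              f"on {ev['iface']} (acl {ev['acl']}, seq {ev['seq']})")
```

The dedupe key is worth the two lines it costs: in the post every record appears twice with the same sequence number, so counting raw lines would double the apparent volume. Grouping the RFC 1918 hits by ingress interface is what tells you whether the border anti-spoofing filter is the right place to drop them, since a genuine reply to an established session would carry the client's ephemeral port and a routable source, and nothing in 192.168/16 should arrive from upstream at all.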
