Carl,
Are you referring to RFC1918 addresses? Technically
these are routable, but _most_ ISPs will drop these (this
is where most say they are not routable). But if they
originate from the ISP, they can do what they want. What
do your ACLs look like for blocking these? They should
be something like this (fast rip from the SANS site, with other IP nets:
http://www.sans.org/dosstep/cisco_spoof.htm )
no access-list 150
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any
Since Akamai has many of these around the world, they
may have struck a deal with the ISP (read, paid $$ to ISP)
to place these strategically at ISP sites.
The packet was most likely sent with the ACK bit set. This
would explain the fw dropping the packet with the message
"unknown established tcp packet". Akamai is just prompting
for some sort of response, which your fw gladly turned down.
Look through your logs. I think you might find that Akamai is
using 'known' port numbers (numbers it has seen, or a few after
them) to attempt to anticipate communications with anything it
can find.
Robert
- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> Carl E. Mankinen <[EMAIL PROTECTED]> 9/26/00 6:22:43 PM >>>
>
>Okay, I am seeing some strange logs on my FW1 lately.
>I punched the IP into google and found someone else with similar log entries and
>concern posted on SANS.
>(they seem to think it's a LOKI scan or something similar)
>
>Go to ARIN and look up 204.178.110.52
>You will find this belongs to AKAMAI-TECH.
>
>Somehow they got past all our null0 routes, all our access lists, and managed to have
>a packet arrive at my FW's outside interface SOURCEd from AKAMAI with an RFC1814
>DESTINATION address.
>Service 1439, tcp, S_port http
>
>This same host is scanning my block of addresses and attempting to talk to my bastion
>host on port 10094.
>
>My firewall is catching all these and dropping them, but I am really concerned about
>seeing RFC1814 addresses at my outside interface especially when my router is set to
>block them and they aren't routable ANYWAY...
>(however, this Akamai host is on my IAP's network...(coincidence?))
>
>Is it possible that FW1 did not log the addresses correctly? Perhaps it logged the
>destination after it had been xlat'd???
>There was no nat applied on the log entry and it's a rule 0 (unknown established tcp
>packet)
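As an added example, not part of either mail above: the script below loads the Cisco anti-spoofing ACL Robert posted into Python (converting each "address wildcard" pair into a prefix), evaluates it first-match with the implicit deny, and then audits a few constructed packet records for the two things the thread discusses, a bogon/RFC1918 address at the outside interface and a TCP segment carrying ACK without SYN that matches no known session (FW-1's rule 0 "unknown established tcp packet"). The sample packets are made up; the first one is shaped like Carl's log entry (Akamai source, source port 80, RFC1918 destination). Running it also shows the caveat a practitioner would want: the posted ACL matches on source only, so a packet with a routable source and a private destination passes it unchanged.

```python
"""
Added example (not from the original mails): parse the Cisco anti-spoofing ACL
quoted in the thread, evaluate it, and audit constructed packet records for
bogon/RFC1918 addresses at the outside interface and for out-of-state ACKs.
"""
import ipaddress
from dataclasses import dataclass

# The ACL exactly as posted in the thread (Cisco IOS extended ACL syntax).
ACL_TEXT = """
access-list 150 deny ip 0.0.0.0 0.255.255.255 any
access-list 150 deny ip 10.0.0.0 0.255.255.255 any
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip 169.254.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.15.255.255 any
access-list 150 deny ip 192.0.2.0 0.0.0.255 any
access-list 150 deny ip 192.168.0.0 0.0.255.255 any
access-list 150 deny ip 224.0.0.0 15.255.255.255 any
access-list 150 deny ip 240.0.0.0 7.255.255.255 any
access-list 150 deny ip 248.0.0.0 7.255.255.255 any
access-list 150 deny ip 255.255.255.255 0.0.0.0 any
access-list 150 permit ip any any
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco 'address wildcard' -> prefix. The wildcard is the inverted netmask
    (0.255.255.255 == /8, 0.0.0.0 == /32), so it must be zeros followed by ones."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefixlen = 33 - (wc + 1).bit_length()
    return ipaddress.IPv4Network((addr, prefixlen), strict=False)


def _parse_spec(tokens, i):
    """Parse one address spec ('any', 'host A', or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str, number: str = "150"):
    aces = []
    for line in text.splitlines():
        t = line.split()
        # Skip blank lines, 'no access-list ...' and entries for other ACL numbers.
        if len(t) < 4 or t[0] != "access-list" or t[1] != number or t[3] != "ip":
            continue
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces


def acl_action(aces, src: str, dst: str) -> str:
    """First-match evaluation with Cisco's implicit deny at the end of the list."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def bogon_networks(aces):
    """Every source prefix the ACL denies; reused below to test destinations too."""
    return [a.src for a in aces if a.action == "deny"]


def audit_packet(aces, pkt: dict) -> list:
    """Findings for one inbound packet on the outside interface. 'flags' is a set
    of TCP flag names; 'known' says whether the firewall state table has the session."""
    findings = []
    if acl_action(aces, pkt["src"], pkt["dst"]) == "deny":
        findings.append("src denied by ingress ACL")
    if any(ipaddress.IPv4Address(pkt["dst"]) in n for n in bogon_networks(aces)):
        # The posted ACL filters sources only, so this is the case it misses.
        findings.append("bogon/RFC1918 destination passed ACL")
    if "ACK" in pkt["flags"] and "SYN" not in pkt["flags"] and not pkt["known"]:
        findings.append("ACK without session (rule 0: unknown established tcp packet)")
    return findings


# Constructed sample packets (not real log data). The first mirrors the entry in
# the original post: Akamai-owned source, source port 80, RFC1918 destination.
SAMPLE_PACKETS = [
    {"src": "204.178.110.52", "sport": 80, "dst": "192.168.1.10", "dport": 1439,
     "flags": {"ACK"}, "known": False},
    {"src": "10.1.2.3", "sport": 1025, "dst": "198.51.100.5", "dport": 22,
     "flags": {"SYN"}, "known": False},
    {"src": "198.51.100.9", "sport": 443, "dst": "203.0.113.7", "dport": 40000,
     "flags": {"ACK"}, "known": True},
]


def audit_all(text=ACL_TEXT, packets=SAMPLE_PACKETS):
    aces = parse_acl(text)
    return {p["src"]: audit_packet(aces, p) for p in packets}


if __name__ == "__main__":
    for src, findings in audit_all().items():
        print(src, "->", findings or ["clean"])
```

The second and third sample packets use the RFC 5737 documentation ranges 198.51.100.0/24 and 203.0.113.0/24 as stand-ins for public addresses; those ranges post-date the SANS list the ACL was ripped from and are not blocked by it, which is itself a reminder that a bogon ACL needs maintenance.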
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================