On Lynk's GNAT Box, I've set up some filters to reduce
false alarms, using the "#DEFAULT: Block/nolog stale
WWW accesses" filter as a model. One of these filters
eliminates alarms caused by private address traffic
like what you are seeing.
The filters and the objects they depend on look something
like what I show below. When I find a legitimate host on
the Internet that often sends back late replies, I add it
to the "SLOWPOKES" object.
Objects
Addresses

BROADCAST - Broadcast Addresses
Index  Type  Beginning        Ending
-----  ----  ---------------  ---------------
1      mask  255.255.255.255  255.255.255.255
2      mask  192.111.31.255   192.111.31.255

PRIVATE - RFC1918 Private Addresses
Index  Type  Beginning        Ending
-----  ----  ---------------  ---------------
1      mask  10.0.0.0         10.255.255.255
2      mask  172.16.0.0       172.31.255.255
3      mask  192.168.0.0      192.168.255.255

SECURITYSCANNERS - Sites that allow you to scan your own system
Index  Type  Beginning        Ending
-----  ----  ---------------  ---------------
1      host  207.71.92.193
2      host  207.71.92.221

SLOWPOKES - Internet Hosts that frequently send back late replies
Index  Type  Beginning        Ending
-----  ----  ---------------  ---------------
1      mask  209.185.151.0    209.185.151.255
Filters
Remote Access
#Block/nolog stale FTP, SMTP, DNS, POP3, and HTTPS (TCP)
Deny ANY TCP nolog
from "ANY_IP" 20 21 25 53 110 443
to "ANY_IP" 1024:65535
#Block/nolog stale DNS (UDP)
Deny ANY UDP nolog
from "ANY_IP" 53
to "ANY_IP" 1024:65535
#Block/nolog stale access from known "slow" hosts
Deny ANY TCP nolog
from "SLOWPOKES"
to "ANY_IP" 1024:65535
#Block/nolog broadcast traffic
Deny ANY ALL nolog
from "ANY_IP"
to "BROADCAST"
#Block/nolog Private Address traffic (TCP)
Deny ANY TCP nolog
from "PRIVATE"
to "ANY_IP" 1025:65535
#Block/nolog Private Address traffic (UDP)
Deny ANY UDP nolog
from "PRIVATE"
to "ANY_IP" 1025:65535
#Block/nolog traffic from automated security scanners
Deny ANY ALL nolog
from "ANY_IP"
to "SECURITYSCANNERS"
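As an added example (not part of this thread and not GNAT Box code), the script below applies the same reasoning as the filters above to alarm lines in the syslog format quoted further down: it parses the [src/port]->[dst/port] fields, flags sources inside the RFC1918 ranges as leaked private-address traffic, and flags packets from a well-known service port to a high port as late replies to an outbound session. The sample lines, the documentation-range address standing in for the masked XXX.XXX.XXX.XXX, and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alarms in the GNAT Box syslog format quoted in the thread.
# Line 1 mirrors the real alarm (destination replaced by a documentation address);
# lines 2 and 3 are made up to show the other outcomes.
SAMPLE_ALARMS = [
    "04-10-2001 16:22:09 Local1.Warning 10.0.0.23 Oct 4 16:26:05 FILTER: Remote "
    "access filter blocks: TCP ep0 [172.26.140.8/110]->[203.0.113.5/22453] l=0 f=0x4.",
    "04-10-2001 16:23:10 Local1.Warning 10.0.0.23 Oct 4 16:27:06 FILTER: Remote "
    "access filter blocks: TCP ep0 [198.51.100.9/443]->[203.0.113.5/40211] l=0 f=0x14.",
    "04-10-2001 16:24:11 Local1.Warning 10.0.0.23 Oct 4 16:28:07 FILTER: Remote "
    "access filter blocks: TCP ep0 [198.51.100.9/4567]->[203.0.113.5/22] l=0 f=0x2.",
]

ALARM_RE = re.compile(
    r"FILTER: Remote access filter blocks: (?P<proto>\w+) \w+ "
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
)
# Same ranges as the PRIVATE object above (RFC1918).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Same source ports as the "stale FTP, SMTP, DNS, POP3, and HTTPS" filter.
SERVICE_PORTS = {20, 21, 25, 53, 110, 443}


def parse_alarm(line):
    """Return the protocol and endpoints of one alarm line, or None if it is not one."""
    m = ALARM_RE.search(line)
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def classify(alarm):
    """Label an alarm the way the nolog filters would treat it; 'review' means keep it."""
    src = ipaddress.ip_address(alarm["src"])
    if any(src in net for net in PRIVATE):
        return "leaked-private"     # cannot be answered, so not a real inbound session
    if alarm["proto"] in ("TCP", "UDP") and alarm["sport"] in SERVICE_PORTS \
            and alarm["dport"] >= 1024:
        return "stale-reply"        # server-side port to an ephemeral port
    return "review"                 # e.g. a high port to a service port: worth a look


def triage(lines):
    """Count alarm lines per label so the 'review' bucket can be inspected by hand."""
    return dict(Counter(classify(a) for a in map(parse_alarm, lines) if a))
```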
> -----Original Message-----
> From: Mike Burden
> Sent: Tuesday, October 09, 2001 10:42 AM
> To: 'Marc Suxdorf'
> Cc: GNAT Box Users Group (E-mail)
> Subject: RE: Filter question
>
>
> If someone has an email client configured to check email
> on an outside service every X minutes, that would likely
> explain why it happens overnight.
>
> After I wrote the above paragraph, I took a closer look
> at the alarm message. 172.26.140.8 is a "private" address
> (See RFC1918 at http://www2.hunter.com/docs/rfc/rfc1918.html
> for more information about private addresses). This most
> likely means that someone using the same ISP as you is
> "leaking" private address traffic and your ISP is not
> filtering it (most don't).
>
> There doesn't seem to be enough traffic to think that
> someone is attempting to mount a denial of service attack,
> and since the traffic is coming from a private address
> space there is no way that reply packets could return to
> the host that originated these packets, so I would have
> to conclude that this is the result of cluelessness on
> the part of someone using the same ISP as you rather than
> any sort of malicious intent.
>
> Mike Burden
> Lynk Systems
> http://www.lynk.com
> (616)532-4985
> [EMAIL PROTECTED]
>
>
>
> > -----Original Message-----
> > From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, October 09, 2001 10:38 AM
> > To: 'Mike Burden'
> > Subject: AW: Filter question
> >
> >
> > Hi Mike
> >
> > Thanks for taking the time to answer. Strangely, most of these
> > reports happen overnight and the remote IP addresses cannot be
> > resolved; that's what made me suspicious.
> > Please let me know if you have other ideas.
> >
> > Thanks a lot and best wishes
> >
> > Marc
> >
> > Suxdorf Studios für Design
> > Milchstrasse 6b
> > D-20148 Hamburg
> > Tel +49 (40) 41345-100
> > Fax +49 (40) 41345-101
> > Email [EMAIL PROTECTED]
> >
> > -----Original Message-----
> > From: Mike Burden [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 9 October 2001 16:20
> > To: Marc Suxdorf; '[EMAIL PROTECTED]'
> > Subject: RE: Filter question
> >
> > I answered on Friday, but it looks like my response never
> > got through, so I'll try again:
> >
> > The traffic is coming *FROM* port 110, not *TO* port 110.
> > This means that the POP server is on the Internet, not
> > a host on the Internet trying to contact a POP server on
> > your network.
> >
> > What this most likely means is that someone on your network
> > is retrieving email from an email server outside of your
> > network, such as Yahoo, Hotmail, or somesuch.
> >
> > When the server on the Internet is overloaded, or when
> > there is network congestion between your network and the
> > server, then some network packets come back after the
> > GNAT Box has stopped expecting them. The GNAT Box then
> > treats these as an attempt at an unsolicited inbound
> > connection, and generates alarm messages.
> >
> > Mike Burden
> > Lynk Systems
> > http://www.lynk.com
> > (616)532-4985
> > [EMAIL PROTECTED]
> >
> >
> >
> > > -----Original Message-----
> > > From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, October 09, 2001 3:13 AM
> > > To: '[EMAIL PROTECTED]'
> > > Subject: RE: Filter question
> > >
> > >
> > > --------------------- Attention -----------------------------
> > > A digest version of this list is now available.
> > > Send email to [EMAIL PROTECTED], with the following message:
> > > subscribe gb-users-digest your_email_address
> > > Then unsubscribe from this list.
> > > -------------------------------------------------------------
> > > GNAT Box User Forum http://www.gnatbox.com/cgi-bin/Ultimate.cgi
> > > Send postings to: [EMAIL PROTECTED]
> > > Access the list archives at: http://www.gnatbox.com/gb-users/
> > > -------------------------------------------------------------
> > > Hi again
> > >
> > > I know, I am not a pro and maybe I should know this <g>. But
> > > still, maybe someone could just quickly let me know whether I am
> > > paranoid or not (referring to my post below...).
> > >
> > > Thanks a lot!
> > >
> > > Marc
> > >
> > >
> > > -----Original Message-----
> > > From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, 5 October 2001 09:40
> > > To: '[EMAIL PROTECTED]'
> > > Subject: Filter question
> > >
> > > Hi everyone
> > > I get a lot of access attempts from port 110 to very high
> > > ports on my two public IP addresses. I don't have a POP3 server
> > > running on the gnat box, nor do I have inbound filters configured
> > > for port 110. Could it be that trojans or hackers use 110 as their
> > > destination port in order to camouflage something?
> > > Thanks for any help
> > > Marc
> > > 04-10-2001 16:22:09 Local1.Warning 10.0.0.23 Oct 4 16:26:05 FILTER: Remote access filter blocks: TCP ep0 [172.26.140.8/110]->[XXX.XXX.XXX.XXX/22453] l=0 f=0x4.
> > >
> > > ----------------------------------------------
> > > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > > with "unsubscribe gb-users your_email_address
> > > in the body of the message
> > >
> > >