Check news channels about SIP attacks and about a botnet silently scanning the entire IPv4 range from the past week or so - there was something about such attacks.

On Oct 24, 2012 4:45 AM, "ik" <ido...@gmail.com> wrote:
> On Tue, Oct 23, 2012 at 7:14 PM, shimi <linux...@shimi.net> wrote:
> > On Mon, Oct 22, 2012 at 11:13 AM, ik <ido...@gmail.com> wrote:
> >>
> >> Hello,
> >>
> >> I have a network with a Fortigate router, active firewalls, and the
> >> network itself is under NAT.
> >> It recently started to get attacked by external class A IPs (several
> >> class A based IP blocks).
> >> We scan the network from outside, over the whole IP address range of the
> >> network itself (that should go inside), and they are not visible from
> >> outside (except for a handful of IP addresses).
> >> The thing is, that they arrive at servers inside the network, and
> >> constantly try to attack them, scan them etc., while we see the
> >> external IP addresses of the attackers.
> >>
> >> The network contains Windows, Linux and Mac OS X machines (almost all
> >> of the desktops are Windows, and a few Mac OS X).
> >> I'm looking for better ideas on what can be checked in that matter, to
> >> better understand where they are coming from, or to figure out
> >> what is the vulnerability they are exploiting.
> >>
> >
> > If I'm reading you correctly - you're saying that internal IPs get
> > connection attempts from the outside EVEN THOUGH they're not supposed to?
> > (there's no NAT rule that sends an external IP to an internal one)?
>
> You understand me correctly. There is no NAT rule that we know of that
> provides such access.
>
> > If so - are you sure they're _attacking_ you? Absolutely positive that what
> > you're seeing is NOT returning packets for packets that have originated from
> > YOUR network? (could be internal computers with malware...)
>
> I see the automated scanners in the log, trying to do stuff, but they
> are very narrow scans for specific tasks of specific servers.
> For example attempting to connect to SIP extensions on Asterisk and trying to
> dial.
>
> > The reason I'm asking is that for a "new" connection to be established to
> > a machine behind NAT, you would need the NAT router to explicitly DNAT the
> > traffic to the internal scope. If you didn't do that - it's very weird to
> > see "new" sessions traversing the NAT router...
>
> I know, that's why I'm so puzzled with it.
>
> > However, if I am not reading you correctly, and you did open access to the
> > internal network with DNAT rules, then I am not sure I understand what
> > you're actually asking - it seems it works as expected? Please explain what
> > you mean by 'where they are coming from' - I think you already answered
> > the question yourself ("several of class A based...")
> >
> > So, please clarify the scenario more precisely. :)
> >
> > -- Shimi
_______________________________________________ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
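Shimi's point in the quoted exchange (a "new" inbound session to a host behind NAT needs an explicit DNAT rule, so what looks like an attack may instead be return traffic for flows that started inside, e.g. from infected desktops) can be checked directly against the firewall log. The script below is an added example, not code from this thread or from Fortigate: it assumes simplified iptables-style LOG lines (constructed here, not real traffic) and sorts each inbound packet to an RFC1918 host into "solicited" (it reverses a previously logged outbound flow) or "unsolicited" (no inside origin, so a forwarding rule or a scanner such as the SIP probes ik describes must be involved).

```python
"""Separate return traffic for inside-originated flows (solicited) from
unsolicited inbound hits on RFC1918 hosts. Log format is assumed."""
import ipaddress
import re

# Constructed sample lines in simplified iptables LOG style (not real traffic).
SAMPLE_LOG = """\
IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=UDP SPT=5060 DPT=5060
IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.0.5 PROTO=UDP SPT=5060 DPT=5060
IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=10.0.0.5 PROTO=UDP SPT=5081 DPT=5060
IN=eth0 OUT=eth1 SRC=198.51.100.78 DST=10.0.0.20 PROTO=TCP SPT=40000 DPT=22 SYN
IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=198.51.100.200 PROTO=TCP SPT=51000 DPT=443 SYN
IN=eth0 OUT=eth1 SRC=198.51.100.200 DST=10.0.0.20 PROTO=TCP SPT=443 DPT=51000 SYN ACK
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def is_internal(ip):
    """True for RFC1918 addresses, i.e. hosts that sit behind the NAT."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(lines):
    """Return {'solicited': [...], 'unsolicited': [...]} of (src, dst, proto, dport).

    Outbound flows (internal src -> external dst) are remembered by 5-tuple; an
    inbound packet whose reversed 5-tuple matches one is return traffic. Anything
    else reaching an internal host from outside had no inside origin, so a
    forwarding rule (or a scanner hitting one) must exist."""
    outbound = set()
    result = {"solicited": [], "unsolicited": []}
    for line in lines:
        p = dict(FIELD.findall(line))
        if len(p) < 5:  # skip blank or unparseable lines
            continue
        src, dst, proto = p["SRC"], p["DST"], p["PROTO"]
        if is_internal(src) and not is_internal(dst):
            outbound.add((dst, p["DPT"], src, p["SPT"], proto))
        elif not is_internal(src) and is_internal(dst):
            key = (src, p["SPT"], dst, p["DPT"], proto)
            bucket = "solicited" if key in outbound else "unsolicited"
            result[bucket].append((src, dst, proto, p["DPT"]))
    return result


if __name__ == "__main__":
    for kind, hits in classify(SAMPLE_LOG.splitlines()).items():
        print(kind, hits)
```

Unsolicited UDP hits on port 5060 are the SIP scanner pattern from the thread; a non-empty unsolicited list on a router that supposedly has no DNAT rule is the place to start looking for the forwarding path.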