
Firewall riddle.

Discussion in 'Networking' started by O111111O, Feb 10, 2007.

  1. O111111O

    O111111O Thread Starter

    Here's a good one that was posed to me earlier, whoever can answer this gets all of the water they can drink from their tap for free... :)

    This is a log excerpt from a real production system, the system is behind a firewall, but also runs IPTables.
    The firewall static NAT's 172.16.1.158 to a public IP.
    The firewall has rulesets to allow TCP 80,443, ICMP unreachable, ICMP source quench, and ICMP echo reply to host.


    The IP's have been changed to RFC1918 address space, other than that nothing has been altered.

    [17200096.764000] bad_incoming_packet IN=eth0 OUT=
    MAC=00:02:3f:20:a6:31:00:07:4f:77:1f:fc:08:00 SRC=10.255.255.254
    DST=172.16.1.158 LEN=112 TOS=0x00 PREC=0x00 TTL=242 ID=1 DF
    PROTO=ICMP TYPE=3 CODE=3 [SRC=172.16.1.158 DST=10.255.255.254 LEN=758 TOS=0x00
    PREC=0x00 TTL=113 ID=29974 PROTO=UDP SPT=23961 DPT=1026 LEN=738 ]

    Host @ 172.16.1.158 received ICMP Type 3 Code 3 from 10.255.255.254.
    Host 172.16.1.158 never originated a packet.

    The questions are:
    Why did 172.16.1.158 receive this packet?
    What conditions would allow this packet to traverse the exterior firewall?
     
  2. O111111O

    O111111O Thread Starter

    Ok, I've got a potential for $80k per year starting salary for anybody that can answer this.
     
  3. waymanjp

    waymanjp

    Hello 126,

    I am not very familiar with iptables, but I am a network analyst and I am somewhat proficient with Cisco pix. I believe you might have answered part of your question with that log sample you gave. The message that you are receiving is an ICMP unreachable (more specifically port unreachable) message. Therefore, if I understand what you have written, it appears that the reason the traffic is reaching the inside host is because it has been permitted.

    Now, as far as 172.16.1.158 never originating a packet... that is definitely strange, if this is in fact the case. The only thing off the top of my head that I can think of that would cause this scenario would be someone spoofing the public IP of this host.

    So, if we go with the spoofing theory.
    Why would someone spoof addresses for traffic that would generate this type of traffic?
    We can see that the destination port of the original packet was udp/1026. The most common thing associated with udp/1026 is annoying Windows Messenger service spam (at least for people who have the Windows Messenger service exposed to the internet). I would expect this to be the most likely thing since these types of messages are essentially single-packet attacks, therefore spoofing the source address allows the spammer to accomplish what he/she wants (the message gets to its destination).. and also spoofing the source address means that you can send tons of these messages to random hosts without flooding your own connection (the sender) with ICMP unreachable messages when the destination hosts respond with ICMP port unreachable because they are not running a service on that port, or because some sort of security device/software has sent an ICMP port unreachable message because that type of traffic is blocked.

    I haven't researched this much.. other than looking up the ICMP types and the destination port.. so this is just a theory.

    My suggestion would be to ditch the ICMP unreachable rule.. unless it is necessary for other applications in your environment.

    Anyway.. hope this helps.

    Sincerely,

    Jon
     
  4. O111111O

    O111111O Thread Starter

    Hello Jon.

    You're the first person on this forum to answer at all, or one of the few people that have provided a reasonable answer [I posted this 2+ years ago in Cisco Netpro, you'd be amazed at how many wrong answers there are.] In essence, you're 100% correct.

    The log excerpt is from IPtables, and the packet was generated with Hping to emulate

    The excerpt is a case example of what happens quite a bit, and what many of the people in my group deal with (questions from customers, "why do I see this alert".) Winpopup spam with spoofed source IP sent "buy xxx" popup payload to random host, random host replied with ICMP unreachable as it wasn't listening to UDP 1026 to the spoofed source address. The spoofed source address and corresponding firewall log showed an out of state ICMP packet received. IPS/IDS also tends to throw alarms.

    This is a question/case example I give to our 1st and 2nd tier network folks.

    With regard to ditching ICMP unreachable - keep in mind that many other security folks have the propensity to do this. Dropping unreachables breaks Path MTU detection. If you like PMTUd, you need end-to-end ICMP unreach. [Along with source quench]

    Also, bonus points for the name. [The last 3 digits of CCIE cert end in 126, it's also ASCII table first digit of last name - I kinda liked it]
     
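The following is an added example (not code from the thread or from either poster) that applies the analysis above to the iptables line quoted in the first post: it splits the outer ICMP header from the quoted original packet in square brackets and flags the error as backscatter when the quoted packet claims to come from the local host but no matching outbound flow exists. The local IP, the sample line and the `sent_flows` set are constructed stand-ins for a real conntrack table.

```python
import re

# Constructed sample: the iptables line from the first post, joined onto one line.
SAMPLE = ("[17200096.764000] bad_incoming_packet IN=eth0 OUT= "
          "MAC=00:02:3f:20:a6:31:00:07:4f:77:1f:fc:08:00 SRC=10.255.255.254 "
          "DST=172.16.1.158 LEN=112 TOS=0x00 PREC=0x00 TTL=242 ID=1 DF "
          "PROTO=ICMP TYPE=3 CODE=3 [SRC=172.16.1.158 DST=10.255.255.254 LEN=758 "
          "TOS=0x00 PREC=0x00 TTL=113 ID=29974 PROTO=UDP SPT=23961 DPT=1026 LEN=738 ]")

KV = re.compile(r"(\w+)=(\S*)")

# ICMP type 3 codes that matter for this kind of triage (RFC 792 / RFC 1122 names).
UNREACH_CODES = {"0": "net", "1": "host", "2": "protocol", "3": "port",
                 "4": "fragmentation needed (PMTUD)"}

def parse_iptables_icmp(line):
    """Return (outer, inner) field dicts. For ICMP errors iptables quotes the
    offending original header inside [...]; the second LEN there is the UDP length."""
    inner = {}
    m = re.search(r"\[(SRC=.*?)\]", line)
    if m:
        inner = dict(KV.findall(m.group(1)))
        line = line[:m.start()]
    outer = dict(KV.findall(line))
    return outer, inner

def classify_icmp_error(outer, inner, local_ip, sent_flows):
    """sent_flows: set of (src, dst, proto, sport, dport) the local host really
    originated (constructed here; on a real box it would come from conntrack)."""
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3":
        return "not-icmp-unreachable"
    if not inner:
        return "unreachable-without-quoted-packet"
    if inner.get("SRC") != local_ip:
        return "quoted-packet-not-ours"
    flow = (inner.get("SRC"), inner.get("DST"), inner.get("PROTO"),
            inner.get("SPT"), inner.get("DPT"))
    if flow in sent_flows:
        return "legitimate-%s-unreachable" % UNREACH_CODES.get(outer.get("CODE"), "?")
    # Our address is quoted as the source, but we never sent that datagram:
    # a third party spoofed us and the victim's error reply landed here.
    return "backscatter-spoofed-source"

def analyze(line, local_ip, sent_flows=frozenset()):
    outer, inner = parse_iptables_icmp(line)
    return classify_icmp_error(outer, inner, local_ip, sent_flows)

if __name__ == "__main__":
    print(analyze(SAMPLE, "172.16.1.158"))
```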
  5. StumpedTechy

    StumpedTechy

    The downs and dirtys of routing and firewalls still elude me. I am okay with IPs and a little fuzzy with subnetting but anything deeper has more of a "mathy" feel to me and that's where I fall short. I can understand principles of it when explained, I just don't retain it because I don't use it.

    My answer would have been 42 (The meaning of life, the universe, and everything). :)
     
  6. O111111O

    O111111O Thread Starter

    Trust me, I forget/don't retain things all day long. I know what you mean.

    http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?tp=&arnumber=1377460&isnumber=30066 - Read that 5 times fast. It makes you forget things like days of the week, family member names, where your keys are, etc.
     
  7. waymanjp

    waymanjp

    Alright, now you're just trying to confuse everyone when you start talking about WDM.. :p I'm glad I got your question right on the firewall riddle :). Although, it seems that you already knew the answer. Since this was a test is there some sort of prize associated? I assume you were joking about the 80k a year.

    By the way, what line of work are you in? Consultation or do you have your own environment that you manage?

    Entertained,

    Jon
     
  8. O111111O

    O111111O Thread Starter

    Yep, I get to bring vendors in and quiz them nowadays. Had Cisco in last week quizzing their engineers from Monza about Multidegree ROADM's & 4-wave mixing. Bleeding edge products......... [Scary thing is, I think I have business need to use it.]

    Consulting? You know what they say about consulting: "If you're not a part of the solution, there's good money to be made in prolonging the problem."

    Engineer. Used to work for a manufacturer. Too much traveling. Had to slow down. Now run nerd tank for a relatively small carrier/managed service provider. [$2.5b company] Large enough to deal with Fortune 10 clients, small enough that I don't have to worry about 3 states a week.

    I come here because I honestly don't get the opportunity to do much nowadays. I spend the majority of my time in some form of meeting or on the phone nowadays........ :(

    Wasn't joking, had hire ticket. Recruiters had postings in places like Monster & elsewhere. Ended up hiring somebody with CISSP [not first choice]

    So, as far as answering the question: your prize is general acceptance in this community that you can provide some packet forensics. Oh yeah, all the water that you can drink from the tap. ;)

    I'll PM you my email. Send resume. Always looking.

    Here's another challenge: Figure out where I work.
     