Fortigate router, and security attacks

shimi linux-il at shimi.net
Tue Oct 23 19:14:13 IST 2012


On Mon, Oct 22, 2012 at 11:13 AM, ik <idokan at gmail.com> wrote:

> Hello,
>
> I have a network with a Fortigate router and active firewalls, and the
> network itself is under NAT.
> It recently started to get attacked by external class A IPs (several
> class A based IP blocks).
> We scan the network from outside, the whole IP address range of the
> network itself (that should go inside), and they are not visible from
> outside (except for a handful of IP addresses).
> The thing is that they arrive at servers inside the network, and
> constantly try to attack them, scan them, etc., while we see the
> external IP addresses of the attackers.
>
> The network contains Windows, Linux and Mac OS X machines (almost all
> of the desktops are Windows, and a few Mac OS X).
> I'm looking for better ideas on what can be checked in this matter, to
> better understand where they are coming from, or to figure out
> what vulnerability they are exploiting.
>
>

If I'm reading you correctly, you're saying that internal IPs get
connection attempts from the outside EVEN THOUGH they're not supposed to
(there's no NAT rule that sends an external IP to an internal one)?

If so, are you sure they're _attacking_ you? Absolutely positive that what
you're seeing is NOT return packets for packets that originated
from YOUR network? (could be internal computers with malware...)

The reason I'm asking is that for a "new" connection to be established to
a machine behind NAT, you would need the NAT router to explicitly DNAT the
traffic to the internal scope. If you didn't do that, it's very weird to
see "new" sessions traversing the NAT router...

However, if I am not reading you correctly, and you did open access to the
internal network with DNAT rules, then I am not sure I understand what
you're actually asking; it seems it works as expected? Please explain what
you mean by 'where they are coming from'; I think you already answered
the question yourself ("several of class A based...").

So, please clarify the scenario more precisely. :)

-- Shimi
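The distinction Shimi draws above (a genuinely new inbound session, which needs a DNAT rule to exist, versus return traffic for a session an internal host opened itself) can be settled from a capture taken on the LAN side of the router. The script below is an added example, not code from this thread, from Fortinet, or from any FortiGate log format: it groups constructed packet records into sessions, finds which side sent the bare SYN, and sorts the sessions into outbound (the external packets are replies, however hostile they look), inbound with a matching forwarding rule, and inbound with no rule at all. The packet tuple layout, the addresses, the internal address ranges and the KNOWN_DNAT table are all assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# (timestamp, src, sport, dst, dport, tcp_flags)
Packet = Tuple[float, str, int, str, int, str]

# Constructed sample capture, as if taken on the LAN side of the NAT router
# after DNAT, so destinations are the real internal addresses. This is not
# the FortiGate log format; it is a minimal stand-in for illustration.
SAMPLE_PACKETS: List[Packet] = [
    (1.0, "203.0.113.5", 40001, "10.1.2.10", 443, "S"),     # outside -> web server
    (1.1, "10.1.2.10", 443, "203.0.113.5", 40001, "SA"),
    (2.0, "10.1.2.55", 51000, "198.51.100.7", 6667, "S"),   # desktop dials out
    (2.2, "198.51.100.7", 6667, "10.1.2.55", 51000, "SA"),
    (2.5, "198.51.100.7", 6667, "10.1.2.55", 51000, "PA"),  # looks inbound, isn't
    (3.0, "192.0.2.44", 55555, "10.1.2.20", 22, "S"),       # outside -> SSH, no rule
    (3.1, "192.0.2.44", 55556, "10.1.2.20", 22, "S"),
]

# Assumed "inside" address space (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical forwarding (DNAT) table: internal (host, port) pairs that are
# deliberately exposed. Assumed for the example, not read from any device.
KNOWN_DNAT: Set[Tuple[str, int]] = {("10.1.2.10", 443)}

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow_key(src: str, sport: int, dst: str, dport: int) -> FlowKey:
    """Direction-independent key so both halves of a session match."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def find_originators(packets: List[Packet]) -> Dict[FlowKey, Tuple[str, int, str, int]]:
    """Map each session to the endpoint that sent the first bare SYN.

    A packet with SYN set and ACK clear is the opener; everything else in
    that session is the reply or later data, whichever direction it flows.
    """
    originators: Dict[FlowKey, Tuple[str, int, str, int]] = {}
    for _ts, src, sport, dst, dport, flags in sorted(packets):
        key = flow_key(src, sport, dst, dport)
        if key not in originators and "S" in flags and "A" not in flags:
            originators[key] = (src, sport, dst, dport)
    return originators


def classify_sessions(packets: List[Packet],
                      known_dnat: Set[Tuple[str, int]]) -> Dict[str, set]:
    """Sort sessions by who opened them and whether a rule explains it.

    outbound         opened by an internal host; external packets are replies
    inbound_expected opened from outside to a (host, port) with a DNAT rule
    inbound_unknown  opened from outside with no rule; should be impossible
                     behind NAT and is the thing to investigate
    unmatched        sessions whose opening SYN was not in the capture
    """
    result: Dict[str, set] = {"outbound": set(), "inbound_expected": set(),
                              "inbound_unknown": set(), "unmatched": set()}
    originators = find_originators(packets)
    for _ts, src, sport, dst, dport, _flags in packets:
        key = flow_key(src, sport, dst, dport)
        if key not in originators:
            result["unmatched"].add(key)
            continue
        osrc, _osport, odst, odport = originators[key]
        if is_internal(osrc) and not is_internal(odst):
            result["outbound"].add((osrc, odst, odport))
        elif not is_internal(osrc) and is_internal(odst):
            bucket = ("inbound_expected" if (odst, odport) in known_dnat
                      else "inbound_unknown")
            result[bucket].add((osrc, odst, odport))
    return result


def hosts_to_check(result: Dict[str, set]) -> List[str]:
    """Internal hosts that opened the sessions behind 'attacking' replies;
    these are the malware candidates, not the external addresses."""
    return sorted({osrc for osrc, _dst, _port in result["outbound"]})


if __name__ == "__main__":
    verdict = classify_sessions(SAMPLE_PACKETS, KNOWN_DNAT)
    for bucket, sessions in verdict.items():
        print(f"{bucket}: {sorted(sessions)}")
    print("internal hosts to examine:", hosts_to_check(verdict))
```

On the sample data the 198.51.100.7 packets to the desktop, which would show up in a server-side log as an external address "hitting" an internal host, are classified as replies to a session 10.1.2.55 opened, while the two SSH openers from 192.0.2.44 are the only sessions that contradict the NAT assumption and need a rule, a misconfiguration, or another path into the LAN to explain them.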