<div dir="ltr"><div class="gmail_quote">On Mon, Oct 22, 2012 at 11:13 AM, ik <span dir="ltr"><<a href="mailto:idokan@gmail.com" target="_blank">idokan@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
<br>
I have a network with Fortigate router, active firewalls and the<br>
network itself is under NAT.<br>
It recently started to get attacked by external class A IPs (several<br>
of class A based IP blocks).<br>
We scan from outside, the network, the whole IP addresses of the<br>
network itself (that should go inside), and they are not visible from<br>
outside (except for a handful of IP addresses).<br>
The thing is, that they arrive at servers inside the network, and<br>
constantly try to attack them, scan them etc, while we see the<br>
external IP addresses of the attackers.<br>
<br>
The network contains Windows, Linux and Mac OS X machines (almost all<br>
of the desktops are Windows, and a few Mac OS X).<br>
I'm looking for better ideas on what can be checked in that matter, to<br>
better understand where they are coming from, or to figure out<br>
what is the vulnerability they are exploiting.<br>
<br></blockquote><div><br><br>If I'm reading you correctly - you're saying that internal IPs get connection attempts from the outside EVEN THOUGH they're not supposed to? (there's no NAT rule that sends an external IP to an internal one)?<br>
<br>If so - are you sure they're _attacking_ you? Absolutely positive that what you're seeing is NOT returning packets for packets that have originated from YOUR network? (could be internal computers with malware...)<br>
<br>The reason I'm asking is that for a "new" connection to be established to a machine behind NAT, you would need the NAT router to explicitly DNAT the traffic to the internal scope. If you didn't do that - it's very weird to see "new" sessions traversing the NAT router... <br>
<br>However, if I am not reading you correctly, and you did open access to the internal network with DNAT rules, then I am not sure I understand what you're actually asking - it seems it works as expected? Please explain what you mean by 'where they are coming from' - I think you already answered the question yourself ("several of class A based...")<br>
<br>So, please clarify the scenario more precisely. :)<br><br>-- Shimi<br></div></div><br></div>
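The distinction Shimi draws (a genuinely new inbound session through the NAT, which needs a DNAT rule, versus return packets for a session an internal host opened) can be checked mechanically against the firewall's traffic log. The script below is an added example, not code from this thread or from Fortinet: it parses constructed key=value log lines (not FortiGate's real log format), treats RFC 1918 space as "inside", and classifies each record by direction and TCP flags. A bare SYN from outside to an inside address that has no matching entry in a hypothetical DNAT table is flagged as unexpected; SYN-ACK or ACK from outside is treated as a reply to a session the internal host started, which points at that host rather than at the router.

```python
import ipaddress
from collections import Counter

# Constructed sample log lines in a generic key=value form (NOT FortiGate's
# actual log format). External addresses use documentation ranges.
SAMPLE_LOGS = """\
src=203.0.113.7 dst=10.0.0.5 proto=tcp sport=45012 dport=22 flags=S
src=203.0.113.7 dst=10.0.0.5 proto=tcp sport=45013 dport=3389 flags=S
src=198.51.100.9 dst=10.0.0.21 proto=tcp sport=443 dport=51022 flags=SA
src=198.51.100.9 dst=10.0.0.21 proto=tcp sport=443 dport=51022 flags=A
src=10.0.0.21 dst=198.51.100.9 proto=tcp sport=51022 dport=443 flags=S
src=192.0.2.44 dst=10.0.0.80 proto=tcp sport=3301 dport=80 flags=S
"""

# Hypothetical DNAT table: (internal IP, port) pairs the router deliberately
# publishes to the outside. In practice this comes from the router config.
DNAT_RULES = {("10.0.0.80", 80)}

# "Inside" means the RFC 1918 ranges behind the NAT; checked explicitly rather
# than via ipaddress.is_private, which also matches the documentation ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict, with numeric ports."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label one record by direction and by whether it opens a session."""
    src_in, dst_in = is_internal(rec["src"]), is_internal(rec["dst"])
    flags = rec.get("flags", "")
    if src_in and not dst_in:
        return "outbound"
    if not src_in and dst_in:
        if flags == "S":
            # Bare SYN: an outside host is opening a NEW session to an
            # inside address. Only legitimate if the router DNATs that pair.
            if (rec["dst"], rec["dport"]) in DNAT_RULES:
                return "inbound-new-published"
            return "inbound-new-unexpected"
        # SYN-ACK / ACK from outside: a reply to a session the inside host
        # started; look at that host, not at the NAT rules.
        return "inbound-return"
    return "other"


def summarize(log_text):
    """Count each class and list the unexpected new inbound sessions."""
    counts = Counter()
    unexpected = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify(rec)
        counts[kind] += 1
        if kind == "inbound-new-unexpected":
            unexpected.append((rec["src"], rec["dst"], rec["dport"]))
    return counts, unexpected


if __name__ == "__main__":
    counts, unexpected = summarize(SAMPLE_LOGS)
    for kind, n in sorted(counts.items()):
        print(f"{kind:24} {n}")
    for src, dst, dport in unexpected:
        print(f"unexpected new inbound session: {src} -> {dst}:{dport}")
```

On the constructed sample, the two SYNs to 10.0.0.5 (ports 22 and 3389) have no DNAT entry and are reported as unexpected, the SYN to 10.0.0.80:80 is published and expected, and the traffic from 198.51.100.9 is the reply side of a session that 10.0.0.21 itself opened. In real use, "inbound-new-unexpected" records mean either the log is recording pre-NAT and post-NAT addresses differently than assumed or the router is forwarding traffic it should not; "inbound-return" records are the case Shimi raises, where the internal host originated the connection and should be examined.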