<p>Check news channels about SIP attacks and about a botnet silently scanning the entire IPv4 range from the past week or so - there was something about such attacks.</p>
<div class="gmail_quote">On Oct 24, 2012 4:45 AM, "ik" <<a href="mailto:idokan@gmail.com">idokan@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, Oct 23, 2012 at 7:14 PM, shimi <<a href="mailto:linux-il@shimi.net">linux-il@shimi.net</a>> wrote:<br>
> On Mon, Oct 22, 2012 at 11:13 AM, ik <<a href="mailto:idokan@gmail.com">idokan@gmail.com</a>> wrote:<br>
>><br>
>> Hello,<br>
>><br>
>> I have a network with Fortigate router, active firewalls and the<br>
>> network itself is under NAT.<br>
>> It recently started to get attacked by external class A IPs (several<br>
>> class A based IP blocks).<br>
>> We scanned the network from outside, all of the IP addresses of the<br>
>> network itself (that should go inside), and they are not visible from<br>
>> outside (except for a handful of IP addresses).<br>
>> The thing is, that they arrive at servers inside the network, and<br>
>> constantly try to attack them, scan them etc, while we see the<br>
>> external IP addresses of the attackers.<br>
>><br>
>> The network contains Windows, Linux and Mac OS X machines (almost all<br>
>> of the desktops are Windows, and a few Mac OS X).<br>
>> I'm looking for better ideas on what can be checked in that matter, to<br>
>> better understand where they are coming from, or to figure out<br>
>> what is the vulnerability they are exploiting.<br>
>><br>
><br>
><br>
> If I'm reading you correctly - you're saying that internal IPs get<br>
> connection attempts from the outside EVEN THOUGH they're not supposed to?<br>
> (there's no NAT rule that sends an external IP to an internal one)?<br>
<br>
You understand me correctly. There is no NAT rule that we know of that<br>
provides such access.<br>
<br>
><br>
> If so - are you sure they're _attacking_ you? Absolutely positive that what<br>
> you're seeing is NOT returning packets for packets that have originated from<br>
> YOUR network? (could be internal computers with malware...)<br>
<br>
I see the automated scanners in the log, trying to do stuff, but they<br>
are very narrow scans for specific tasks of specific servers.<br>
For example attempting to connect to SIP extensions on Asterisk and trying to dial.<br>
<br>
<br>
><br>
> The reason I'm asking, is, that for a "new" connection to be established to<br>
> a machine behind NAT, you would need the NAT router to explicitly DNAT the<br>
> traffic to the internal scope. If you didn't do that - it's very weird to<br>
> see "new" sessions traversing the NAT router...<br>
<br>
I know, that's why I'm so puzzled with it.<br>
<br>
><br>
> However, if I am not reading you correctly, and you did open access to the<br>
> internal network with DNAT rules, then I am not sure I understand what<br>
> you're actually asking - it seems it works as expected? Please explain what<br>
> you mean by 'where they are coming from' - I think you already answered<br>
> the question yourself ("several of class A based...")<br>
><br>
> So, please clarify the scenario more precisely. :)<br>
><br>
> -- Shimi<br>
><br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</blockquote></div>
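<p>The check Shimi describes in the quoted exchange, as an added example that is not part of any message in this thread: given the firewall's connection log and the list of DNAT rules, sort every packet from an external source that ends up at an internal address into one of three bins. Either a DNAT rule explains it, or it is the reply half of a session an internal host opened (which points at that host, not at the NAT), or it is a genuinely new inbound session that nothing on the router accounts for, which is the puzzling case ik reports. The internal range (10.0.0.0/8), the DNAT table, and the log format and lines are all constructed for the example; a Fortigate's real log format differs and its lines would need a different parser, but the classification is the same.</p>

```python
"""Sort external->internal traffic seen at a NAT boundary into
'explained by DNAT', 'return traffic of an outbound session', or
'unexplained new inbound session'. All data below is constructed."""
import ipaddress

# Assumed internal address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed DNAT table: (public IP, proto, public port) -> (internal IP, port).
DNAT_RULES = {
    ("203.0.113.10", "tcp", 443): ("10.0.0.20", 443),
    ("203.0.113.10", "udp", 5060): ("10.0.0.50", 5060),   # an Asterisk box deliberately published
}

# Constructed firewall log, in the order the router logged it.
# Format: STATE src:sport dst:dport proto   (dst is the pre-NAT destination)
LOG = """\
NEW 10.0.0.7:51000 198.51.100.9:80 tcp
ESTABLISHED 198.51.100.9:80 10.0.0.7:51000 tcp
NEW 192.0.2.33:5060 203.0.113.10:5060 udp
NEW 192.0.2.33:5060 10.0.0.60:5060 udp
NEW 192.0.2.44:40000 10.0.0.60:22 tcp
NEW 10.0.0.8:44444 198.51.100.77:6667 tcp
ESTABLISHED 198.51.100.77:6667 10.0.0.8:44444 tcp
"""


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse(log):
    """Yield (state, src_ip, src_port, dst_ip, dst_port, proto) per log line."""
    for line in log.splitlines():
        state, src, dst, proto = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield state, sip, int(sport), dip, int(dport), proto


def classify(log, dnat_rules):
    """Bin every external-sourced packet by what could have let it through."""
    outbound = set()   # 5-tuples of sessions opened from inside, for matching replies
    result = {"outbound": [], "return": [], "dnat": [], "unexplained": []}
    for state, sip, sport, dip, dport, proto in parse(log):
        if is_internal(sip):
            if not is_internal(dip):
                outbound.add((sip, sport, dip, dport, proto))
                result["outbound"].append((sip, dip, dport))
            continue                      # internal-to-internal never crosses the NAT
        # External source from here on. Reply to something we opened?
        if (dip, dport, sip, sport, proto) in outbound:
            result["return"].append((sip, dip, dport))
        elif (dip, proto, dport) in dnat_rules:
            result["dnat"].append((sip, dnat_rules[(dip, proto, dport)]))
        else:
            result["unexplained"].append((sip, dip, dport))
    return result


def suspect_sources(result):
    """External IPs that reached an internal host with no NAT rule and no outbound session."""
    return sorted({sip for sip, _, _ in result["unexplained"]})


if __name__ == "__main__":
    res = classify(LOG, DNAT_RULES)
    for bucket, entries in res.items():
        print(bucket, entries)
    print("investigate:", suspect_sources(res))
```

The "return" bucket is the case Shimi raises: the external address shows up as the source, but the internal host started the session, so the thing to look at is that host. The "unexplained" bucket is what should not be possible without a DNAT rule; if it is non-empty on a real log, either the rule set on the router is not what the log suggests, or the log's "destination" is already the post-NAT address and the DNAT lookup has to be done on the original one.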