Fortigate router, and security attacks

ik idokan at gmail.com
Tue Oct 23 19:40:29 IST 2012


On Tue, Oct 23, 2012 at 7:14 PM, shimi <linux-il at shimi.net> wrote:
> On Mon, Oct 22, 2012 at 11:13 AM, ik <idokan at gmail.com> wrote:
>>
>> Hello,
>>
>> I have a network with a Fortigate router, active firewalls, and the
>> network itself is under NAT.
>> It recently started to get attacked by external class A IPs (several
>> class A based IP blocks).
>> We scan from outside, the network, the whole IP addresses of the
>> network itself (that should go inside), and they are not visible from
>> outside (except for a handful of IP addresses).
>> The thing is, that they arrive to servers inside the network, and
>> constantly try to attack them, scan them etc, while we see the
>> external IP addresses of the attackers.
>>
>> The network contains Windows, Linux and Mac OS X machines (almost all
>> of the desktops are Windows, and a few Mac OS X).
>> I'm looking for better ideas on what can be checked in that matter, to
>> better understand where they are coming from, or to figure out
>> what vulnerability they are exploiting.
>>
>
>
> If I'm reading you correctly - you're saying that internal IPs get
> connection attempts from the outside EVEN THOUGH they're not supposed to?
> (there's no NAT rule that sends an external IP to an internal one)?

You understand me correctly. There is no NAT rule that we know of that
provides such access.

>
> If so - are you sure they're _attacking_ you? Absolutely positive that what
> you're seeing is NOT returning packets for packets that have originated from
> YOUR network? (could be internal computers with malware...)

I see the automated scanners in the log, trying to do stuff, but they
are very narrow scans for specific tasks of specific servers.
For example, attempting to connect to SIP extensions on Asterisk and trying to dial.


>
> The reason I'm asking, is, that for a "new" connection to be established to
> a machine behind NAT, you would need the NAT router to explicitly DNAT the
> traffic to the internal scope. If you didn't do that - it's very weird to
> see "new" sessions traversing the NAT router...

I know, that's why I'm so puzzled with it.

>
> However, if I am not reading you correctly, and you did open access to the
> internal network with DNAT rules, then I am not sure I understand what
> you're actually asking - it seems it works as expected? Please explain what
> you mean by 'where they are coming from' - I think you already answered
> the question yourself ("several of class A based...")
>
> So, please clarify the scenario more precisely. :)
>
> -- Shimi
>
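As an added illustration of Shimi's point (this is not code from the thread or from Fortigate): a small classifier over constructed session-log lines, in an assumed simplified format, that separates flows the external side opened toward an internal host (which cannot cross a NAT boundary without a DNAT/VIP rule) from flows an internal host opened to the same external addresses, which would point at an internal machine initiating the contact, e.g. malware.

```python
import ipaddress
from collections import defaultdict

# Constructed sample session log in a hypothetical "src:sport -> dst:dport proto first=<side>"
# form (not Fortigate's real log syntax). "first" records which side sent the flow's first packet.
SAMPLE_LOG = """\
2012-10-22T10:01:03 198.51.100.7:5060 -> 10.0.5.12:5060 udp first=external
2012-10-22T10:01:05 10.0.5.40:49213 -> 203.0.113.9:80 tcp first=internal
2012-10-22T10:01:06 203.0.113.9:80 -> 10.0.5.40:49213 tcp first=internal
2012-10-22T10:02:11 198.51.100.7:5060 -> 10.0.5.12:5061 udp first=external
2012-10-22T10:03:40 10.0.5.77:1337 -> 198.51.100.7:6667 tcp first=internal
"""

INTERNAL = ipaddress.ip_network("10.0.5.0/24")  # assumed private range behind the NAT


def parse_line(line):
    """Parse one constructed log line into its fields."""
    ts, src, _, dst, proto, first = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport),
            "proto": proto, "first": first.split("=", 1)[1]}


def classify(log_text):
    """Return (unsolicited, suspicious_internal).

    unsolicited: flows the external side opened toward an internal host; each one needs
                 an explaining DNAT/VIP rule, otherwise the router config deserves a review.
    suspicious_internal: external IPs that scan us AND receive connections opened from
                 inside, keyed to the internal hosts that opened them (check those for malware).
    """
    unsolicited = []
    outbound_by_ext = defaultdict(set)
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["first"] == "external" and r["dst"] in INTERNAL:
            unsolicited.append((str(r["src"]), str(r["dst"]), r["proto"], r["dport"]))
        elif r["first"] == "internal" and r["src"] in INTERNAL and r["dst"] not in INTERNAL:
            outbound_by_ext[str(r["dst"])].add(str(r["src"]))
    scanners = {u[0] for u in unsolicited}
    suspicious_internal = {ext: sorted(hosts) for ext, hosts in outbound_by_ext.items()
                           if ext in scanners}
    return unsolicited, suspicious_internal


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

Return packets of an internally opened session (third sample line) land in neither list, which is the distinction the question hinges on.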
