On Wednesday 16 July 2003 20:58, Daniel Chemko wrote:
> I am getting some disturbing packet traffic hitting my firewall. Here
> goes:
>
> IN=eth4 OUT=eth5 SRC=24.87.243.251 DST=24.57.108.11 LEN=76 TOS=0x00 PREC=0xC0 TTL=254 ID=17431 PROTO=ICMP TYPE=3 CODE=3 [SRC=24.57.108.11 DST=24.87.243.251 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=15860 DF PROTO=TCP SPT=3161 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 ]
>
> None of the addresses listed in the packets are from my networks, but
> what is more disturbing is that eth4 is my internal network interface.
> Can anyone see (barring an internal intrusion has occurred) how this can
> happen?
>
> It definitely appears to be an exploit on my configuration or something.

To sniff out hackers, to watch their activities, or to block them, you could put a bridge in front of your firewall (OpenBSD perhaps). Since the bridge has no IP address, no hacker notices that you're watching, and he has no clue what blocks him. Even better, the bridge cannot be attacked or hacked. (Since there is no IP address, the bridge is NOT seen as a part of your network; no extra hop is seen, which makes it almost invisible.)

A more advanced method could be a honeypot. This can give you more output about attacks or whatever an intruder wants to.

Pascal
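
Added example, not part of either message: a small Python parser for the netfilter LOG line quoted above (mail line-wrapping rejoined) that separates the outer ICMP header from the bracketed header of the packet that triggered it and checks whether the two mirror each other. The function names are chosen for this example.

```python
import re

# Log line from the quoted message, with the mail line-wrapping rejoined.
LOG_LINE = (
    "IN=eth4 OUT=eth5 SRC=24.87.243.251 DST=24.57.108.11 LEN=76 TOS=0x00 "
    "PREC=0xC0 TTL=254 ID=17431 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=24.57.108.11 DST=24.87.243.251 LEN=48 TOS=0x00 PREC=0x00 TTL=117 "
    "ID=15860 DF PROTO=TCP SPT=3161 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 ]"
)

def parse_fields(text):
    """Turn 'KEY=value FLAG ...' into a dict; bare flags (DF, SYN) map to True."""
    fields = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields

def parse_log_line(line):
    """Return (outer, inner): the logged packet's header and, for ICMP errors,
    the bracketed header of the packet that provoked the error (else None)."""
    m = re.search(r"\[(.*?)\]", line)
    inner = parse_fields(m.group(1)) if m else None
    outer = parse_fields(line[:m.start()] if m else line)
    return outer, inner

def describe(line):
    """Summarise what a logged packet is and which flow it refers to."""
    outer, inner = parse_log_line(line)
    report = {"in": outer.get("IN"), "out": outer.get("OUT"),
              "icmp_error": inner is not None,
              "port_unreachable": False, "mirrors_inner": False,
              "original_flow": None}
    if inner is not None:
        # ICMP type 3 code 3 is "destination unreachable: port unreachable".
        report["port_unreachable"] = (outer.get("PROTO") == "ICMP"
            and outer.get("TYPE") == "3" and outer.get("CODE") == "3")
        # An ICMP error goes back to the sender of the quoted packet, so the
        # outer SRC/DST should be the inner DST/SRC swapped.
        report["mirrors_inner"] = (outer.get("SRC") == inner.get("DST")
            and outer.get("DST") == inner.get("SRC"))
        report["original_flow"] = "%s:%s -> %s:%s" % (
            inner.get("SRC"), inner.get("SPT"),
            inner.get("DST"), inner.get("DPT"))
    return report

if __name__ == "__main__":
    for key, value in describe(LOG_LINE).items():
        print(key, "=", value)
```

For this line the report shows a port-unreachable error entering on eth4 and leaving on eth5, quoting a TCP SYN from 24.57.108.11 port 3161 to 24.87.243.251 port 80, with the outer addresses mirroring the quoted ones.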