IP Source route attack

T20
12.6
We're getting many ip source route attack from different external ip addresses. Anything we need to do or the firebox is doing the job of blocking.

Thanks.

Comments

  • The firewall is blocking these. You are just getting log entries showing that the firewall is blocking them.

  • Ok. Thanks Bruce! It’s strange that we got these logs after a firebox reboot.

  • Could be a coincidence

    Care to post a sample or 2?
    You can xxx out some of your external IP addr

  • WGMWGM
    edited June 22

    Hi Bruce,

    Below is the info:
    FWDeny, Ipv4 source route record route attack pri=4 disp=Deny policy=Internal-Policy protocol=icmp src_ip=43.232.125.56 dst_ip=xxx.xxx.xxx.xxx src_intf= xxx.xxx.xxx.xxx dst_intf=FBX rc=101 pckt_len=124 ttl=59 3000-0148

    FWDeny Ipv4 source route record route attack pri=4 disp=Deny policy=Internal-Policy protocol=icmp src_ip=173.141.43.166 dst_ip=xxx.xxx.xxx.xxxx src_intf=xxx.xxx.xxx.xxx dst_intf=FBX rc=101 pckt_len=124 ttl=56 3000-0148

  • Interesting, we've seen this pattern recently but just in the past 6 days. It went on over 2 days 8/25 to 8/26 and stopped. Appears to be either a very old attack vector (script kiddie) or somebody has figured out a new approach to an old vector. 153 events on our main firewall during that time.

    Bruce - long time since we've spoken - how's life? Still snowbirding?

  • Meant to add this earlier.

    Possibly someone trying to exploit unpatched Windows systems (February 2021 update) CVE-2021-24074.

  • Alan Mercer lives!!!

  • Dang, Alan! Long time, no see! It's good to see that you are still kicking. Welcome back!

    Gregg Hill

Sign In to comment.