Solved

firewall hole punching

Posted on 2013-05-15
8
434 Views
Last Modified: 2013-08-02
Hi,
It appears someone is punching through my firewall via UPD.  We don't use port randomization.

Does anyone know how this is dealt with by firewall manufactures?   We are currently using IPTables and wondering if a purchased solution would solve this.  Thanks.

Thanks.
0
Comment
Question by:NYGiantsFan
  • 3
  • 2
8 Comments
 
LVL 3

Expert Comment

by:dbaideme
ID: 39169402
Really need further information. What traffic are you allowing in?

Are you positive a system inside the network has not been compromised and is initiating the connection?

How are you seeing the UDP connection/traffic?
0
 
LVL 61

Expert Comment

by:gheist
ID: 39180693
What kind of firewall?
Can you show log message pointing to rule that is expected to block named traffic?
UpNp ?
0
 

Author Comment

by:NYGiantsFan
ID: 39205755
I am seeing the UDP packet from an IDs.  The ids alert indicates that the packet is originating from an external IP address and the destination is a private IP (10.16.0.3).

My guess is that they are shooting the packet through the external IP address and a selected port.

The firewall is IPtables.  I don't think anything is being blocked.  I do not have a copy of the IPtables config file.  (Network team is being difficult and living in denial)

Any insight you have would be great.
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 39206932
They can hardly route RFC 1918 network over internet.
You should filter those networks (drop) at border all ways possible.
Most likely it already passed nat, e.g somebody runs bittorrent client, that sends UDP out and NAT gets response UDP back.
0
 

Author Comment

by:NYGiantsFan
ID: 39207832
Sorry, I don't understand what you mean by "They can hardly route RFC 1918 network over the internet".


I think what is happening is they are firing packets into the external IP address through a port (maybe they are guessing) and it is being translated by the NAT into local IP address.
0
 
LVL 61

Expert Comment

by:gheist
ID: 39211946
No way packets destined to 10/8 get over internet to you.
If your firewall opens listeners on all ports  like that it is seriously flawed (maybe made in 1996, butnot after)
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video discusses moving either the default database or any database to a new volume.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now