Strange traffic log entry involving the DoD?
I recently put in (a couple of months ago) a couple of Netscreen 25 firewalls. A very rudimentary setup with a NAT to a private subnet and NSRP-Lite running.
A complaint was brought to me this morning that browsing the web was a little slow. I started browsing through the traffic logs in the web interface and found nothing abnormal at first. I set the screen to display 100 entries at a time, then when I scrolled to the bottom of my screen, I saw this (formatted to fit this forum):
Date/Time 2007-08-27 15:57:05 (changes with each refresh)
Source 6.x.x.x:5672 (DoD NIC IP#1)
Destination 6.x.x.x:771 (DoD NIC IP IP#2)
Translated source 6.x.x.x:89 (DoD NIC IP IP#1)
Translated dest. 64.105.x.x:56884 (a Covad owned IP address)
Service IP PROTOCOL 105
Duration 6914240 sec.
Bytes sent 50528328
Bytes received 5902516
This entry, which is dated in the future, appears at the bottom of every one of the following screens of my log. Not only is the date set in the future, but if I refresh, the date changes with each refresh.
The source and translated source IPs remain the same with each refresh; however, the source IP's port changes.
The destination IP and port changes with each refresh.
The translated destination IP and port remains the same. While this IP is a Covad owned IP address, all the others appear to be in the 6.x.x.x block of addresses, which is owned by the Department of Defense.
Has anyone else seen this before? I’m not sure what to make of it. I’m thinking (hoping) that it’s a bug.
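The entry listed above has several independently checkable oddities: a timestamp later than the time the log was viewed, a session longer than the firewall has been up, a protocol number a NATed office LAN should never emit, port numbers on a protocol that has no ports, and a source address that is not in the trust-zone subnet. The following Python is an added example, not code from this thread or from Juniper: it parses records in the "Field value" layout shown above and flags those properties. The trust subnet, the viewing time, the 70-day uptime, and the concrete addresses standing in for the masked 6.x.x.x and 64.105.x.x values are all constructed assumptions.

```python
"""Sanity checks over NetScreen-style traffic log records (added example).

Everything marked 'assumption' is constructed for the example and not
taken from the original post.
"""
import ipaddress
import re
from datetime import datetime, timedelta

TRUST_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: the NATed LAN
VIEWED_AT = datetime(2007, 3, 10, 9, 0, 0)             # assumption: when the log was read
DEVICE_UPTIME = timedelta(days=70)                      # assumption: "a couple of months"

KNOWN_PROTOCOLS = {"TCP", "UDP", "ICMP"}   # what a NATed LAN is expected to emit
PORT_PROTOCOLS = {"TCP", "UDP"}            # only these carry port numbers
PROTO_NUMBERS = {1: "ICMP", 6: "TCP", 17: "UDP"}
SERVICE_PROTOCOL = {"HTTP": "TCP", "HTTPS": "TCP", "SSH": "TCP",
                    "DNS": "UDP", "PING": "ICMP"}

FIELD_RE = re.compile(
    r"^(Date/Time|Source|Destination|Translated source|Translated dest\.|"
    r"Service|Duration|Bytes sent|Bytes received)\s+(.*)$"
)
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
REQUIRED = {"Date/Time", "Source", "Destination", "Translated source",
            "Translated dest.", "Service", "Duration"}


def _endpoint(value):
    """'1.2.3.4:5672' -> (IPv4Address, 5672)."""
    m = ENDPOINT_RE.match(value)
    if not m:
        raise ValueError(f"unparseable endpoint {value!r}")
    return ipaddress.ip_address(m.group(1)), int(m.group(2))


def _protocol(service):
    """Map the Service column to a transport name; unknown numbers stay visible."""
    m = re.match(r"IP PROTOCOL (\d+)$", service, re.IGNORECASE)
    if m:
        n = int(m.group(1))
        return PROTO_NUMBERS.get(n, f"proto-{n}")
    name = service.upper()
    return SERVICE_PROTOCOL.get(name, name)


def parse_record(text):
    """Parse one 'Field value' block; trailing '(notes)' like the poster's are dropped."""
    raw = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            raw[m.group(1)] = re.sub(r"\s*\([^)]*\)$", "", m.group(2))
    missing = REQUIRED - raw.keys()
    if missing:
        raise ValueError(f"record is missing {sorted(missing)}")
    src, sport = _endpoint(raw["Source"])
    dst, dport = _endpoint(raw["Destination"])
    xsrc, xsport = _endpoint(raw["Translated source"])
    xdst, xdport = _endpoint(raw["Translated dest."])
    return {
        "time": datetime.strptime(raw["Date/Time"], "%Y-%m-%d %H:%M:%S"),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "xsrc": xsrc, "xsport": xsport, "xdst": xdst, "xdport": xdport,
        "proto": _protocol(raw["Service"]),
        "duration": timedelta(seconds=int(raw["Duration"].split()[0])),
        "bytes_sent": int(raw.get("Bytes sent", "0")),
        "bytes_received": int(raw.get("Bytes received", "0")),
    }


def check_record(rec, viewed_at=VIEWED_AT, uptime=DEVICE_UPTIME, trust_nets=TRUST_NETS):
    """Return the list of reasons a record from a Trust->Untrust policy looks wrong."""
    findings = []
    if rec["time"] > viewed_at:
        findings.append("timestamp is in the future")
    if rec["duration"] > uptime:
        findings.append("session duration exceeds device uptime")
    if rec["proto"] not in KNOWN_PROTOCOLS:
        findings.append(f"unexpected protocol {rec['proto']}")
    if rec["proto"] not in PORT_PROTOCOLS and any(
            rec[k] for k in ("sport", "dport", "xsport", "xdport")):
        findings.append("port numbers on a protocol that has no ports")
    if not any(rec["src"] in net for net in trust_nets):
        findings.append(f"source {rec['src']} is not in a trust-zone subnet")
    return findings


def analyze(log_text):
    """Split blank-line-separated records and check each one."""
    blocks = [b for b in re.split(r"\n\s*\n", log_text.strip()) if b.strip()]
    return [check_record(parse_record(b)) for b in blocks]


# Constructed sample: one ordinary web session, then a record with the
# poster's values and placeholder addresses for the masked ones.
SAMPLE_LOG = """\
Date/Time 2007-03-10 08:58:41
Source 192.168.1.20:41522
Destination 203.0.113.5:80
Translated source 64.105.0.1:41522
Translated dest. 203.0.113.5:80
Service HTTP
Duration 12 sec.
Bytes sent 1420
Bytes received 9811

Date/Time 2007-08-27 15:57:05 (changes with each refresh)
Source 6.0.0.1:5672 (placeholder for DoD NIC IP#1)
Destination 6.0.0.2:771 (placeholder for DoD NIC IP#2)
Translated source 6.0.0.1:89 (placeholder for DoD NIC IP#1)
Translated dest. 64.105.0.2:56884 (placeholder for the Covad address)
Service IP PROTOCOL 105
Duration 6914240 sec.
Bytes sent 50528328
Bytes received 5902516
"""

if __name__ == "__main__":
    for i, findings in enumerate(analyze(SAMPLE_LOG), 1):
        print(f"record {i}: {findings or 'ok'}")
```

Running it against the e-mailed logs is the natural follow-up: a record that the web interface shows but the exported logs lack is itself worth noting when opening a case. The sniffer check the poster describes later in the thread is the complementary test: a capture filter of `ip proto 105` on the untrust leg should stay empty if the entry is only a display bug.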
We have seen the same issue on many FWs in production, though most of the time the source/destination IPs and ports are unintelligible.
5.3.0r3.0 is due out end of March.
Oh well… I received a response from JTAC. I’m posting it here for anyone else who may have this really odd issue in the future.
“After discussing this issue with tier 2, it was brought to my attention that this is a bug that engineering is already aware of. This is slated for fix in an upcoming release (5.3.0r3).”
Also, I have been running a sniffer on that same leg and I haven’t found that odd traffic which (I guess) confirms that it’s a bug with the Netscreen.
PM me for a phone number I have if you can’t get to anyone there.
Thanks for the reply…
Adding another oddity… I just searched all the traffic logs that are regularly e-mailed to me from the Netscreen, and I couldn’t find any trace of the entries I had noted above. They still appear on the Netscreen Web interface though, but again only if I set it to “List 100 per page”.
Can you tell where the traffic is coming from on your network? IP Protocol 105 is SCPS, which I believe is a protocol to encapsulate serial data in IP.
Contact the NOC at http://www.disa.mil, they handle the internet access and some of the security for the DoD. I had another number around here which was a line into the Pentagon for network security issues, but I cannot find it. You should at least alert DISA to what you are seeing so they can investigate it.
Save all of your logs for them.
Forgot to mention… this entry (entries) was in my Trust(any) -> Untrust(any) policy traffic log. I never cared for restricting traffic from trust to untrust, but I suppose I should now. :?