
My firewall (Juniper SRX) caught outbound flows using vulnerable ports that are known to be used for things like Trojans, Windows Backdoor, and NHL 2013. One thing that looks odd is that the flows are using the ICMP protocol. This has been ongoing a few times every day.

I am running an updated Squid Proxy on Ubuntu 16.04. Automatic updates are disabled and the host-based firewall has a default deny inbound/outbound with only port 80 to specific IPs allowed outbound. Before I grab my baseball bat, can anybody explain or confirm the Squid behavior, or Ubuntu background behavior related to HTTP traffic?

Below is a copy of the flow sessions for one day; IPs have been obscured except for the Ubuntu mirrors (91.189.x.x). If you match up the timestamps you can see that there was a denied session every time a permitted session was created. I was not running any updates or generating HTTP traffic from the hosts on this day, which makes me wonder what Ubuntu is doing in the background.

IP Addresses

8.8.8.8 = Public IP Gateway
10.1.1.1 = Squid Proxy (RFC1918 using source NAT --> 8.8.8.8)
192.168.1.1 = Host
192.168.1.2 = Host
192.168.1.3 = Host

DENIED FLOWS

Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1024->91.189.91.23/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1280->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1536->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny

PERMITTED FLOWS

Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.1/60542->10.1.1.1/3128 0x0 None 192.168.1.1/60542->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan2 vlan1 42568 N/A(N/A) irb.888 UNKNOWN UNKNOWN UNKNOWN
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.1/60544->10.1.1.1/3128 0x0 None 192.168.1.1/60544->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan2 vlan1 31115 N/A(N/A) irb.888 UNKNOWN UNKNOWN UNKNOWN
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/49848->91.189.91.23/80 0x0 junos-http 8.8.8.8/14971->91.189.91.23/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 42939 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/44144->91.189.88.161/80 0x0 junos-http 8.8.8.8/6230->91.189.88.161/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 51879 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.2/40484->10.1.1.1/3128 0x0 None 192.168.1.2/40484->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan3 vlan1 2335 N/A(N/A) irb.999 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.2/40486->10.1.1.1/3128 0x0 None 192.168.1.2/40486->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan3 vlan1 2911 N/A(N/A) irb.999 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/60168->91.189.88.152/80 0x0 junos-http 8.8.8.8/8175->91.189.88.152/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 36604 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/55918->91.189.91.26/80 0x0 junos-http 8.8.8.8/15149->91.189.91.26/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 35417 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.3/49654->10.1.1.1/3128 0x0 None 192.168.1.3/49654->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan4 vlan1 34295 N/A(N/A) irb.777 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.3/49656->10.1.1.1/3128 0x0 None 192.168.1.3/49656->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan4 vlan1 27823 N/A(N/A) irb.777 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.1.3/49658->10.1.1.1/3128 0x0 None 192.168.1.3/49658->10.1.1.1/3128 0x0 N/A N/A N/A N/A 6 permit-squid vlan4 vlan1 51168 N/A(N/A) irb.777 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/55920->91.189.91.26/80 0x0 junos-http 8.8.8.8/12063->91.189.91.26/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 42058 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/45708->91.189.88.162/80 0x0 junos-http 8.8.8.8/24070->91.189.88.162/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 61718 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 10:46:47  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/45710->91.189.88.162/80 0x0 junos-http 8.8.8.8/27295->91.189.88.162/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 23309 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
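As an added triage example (not part of the question or of any answer), the script below parses Junos RT_FLOW lines like the ones above, pairs each denied session with permitted sessions from the same source to the same destination within a two-second window, and labels ICMP denies by protocol and type: `icmp 1(8)` is protocol 1, type 8, an echo request, and for ICMP sessions Junos fills the two `/port` slots with ICMP header fields rather than TCP/UDP ports, so port-based signature names do not apply to them. The sample log is constructed from the question's own lines plus one invented TCP deny (203.0.113.9); an echo request from the proxy host right before an HTTP fetch to the same server is the pattern Squid's optional `pinger` helper (squid.conf `pinger_enable`) produces, so that is the setting to check first.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the Junos RT_FLOW lines quoted in the question
# (IPs are the question's obscured values; the last line is an invented TCP deny).
SAMPLE_LOG = """\
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1024->91.189.91.23/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 03:53:37  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/49848->91.189.91.23/80 0x0 junos-http 8.8.8.8/14971->91.189.91.23/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 42939 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/1280->91.189.91.26/42518 0x0 icmp 1(8) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
Oct 15 08:06:20  firewall RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.1.1.1/55918->91.189.91.26/80 0x0 junos-http 8.8.8.8/15149->91.189.91.26/80 0x0 source rule r1 N/A N/A 6 permit-http vlan1 uplink 35417 N/A(N/A) irb.420 UNKNOWN UNKNOWN UNKNOWN
Oct 15 12:00:00  firewall RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.1.1.1/50000->203.0.113.9/443 0x0 junos-https 6(0) deny vlan1 uplink UNKNOWN UNKNOWN N/A(N/A) irb.420 UNKNOWN policy deny
"""

# Syslog timestamp, then the pre-NAT 5-tuple and service name; DENY lines add "proto(icmp-type)".
TUPLE = r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) \S+ (?P<svc>\S+)"
TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
DENY_RE = re.compile(TS + r" .*RT_FLOW_SESSION_DENY: session denied " + TUPLE + r" (?P<proto>\d+)\((?P<icmp_type>\d+)\)")
CREATE_RE = re.compile(TS + r" .*RT_FLOW_SESSION_CREATE: session created " + TUPLE)

def parse(log_text):
    """Split a log into (denied, created) event dicts with parsed timestamps."""
    denies, creates = [], []
    for line in log_text.splitlines():
        for regex, bucket in ((DENY_RE, denies), (CREATE_RE, creates)):
            m = regex.search(line)
            if m:
                ev = m.groupdict()
                ev["time"] = datetime.strptime(ev.pop("ts"), "%b %d %H:%M:%S")
                bucket.append(ev)
                break
    return denies, creates

def describe_deny(ev):
    """Human-readable label; for ICMP the two "/port" slots carry ICMP header fields, not ports."""
    if ev["proto"] == "1":
        kind = "echo request" if ev["icmp_type"] == "8" else "type " + ev["icmp_type"]
        return f"ICMP {kind} (/{ev['sport']} and /{ev['dport']} are ICMP header fields, not TCP/UDP ports)"
    return f"{ev['svc']} proto {ev['proto']} to port {ev['dport']}"

def correlate(log_text, window_s=2):
    """For every denied session, list permitted sessions with the same src/dst within window_s seconds."""
    denies, creates = parse(log_text)
    report = []
    for d in denies:
        paired = [f"{c['svc']}/{c['dport']}" for c in creates
                  if (c["src"], c["dst"]) == (d["src"], d["dst"])
                  and abs((c["time"] - d["time"]).total_seconds()) <= window_s]
        report.append({"time": d["time"].strftime("%b %d %H:%M:%S"), "src": d["src"],
                       "dst": d["dst"], "what": describe_deny(d), "paired_with": paired})
    return report
```

Run `correlate(open("flows.log").read())` against a real export; a deny that pairs with nothing is the one worth a packet capture, while the paired echo requests point back at the proxy's own configuration.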
  • Any process can use any port above 1024 for any purpose. The various services listed for ports are "by convention." They are gentlemen's agreements that most programs try to adhere to but are not enforceable in any way. I wouldn't jump to the conclusion that the traffic is malicious based solely on the port number. – DocSalvager Oct 21 '17 at 01:32
  • I understand that the registered port range starts at 1024. Can anybody confirm that squid proxy will try to ping destination hosts on one of these ports before sending traffic? – Kev Nov 04 '17 at 21:32
  • I would test with some packet captures, but I shut down my proxy server to isolate my hosts. I also turned off apt update-package-lists on one of the hosts to confirm whether that was generating the unknown HTTP traffic. – Kev Nov 04 '17 at 21:40
