This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chinmaya_Naik
Advisor
‎2023-06-25 09:37 AM

Same source and destination (GW only) Invalid TCP flag combination (Mailformed Packet)

Dear Team,

Query 1: is this a default protection (Part of the access control policy) ?

Query 2: Why does GW send traffic to its own using Mgmt Port?

Query 3: What is the impact ?

Attack Name: Mailformed Packet
Attack Information: Invalid TCP flag combination
Protection Type: Protocol Animaly
Performance Impact: Very Low
Confidence Level: High
Severity:Medium
Industry reference: CAN-2002-1071
tcp_flags:PUSH-URG
Interface: Mgmt
interface Direction: Inbound
SRC IP: GW (10.10.10.2)
DST IP:GW (10.10.10.2)
Service: TCP/46039 (Destination Port)
Protocol: TCP (6) (6)
Threat Profile: No_protection_503******
Action: Detect

 

CP_FW_to_FW.jpeg

 

 

 

 

0 Kudos
4 Replies
Chinmaya_Naik
Advisor
‎2023-06-26 05:16 AM

DearCheckmates Team,

Please help me to clarify .

@Chinmaya_Naik 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2023-06-26 05:40 AM

This is part of the "Packet Sanity" protection in the "Inspection Settings" which are part of the Access Control policy and not Threat Prevention.

My initial take was that this is some kind of interprocess communication on the firewall using ephemeral ports that should have used the loopback/127.0.0.1 interface but used its own Mgmt interface instead.  The protection presumably doesn't like that the TCP flags PSH and URG are set but there is no ACK flag set.  It is not clear to me if this packet was originated by the firewall itself, or is some kind of spoofed packet coming in from the network.  Perhaps others can chime in.

Attend my 60-minute "Be your Own TAC: Part Deux" Presentation
Exclusively at CPX 2025 Las Vegas Tuesday Feb 25th @ 1:00pm
0 Kudos
Lloyd_Braun
Collaborator
‎2023-06-26 10:57 AM

I have seen these packets when a host tries to connect to the same hide NAT address that it is being hide NATted behind. I think it was iPhones trying to connect to each other when I saw it "in the wild."   You may be able to hunt down the original request by matching the destination port with the original post nat source port. *this is assuming you are hide NATting traffic behind your gateway's IP address

0 Kudos
Chinmaya_Naik
Advisor
‎2023-06-29 11:16 PM
In response to Lloyd_Braun

@Lloyd_Braun 

Thanks for the update.

Please clarify more on this.

As per the logs, Gateway is the source and destination also.

Service: TCP/46039 (Destination Port) which is not a registered port. 

As per @Timothy_Hall Sir it's using the Mgmt port which is a question.

I ran the  TCPDUMP with that PORT but no traffic.

Looks like it's one time log generated a few days back.

@Chinmaya_Naik 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events