RE: Spoof Attack

• From: Paul@xxxxxxxxxxxxx
• To: isalist@xxxxxxxxxxxxx
• Date: Tue, 21 Aug 2001 20:41:37 +0100

Well, if the IP address is outside your network and not from any IP that's
supposed to be communicating with you then "yes" you're getting attacked.
You can get scan and half-scan "attacks" from DNS servers that aren't really
attacking you but I've not come across anything producing a false spoof.

Of course, I'm probably wrong... Tom?

Paul Stratford
Systems Manager
PI Global/PI Design

> ----------
> From:         Kelli Irwin
> Reply To:     [ISAserver.org Discussion List]
> Sent:         Tuesday, August 21, 2001 8:10 PM
> To:   [ISAserver.org Discussion List]
> Subject:      [isalist] Spoof Attack
> 
> http://www.ISAserver.org
> 
> 
> Hi All,
> 
> I am relatively new to this "game" so please take it easy on me.  :-)
> I am getting almost endless Application Log Warning messages.
>       
> We will get these Application Event Log Warnings over several hours, as
> few as 1 or 2 a minute and as many as 1 every second:
>               
>               "ISA Server detected a spoof attack from Internet
> Protocol (IP) address xxx.xxx.xxx.xxx. 
>               A spoof attack occurs when an IP address that is not
> reachable via the interface on which 
>               the packet was received. If logging for dropped packets
> is set, you can view details in 
>               the packet filter log."
> 
> 
> This sometimes causes an interruption of Internet service.  If I try to
> reach a Web Site the browser will error-out.  When it does I will then
> get this Application Event Log Error:
> 
>               "The ISA Server services cannot create a packet filter
> xxx.xxx.xxx.xxx. 
>               This event occurs when there is a conflict between the
> Local Address 
>               Table (LAT) configuration and the Windows 2000 routing
> table. Check 
>               the routing table and the LAT to find the source of the
> conflict."
> 
> The pattern is then that the Spoof messages will stop for a bit... then
> the whole cycle will start over.
> 
> Could this be caused by our network being configured incorrectly?  Are
> there tools available that I can use to figure this out?  Is this just a
> plain ol' Spoof Attack?
> I will add that we are running our own Exchange Server and also hosting
> our own Web Site.
> 
> Any help will be appreciated.
> 
> Thanks,
> 
> Kelli M. Irwin
> 
> 
> 
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> paul@xxxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
> 
> 

Other related posts:

• » Spoof Attack
• » Re: Spoof Attack
• » RE: Spoof Attack
• » Spoof Attack
• » Re: Spoof Attack
• » Spoof Attack
• » RE: Spoof Attack
• » RE: Spoof Attack
• » RE: Spoof Attack
• » RE: Spoof Attack
• » RE: Spoof Attack
• » RE: Spoof Attack
• » RE: Spoof Attack
• » RE: Spoof Attack
• » Spoof Attack
• » RE: Spoof Attack
• » RE: Spoof Attack
• » Spoof Attack ?
• » Re: Spoof Attack ?
• » Re: Spoof Attack ?
• » Re: Spoof Attack ?
• » Re: Spoof Attack ?

1. Home
2. isalist
3. Archive
4. 08-2001

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---