Well, if the IP address is outside your network and not from any IP that's supposed to be communicating with you then "yes" you're getting attacked. You can get scan and half-scan "attacks" from DNS servers that aren't really attacking you but I've not come across anything producing a false spoof. Of course, I'm probably wrong... Tom? Paul Stratford Systems Manager PI Global/PI Design > ---------- > From: Kelli Irwin > Reply To: [ISAserver.org Discussion List] > Sent: Tuesday, August 21, 2001 8:10 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] Spoof Attack > > http://www.ISAserver.org > > > Hi All, > > I am relatively new to this "game" so please take it easy on me. :-) > I am getting almost endless Application Log Warning messages. > > We will get these Application Event Log Warnings over several hours, as > few as 1 or 2 a minute and as many as 1 every second: > > "ISA Server detected a spoof attack from Internet > Protocol (IP) address xxx.xxx.xxx.xxx. > A spoof attack occurs when an IP address that is not > reachable via the interface on which > the packet was received. If logging for dropped packets > is set, you can view details in > the packet filter log." > > > This sometimes causes an interruption of Internet service. If I try to > reach a Web Site the browser will error-out. When it does I will then > get this Application Event Log Error: > > "The ISA Server services cannot create a packet filter > xxx.xxx.xxx.xxx. > This event occurs when there is a conflict between the > Local Address > Table (LAT) configuration and the Windows 2000 routing > table. Check > the routing table and the LAT to find the source of the > conflict." > > The pattern is then that the Spoof messages will stop for a bit... then > the whole cycle will start over. > > Could this be caused by our network being configured incorrectly? Are > there tools available that I can use to figure this out? Is this just a > plain ol' Spoof Attack? > I will add that we are running our own Exchange Server and also hosting > our own Web Site. > > Any help will be appreciated. > > Thanks, > > Kelli M. Irwin > > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > paul@xxxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub') > >