RE: Spoof Attack (Kelli Irwin)
- From: "cismic" <cismic@xxxxxxx>
- To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
- Date: Tue, 21 Aug 2001 14:23:42 -0700
If the ip address in xxx.xxx.xxx.xxx is an internal address then you
could have a DNS configuration issue.
Got to http://www.isaserver.org and select the message boards. Once at
the message boards issue a search and search for spoofs and dns.
Joseph
-----Original Message-----
From: Carlos Mauricio Perez Cortes [mailto:mauriciop@xxxxxxxxxxxx]
Sent: Tuesday, August 21, 2001 1:53 PM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] Spoof Attack (Kelli Irwin)
Importance: High
Hello Kelli,
I'm having exactly the same problem you're suffering. I sent 2 messages
to ISA Server discussion list but I didn't get a response.
CARLOS MAURICIO PEREZ C.
Soporte Técnico
<mailto:mauriciop@xxxxxxxxxxxx>
http://www.solosoft.com
SoloSoft Ltda.
AV. 9 No 126-30 OF. 703
(PBX: +57(1) - 523 09 90
ÊFAX: +57(1) - 523 09 80
ÈCEL: +57(1) - 325 53 18
BOGOTA, D.C. - COLOMBIA
-----Original Message-----
From: Kelli Irwin [mailto:kirwin@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Martes 21 de Agosto de 2001 02:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Spoof Attack
http://www.ISAserver.org
Hi All,
I am relatively new to this "game" so please take it easy on me. :-)
I am getting almost endless Application Log Warning messages.
We will get these Application Event Log Warnings over several hours, as
few as 1 or 2 a minute and as many as 1 every second:
"ISA Server detected a spoof attack from Internet
Protocol (IP) address xxx.xxx.xxx.xxx.
A spoof attack occurs when an IP address that is not
reachable via the interface on which
the packet was received. If logging for dropped packets
is set, you can view details in
the packet filter log."
This sometimes causes an interruption of Internet service. If I try to
reach a Web Site the browser will error-out. When it does I will then
get this Application Event Log Error:
"The ISA Server services cannot create a packet filter
xxx.xxx.xxx.xxx.
This event occurs when there is a conflict between the
Local Address
Table (LAT) configuration and the Windows 2000 routing
table. Check
the routing table and the LAT to find the source of the
conflict."
The pattern is then that the Spoof messages will stop for a bit... then
the whole cycle will start over.
Could this be caused by our network being configured incorrectly? Are
there tools available that I can use to figure this out? Is this just a
plain ol' Spoof Attack?
I will add that we are running our own Exchange Server and also hosting
our own Web Site.
Any help will be appreciated.
Thanks,
Kelli M. Irwin
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mauriciop@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
