From my limited understanding of ISA server these messages mean that you don't have a real problem because the server is doing what it is suppose to do. It is stopping the attack, or blocking them. If it were not you would not get these alerts. As to how they work you need to get to some hacking sites and do some serious reading. Matt Kopf -----Original Message----- From: Carlos Mauricio Perez Cortes [mailto:mauriciop@xxxxxxxxxxxx] Sent: Wednesday, August 15, 2001 3:11 PM To: [ISAserver.org Discussion List] Subject: Urgent Help!!! Problems with IpHalfScan and Spoofing Attacks :o( Importance: High Hello Friends, I have been checking my ISA Server log files because I'm receiving a lot of alerts about IP Spoofing and IP Half Scan Attacks. I found the following suspicious entries in a log file called IPPEXTD20010814: #Fields: date time source-ip destination-ip protocol param#1 param#2 tcp-flags filter-rule interface ip-header payload 14/08/2001 20:58:41 128.2.24.41 200.14.207.98 Tcp 21 21 FIN SYN IpHalfScan 200.14.207.98 45 00 00 28 9a 02 00 00 1c 06 d5 31 80 02 18 29 c8 0e cf 62 00 15 00 15 6b 4a b1 1f 71 44 96 13 50 03 04 04 58 55 00 00 14/08/2001 22:09:57 200.14.207.98 200.14.207.98 ICMP 8 0 - Spoof 200.14.207.98 45 00 00 3c 7d 36 00 00 7b 01 93 a8 c8 0e cf 62 c8 0e cf 62 08 00 2c 5c 01 00 20 00 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69 Could you help me to understand that entries ?? Could you explain me how these attacks work ?? How can I block these attacks ?? Thanks for your help, CARLOS MAURICIO PEREZ C. Technical Support s: mauriciop@xxxxxxxxxxxx <mailto:mauriciop@xxxxxxxxxxxx> SoloSoft Ltda.