So what must I do in this situation?

Best Regards
Andrey Silkin

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, October 29, 2003 5:20 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Well known scan-attack

http://www.ISAserver.org

This is a common script kiddie tool. It's designed to send your machine into a death-spiral of self-referencing responses, since the source and destination IPs will always alternate between the local machine (127.0.0.1 and your external IP).

ISA blocks it as spoofed, since it was received on a network interface. 127.0.0.1 is invalid except in the memory-mapped network inside the machine.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Wed, 29 Oct 2003 13:52:27 +0300 "Andrey Silkin" <silkin@xxxxxx> wrote:

Hi all!

Some days ago I received a strange notification:

ISA Server detected a well-known port scan attack from Internet Protocol (IP) address 127.0.0.1. A well-known port is any port in the range of 1-2048.

I don't understand how it can be. 127.0.0.1 is the local private address! It is impossible that somebody scanned my server from itself. Did anybody have the same notification?
Best Regards
Andrey Silkin

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
All mail from this domain is virus-scanned with RAV. www.ravantivirus.com
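
The spoof check Jim describes, as an added example that is not part of the original thread and not ISA Server's own code: a packet that arrives on a physical interface is dropped when its source or destination is a loopback address, or when its source is one of the host's own addresses. The interface names, the addresses (documentation ranges) and the packet tuples are constructed for illustration.

```python
import ipaddress

# Assumed name of the loopback interface; anything else counts as "on the wire".
LOOPBACK_IFACES = ("lo",)


def classify_ingress(iface, src, dst, local_addrs):
    """Return the reason a received packet is spoofed, or None if it passes.

    iface       -- interface the packet was received on
    src, dst    -- source / destination IP as strings
    local_addrs -- addresses configured on this host's own interfaces
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    own = {ipaddress.ip_address(a) for a in local_addrs}

    if iface in LOOPBACK_IFACES:
        return None  # loopback traffic never left the host
    # 127.0.0.0/8 is only valid inside the host, never on a network interface.
    if src_ip.is_loopback:
        return "loopback source on network interface"
    if dst_ip.is_loopback:
        return "loopback destination on network interface"
    # A packet from the wire cannot legitimately claim to come from this host.
    if src_ip in own:
        return "source is this host's own address"
    return None


def spoofed_packets(packets, local_addrs):
    """Return (packet, reason) for every packet that fails the check."""
    hits = []
    for pkt in packets:
        reason = classify_ingress(pkt[0], pkt[1], pkt[2], local_addrs)
        if reason:
            hits.append((pkt, reason))
    return hits


# Constructed sample: (interface, source IP, destination IP)
SAMPLE = [
    ("ext0", "127.0.0.1", "192.0.2.10"),     # the notification in the thread
    ("ext0", "192.0.2.10", "192.0.2.10"),    # claims to be the external IP itself
    ("ext0", "198.51.100.7", "192.0.2.10"),  # ordinary inbound traffic
    ("lo", "127.0.0.1", "127.0.0.1"),        # genuine loopback traffic
]

if __name__ == "__main__":
    for pkt, reason in spoofed_packets(SAMPLE, ["192.0.2.10", "10.0.0.1"]):
        print(pkt, "->", reason)
```
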