IP Spoofing help

  • From: Raji Arulambalam <rajia@xxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 4 Mar 2002 17:16:16 +1300 

Hi

I am getting the following events logged. The hosts named are all valid
internal/external  hosts.
The external NIC of the ISA server is bound with multiple valid IP#s
(Network 192.146.150.x).
Internal hosts have network numbers 192.168.x.x and 172.12.x.x. The ISA box
has static routes for the internal networks.

Can someone point me in a direction that I can check on whats gone wrong. I
have checked all our internal settings etc, but can see it. It could be
something simple that I have missed.

All help is appreciated.

Event Type:     Warning
Event Source:   Microsoft ISA Server Control
Event Category: Packet filter
Event ID:       15108
Date:           04/03/02
Time:           3:59:19 PM
User:           N/A
Computer:       CELERIS
Description:
ISA Server detected a spoof attack from Internet Protocol (IP) address
192.168.186.12. A spoof attack occurs when an IP address that is not
reachable via the interface on which the packet was received. If logging for
dropped packets is set, you can view details in the packet filter log. 
Data:
0000: 1f 00 00 00               ....    

3/4/2002, 15:45:57, 192.168.186.12, 192.146.150.70, Udp, 10809, 53, -,
BLOCKED, 192.146.150.3, -, -
3/4/2002, 15:45:58, 192.168.186.12, 192.146.150.70, Udp, 10809, 53, -,
BLOCKED, 192.146.150.3, -, -
3/4/2002, 15:46:00, 192.168.186.12, 192.146.150.70, Udp, 10809, 53, -,
BLOCKED, 192.146.150.3, -, -
3/4/2002, 15:46:02, 192.168.186.12, 192.146.150.70, Udp, 10809, 53, -,
BLOCKED, 192.146.150.3, -, -
3/4/2002, 15:46:06, 192.168.186.12, 192.146.150.70, Udp, 10809, 53, -,
BLOCKED, 192.146.150.3, -, -
3/4/2002, 15:46:15, 192.168.186.12, 192.146.150.100, Udp, 10812, 53, -,
Spoof, 192.146.150.3, -, -
3/4/2002, 15:46:16, 192.168.186.12, 192.146.150.100, Udp, 10812, 53, -,
Spoof, 192.146.150.3, -, -
3/4/2002, 15:46:17, 192.168.186.12, 192.146.150.100, Udp, 10812, 53, -,
Spoof, 192.146.150.3, -, -
3/4/2002, 15:46:19, 192.168.186.12, 192.146.150.100, Udp, 10812, 53, -,
Spoof, 192.146.150.3, -, -
3/4/2002, 15:46:23, 192.168.186.12, 192.146.150.100, Udp, 10812, 53, -,
Spoof, 192.146.150.3, -, -


---------------------------------------------
  Raji Arulambalam       
  Systems Administrator          
  Bay of Plenty REGIONAL Council 
  P O Box 364 Whakatane.
  NEW ZEALAND  
  Phone: 0800 ENV BOP (0800 368 267) +64 7 922 3390
  Fax:    0800 ENV FAX (0800 368 329) +64 7 922 3393
  http://envbop.govt.nz
--------------------------------------------
Bad style destroys an otherwise superb program.



******************************************************
This e-mail has been checked for viruses and no viruses were detected.

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 03-2002