It's either:
1. backscatter from Nachi
2. script kiddies having fun

ISA blocked it even though your ISP didn't. Bitch at them and otherwise be kewl; ISA is doing its job.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: <Jeff.Butte@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, November 06, 2003 08:55
Subject: [isalist] ISA Server alert: The IP packet source address is not valid.

I am hoping someone has run across this one before. I am a bit stymied at the moment and of course paranoid. I am supporting a small office that is randomly getting the following error. The frequency is starting to increase (every few hours, sometimes twice an hour) but not with any consistency. I cannot find any indicator that I can correlate it to either.

    ISA Server detected a spoof attack from Internet Protocol (IP) address 127.0.0.1. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.

The packet filter logs all show the source IP as 127.0.0.1 and destination as the external interface IP. The source port is always 80 and the destination is a random port (so far) above 1024.

The server is hosting a web site and publishes a few things behind it (SMTP, POP3 SSH, WEBMAIL, ILS, LDAP) it has packet filters for VPN, MMS and functions as their H.323 gateway (yep... they are getting full functionality out of this product)

* Several maintenance processes run, but nothing that should trigger the error.
* Has updated antivirus and full scans are clean.
* Anti trojan scans came up clean.
* Nothing obvious in the registry.
* No correlation from error to VPN clients.
* No WINS entry on external NIC
* No major config changes around the time this started. No changes were made the day the first error was recorded. Only changes prior were a new web publishing rule and publishing ssh.
* No odd attacks in the packet filter logs (nothing more than usual)

I am currently running netmon traces on the internal and external NIC, but I am not finding anything that stands out and nothing entered as the loopback address. I have been slowly turning off any non business critical functions and rules to try and isolate this, but so far... I will be rebuilt in a few months.. I was hoping not to have to accelerate that but...

Any thoughts?

- Jeff
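
A triage sketch for the pattern described in the original message (loopback source, source port 80, high destination port on the external interface), added here as an example and not part of the thread. The whitespace-separated log layout, the DROP action label and the 203.0.113.10 external address are assumptions made for illustration, not ISA Server's native packet filter log format.

```python
import ipaddress
from collections import Counter

# Constructed sample rows (not real ISA output): date, time, source IP,
# source port, destination IP, destination port, protocol, action.
SAMPLE_LOG = """\
2003-11-06 06:12:41 127.0.0.1 80 203.0.113.10 1938 TCP DROP
2003-11-06 06:47:03 127.0.0.1 80 203.0.113.10 4471 TCP DROP
2003-11-06 07:15:22 198.51.100.7 3312 203.0.113.10 135 TCP DROP
2003-11-06 08:55:09 127.0.0.1 80 203.0.113.10 2210 TCP DROP
2003-11-06 09:01:55 127.0.0.1 1045 203.0.113.10 80 TCP DROP
malformed line
"""

EXTERNAL_IP = "203.0.113.10"  # assumed external interface address


def parse(line):
    """Return a dict for a well-formed row, or None for anything else."""
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time, src, sport, dst, dport, proto, action = parts
    try:
        return {"hour": f"{date} {time[:2]}:00",
                "src": ipaddress.ip_address(src), "sport": int(sport),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto, "action": action}
    except ValueError:
        return None


def matches_thread_pattern(row, external_ip=EXTERNAL_IP):
    """Loopback source, source port 80, high port on the external IP."""
    return (row["action"] == "DROP" and row["src"].is_loopback
            and row["sport"] == 80 and row["dport"] > 1024
            and row["dst"] == ipaddress.ip_address(external_ip))


def triage(log_text):
    """Count pattern hits per hour; collect every other parsed row."""
    per_hour, other = Counter(), []
    for line in log_text.splitlines():
        row = parse(line)
        if row is None:
            continue  # skip rows that do not parse
        if matches_thread_pattern(row):
            per_hour[row["hour"]] += 1
        else:
            other.append(row)
    return per_hour, other
```

Calling triage(SAMPLE_LOG) returns the hourly count of rows matching the pattern plus the remaining rows; a loopback-sourced row that lands in the second list (such as the 09:01:55 sample) does not fit the pattern and is the one to examine by hand.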