Re: ISA Server alert: The IP packet source address is not valid.

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 7 Nov 2003 08:22:05 -0800

It's either:
1. backscatter from Nachi
2. script kiddies having fun

ISA blocked it even though your ISP didn't.
Bitch at them and otherwise be kewl; ISA is doing its job.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: <Jeff.Butte@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, November 06, 2003 08:55
Subject: [isalist] ISA Server alert: The IP packet source address is not valid.


http://www.ISAserver.org

I am hoping someone has run across this one before.  I am a bit stymied at
the moment and of course paranoid.  I am supporting a small office that is
randomly getting the following error.  The frequency is starting to
increase (every few hours, sometimes twice an hour) but not with any
consistency.  I cannot find any indicator that I can correlate it to
either.

ISA Server detected a spoof attack from Internet Protocol (IP) address
127.0.0.1. A spoof attack occurs when an IP address that is not reachable
via the interface on which the packet was received. If logging for dropped
packets is set, you can view details in the packet filter log.

The packet filter logs all show the source IP as 127.0.0.1 and destination
as the external interface IP.  The source port is always 80 and the
destination is a random port (so far) above 1024.

The server is hosting a web site and publishes a few things behind it
(SMTP, POP3, SSH, WEBMAIL, ILS, LDAP); it has packet filters for VPN, MMS
and functions as their H.323 gateway (yep... they are getting full
functionality out of this product).

*  Several maintenance processes run, but nothing that should trigger the
error.
*  Has updated antivirus and full scans are clean.
*  Anti-trojan scans came up clean.
*  Nothing obvious in the registry.
*  No correlation from error to VPN clients.
*  No WINS entry on external NIC
*  No major config changes around the time this started. No changes were
made the day the first error was recorded.  Only changes prior were a new
web publishing rule and publishing ssh.
*  No odd attacks in the packet filter logs (nothing more than usual)

I am currently running netmon traces on the internal and external NIC, but
I am not finding anything that stands out and nothing entered as the
loopback address.

I have been slowly turning off any non business critical functions and
rules to try and isolate this, but so far...

It will be rebuilt in a few months... I was hoping not to have to accelerate
that but...

Any thoughts?

- Jeff
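The check ISA is applying here is the one the alert text describes: a packet whose source address could not legitimately have arrived on the interface that received it (127.0.0.1 can only ever originate on the host itself, so on the external NIC it is a spoof by definition). As an added example, not code from this thread or from ISA Server, the script below runs that check over dropped-packet records and also labels the port pattern Jeff describes (source port 80 to a random port above 1024, which is the shape of a server's reply rather than a request). The record layout, the interface names "External"/"Internal", the 192.168.1.0/24 internal network and all addresses (RFC 5737 documentation ranges, with 198.51.100.10 standing in for the firewall's external IP) are constructed assumptions.

```python
"""Anti-spoof check over dropped-packet records (added example; the record
layout is an assumed simplified form, not ISA Server's packet filter log)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records. Assumed fields:
# date time interface proto src_ip src_port dst_ip dst_port action
SAMPLE_LOG = """\
2003-11-06 08:41:12 External TCP 127.0.0.1 80 198.51.100.10 3477 DROP
2003-11-06 08:41:13 External TCP 203.0.113.25 4123 198.51.100.10 25 ALLOW
2003-11-06 09:02:51 External TCP 10.0.0.7 4567 198.51.100.10 80 DROP
2003-11-06 09:15:03 Internal TCP 192.168.1.20 1055 198.51.100.10 443 ALLOW
2003-11-06 10:07:44 Internal TCP 203.0.113.9 80 192.168.1.20 1099 DROP
2003-11-06 10:30:00 External TCP 127.0.0.1 80 198.51.100.10 2201 DROP
"""

# Constructed internal LAN behind the firewall (assumption).
INTERNAL_NETS = [ipaddress.IPv4Network("192.168.1.0/24")]
RFC1918_NETS = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    timestamp: str
    interface: str
    proto: str
    src: ipaddress.IPv4Address
    src_port: int
    dst: ipaddress.IPv4Address
    dst_port: int


def parse_line(line: str) -> Optional[Packet]:
    """Parse one record; return None for blank or malformed lines."""
    f = line.split()
    if len(f) < 9:
        return None
    try:
        return Packet(f"{f[0]} {f[1]}", f[2], f[3],
                      ipaddress.IPv4Address(f[4]), int(f[5]),
                      ipaddress.IPv4Address(f[6]), int(f[7]))
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def spoof_reason(pkt: Packet, internal_nets, external_if: str = "External") -> Optional[str]:
    """Explain why the source cannot legitimately arrive on pkt.interface,
    or return None when it is plausible for that interface."""
    src = pkt.src
    if pkt.interface == external_if:
        if src.is_loopback:
            return "loopback source on external interface"
        if src.is_unspecified or src.is_multicast or src.is_link_local:
            return "non-unicast/unspecified source on external interface"
        if any(src in net for net in internal_nets):
            return "internal-network source on external interface"
        if any(src in net for net in RFC1918_NETS):
            return "RFC 1918 source on external interface"
        return None
    # Internal-side interface: only the configured internal networks belong here.
    if not any(src in net for net in internal_nets):
        return "source outside internal networks on internal interface"
    return None


def traffic_shape(pkt: Packet) -> str:
    """A well-known source port talking to an ephemeral destination port is
    the shape of a server reply (the pattern in Jeff's logs: 80 -> >1024)."""
    if pkt.src_port < 1024 and pkt.dst_port >= 1024:
        return "reply-shaped"
    return "request-shaped"


def find_spoofed(log_text: str, internal_nets=INTERNAL_NETS) -> List[dict]:
    """One finding per record whose source fails the interface check."""
    findings = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        reason = spoof_reason(pkt, internal_nets)
        if reason:
            findings.append({"time": pkt.timestamp, "interface": pkt.interface,
                             "src": str(pkt.src), "src_port": pkt.src_port,
                             "dst_port": pkt.dst_port, "reason": reason,
                             "shape": traffic_shape(pkt)})
    return findings


def summarize(findings: List[dict]) -> Counter:
    """Count findings by (source, reason) so a recurring pattern stands out."""
    return Counter((f["src"], f["reason"]) for f in findings)


if __name__ == "__main__":
    found = find_spoofed(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['interface']:8} {f['src']}:{f['src_port']} -> "
              f":{f['dst_port']}  {f['reason']} ({f['shape']})")
    for (src, reason), n in summarize(found).items():
        print(f"{n}x {src}: {reason}")
```

Every record the check flags is one the firewall should drop regardless of what sent it, which is Jim's point: the entries are evidence the filter is working, and the only upstream fix is ingress filtering at the ISP. The per-source summary is what makes a steady trickle of identical drops (same source, same reason, same reply-shaped ports) visible as one pattern rather than a series of unrelated alerts.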

