Re: ISA Server detected a spoof attack

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 14 Jan 2004 13:58:57 -0800

Smartass...
;-)

I have that little toy.  I even had one for my old PalmIII until it finally 
died and forced me to buy a Toshiba e750.
Of course, there's a difference between having and using.
It was one of those times when you look and say "I know what that is" and get 
proven painfully wrong.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "cismic" <cismic@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 14, 2004 13:21
Subject: [isalist] Re: ISA Server detected a spoof attack


http://www.ISAserver.org

Hi Jim,

SolarWinds has a free subnet calculator.
http://www.purenetworking.net/Products/SolarWinds/SolarWindsSE.htm

Joseph
----- Original Message ----- 
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 14, 2004 1:14 PM
Subject: [isalist] Re: ISA Server detected a spoof attack


> Don't feel bad; I had to eat a basic subnet miscalculation not too long ago...
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
>
>  Read the help, books and articles!
> ----- Original Message ----- 
> From: "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 14, 2004 13:02
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
>
> Yep, you're right. I transposed DNS and Default Gateway when I looked at
> them.
>
> Best Regards,
>
> Dan Bartley
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 14, 2004 15:45
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
> Actually, that's not the case.
>
> internal     = 172.16.10/24
> external    = 172.16.2/24
> Cisco       = 172.16.10.168
>
> The log data states that the packet was sent from the Cisco to the ISA
> "external" NIC.
> 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED,172.16.2.9
>
> According to the IP assignments, the Cisco is "internal", but the packet
> was received on the ISA external interface according to the
> log entry.  That's why I suggested a misplaced cable or broken VLAN.
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
>
>  Read the help, books and articles!
> ----- Original Message ----- 
> From: "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 14, 2004 12:20
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
>
> Not necessarily. Is the Cisco on the same private subnet as the external
> NIC of ISA, and is that different from the private subnet being used by
> the internal ISA NIC?
>
> Could be set up as a second level defense behind the Cisco and a
> firewall. That would allow for a private IP on the external NIC.
>
> What I see below from his ipconfig/all seems to indicate that is the
> case.
>
> Best Regards,
>
> Dan Bartley
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 14, 2004 15:16
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
> The fact that ISA is receiving traffic from an internal IP on the
> external NIC seems to hint that you have a cable misplaced or a
> VLAN is broken.
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
>
>  Read the help, books and articles!
> ----- Original Message ----- 
> From: "Eric Poole" <EPoole@xxxxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 14, 2004 11:53
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
>
> ISA's internal is on the .10 subnet just like the cisco box.  ISA's
> external is on the .2 subnet.  The external (2.9) is on a
> separate vlan, so it's virtually external.
> "Ethernet adapter Intranet:
>   Connection-specific DNS Suffix  . :
>         Description . . . . . . . . . . . : HPNC7781 Gigabit Server Adapter
>         Physical Address. . . . . . . . . : 00-0B-CD-82-2A-45
>         DHCP Enabled. . . . . . . . . . . : No
>         IP Address. . . . . . . . . . . . : 172.16.10.110
>         Subnet Mask . . . . . . . . . . . : 255.255.255.0
>         Default Gateway . . . . . . . . . :
>         DNS Servers . . . . . . . . . . . : 172.16.10.41
>                                             172.18.52.41
>         Primary WINS Server . . . . . . . : 172.16.10.41
>         Secondary WINS Server . . . . . . : 172.16.11.41
>
> Ethernet adapter Extranet:
>   Connection-specific DNS Suffix  . :
>         Description . . . . . . . . . . . : HPNC7781 Gigabit Server Adapter2
>         Physical Address. . . . . . . . . : 00-0B-CD-82-2A-6A
>         DHCP Enabled. . . . . . . . . . . : No
>         IP Address. . . . . . . . . . . . : 172.16.2.9
>         Subnet Mask . . . . . . . . . . . : 255.255.255.0
>         Default Gateway . . . . . . . . . : 172.16.2.20
>         DNS Servers . . . . . . . . . . . :
>         NetBIOS over Tcpip. . . . . . . . : Disabled"
>
>
> _______________________________________________
> Eric Poole
> IS Security Analyst
> Community Medical Centers
> 1140 "T" Street, Fresno, California 93721
> 559-459-6784 (phone) 559-459-2045 (fax)
>
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 14, 2004 11:33 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
> What does the ISA "ipconfig/all" produce?
> It sounds like ISA doesn't really agree with you about what's internal.
>
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
>
>  Read the help, books and articles!
> ----- Original Message ----- 
> From: "Eric Poole" <EPoole@xxxxxxxxxxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 14, 2004 10:32
> Subject: [isalist] ISA Server detected a spoof attack
>
>
> I'm getting these about every half hour from our internal Cisco Works
> box (172.16.10.168).  The 2.9 address is the ISA external NIC
> that is routed through our PIX.  Any ideas?
>
> "ISA Server detected a spoof attack from Internet Protocol (IP) address
> 172.16.10.168. A spoof attack occurs when an IP address that
> is not reachable via the interface on which the packet was received. If
> logging for dropped packets is set, you can view details in
> the packet filter log."
>
> Here's a sample from the packet filter log.
>
> "1/13/2004, 20:43:17, 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED,
> 172.16.2.9, 45 00 00 3c 20 74 00 00 7f 01 b6 7b ac 10 0a a8
> ac 10 02 09, 08 00 a1 b6 04 00 77 6e ad ad ad ad ad ad ad ad ad ..."
>
> _______________________________________________
> Eric Poole
> IS Security Analyst
> Community Medical Centers
> 1140 "T" Street, Fresno, California 93721
> 559-459-6784 (phone) 559-459-2045 (fax)
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to $subst('Email.Unsub')
>



