Re: ISA Server detected a spoof attack

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 16 Jan 2004 07:27:40 -0800

As my dear departed Mama used to say, "better a smartass than a dumbass..."

Regarding your SUS deployment, my question is "why?"
If a DMZ host needs to get to it, web-publish it to the DMZ.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "cismic" <cismic@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, January 15, 2004 10:40
Subject: [isalist] Re: ISA Server detected a spoof attack


http://www.ISAserver.org

Hi Jim,
Nope, my mother only raised thoroughbreds! lol

Anyway, hey, I've finally got, well, at least most of my new machines in
place.  I've been replacing old boxes with new ones, and of course that means
installing software all over again.

I run a back to back setup and am wondering if it is a good idea to place
the SUS machine in the DMZ.

Thank you,

Joseph
----- Original Message ----- 
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, January 14, 2004 1:58 PM
Subject: [isalist] Re: ISA Server detected a spoof attack


>
> Smartass...
> ;-)
>
> I have that little toy.  I even had one for my old PalmIII until it finally died and forced me to buy a Toshiba e750.
> Of course, there's a difference between having and using.
> It was one of those times when you look and say "I know what that is" and get proven painfully wrong.
>
>  Jim Harrison
>  MCP(NT4, W2K), A+, Network+, PCG
>  http://www.microsoft.com/isaserver
>  http://isaserver.org/Jim_Harrison
>  http://isatools.org
>
>  Read the help, books and articles!
> ----- Original Message ----- 
> From: "cismic" <cismic@xxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 14, 2004 13:21
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
>
>
> Hi Jim,
>
> SolarWinds has a free subnet calculator.
> http://www.purenetworking.net/Products/SolarWinds/SolarWindsSE.htm
>
> Joseph
> ----- Original Message ----- 
> From: "Jim Harrison" <jim@xxxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, January 14, 2004 1:14 PM
> Subject: [isalist] Re: ISA Server detected a spoof attack
>
>
> >
> > Don't feel bad; I had to eat a basic subnet miscalculation not too long ago...
> >
> >  Jim Harrison
> >  MCP(NT4, W2K), A+, Network+, PCG
> >  http://www.microsoft.com/isaserver
> >  http://isaserver.org/Jim_Harrison
> >  http://isatools.org
> >
> >  Read the help, books and articles!
> > ----- Original Message ----- 
> > From: "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, January 14, 2004 13:02
> > Subject: [isalist] Re: ISA Server detected a spoof attack
> >
> >
> >
> > Yep, you're right. I transposed DNS and Default Gateway when I looked at
> > them.
> >
> > Best Regards,
> >
> > Dan Bartley
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > Sent: Wednesday, January 14, 2004 15:45
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: ISA Server detected a spoof attack
> >
> >
> > Actually, that's not the case.
> >
> > internal     = 172.16.10/24
> > external    = 172.16.2/24
> > Cisco       = 172.16.10.168
> >
> > The log data states that the packet was sent from the Cisco to the ISA
> > "external" NIC.
> > 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED,172.16.2.9
> >
> > According to the IP assignments, the Cisco is "internal", but the packet
> > was received on the ISA external interface according to the
> > log entry.  That's why I suggested a misplaced cable or broken VLAN.
> >
> >  Jim Harrison
> >  MCP(NT4, W2K), A+, Network+, PCG
> >  http://www.microsoft.com/isaserver
> >  http://isaserver.org/Jim_Harrison
> >  http://isatools.org
> >
> >  Read the help, books and articles!
> > ----- Original Message ----- 
> > From: "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, January 14, 2004 12:20
> > Subject: [isalist] Re: ISA Server detected a spoof attack
> >
> >
> >
> > Not necessarily. Is the Cisco on the same private subnet as the external
> > NIC of ISA, and is that different from the private subnet being used by
> > the internal ISA NIC?
> >
> > Could be set up as a second level defense behind the Cisco and a
> > firewall. That would allow for a private IP on the external NIC.
> >
> > What I see below from his ipconfig/all seems to indicate that is the
> > case.
> >
> > Best Regards,
> >
> > Dan Bartley
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > Sent: Wednesday, January 14, 2004 15:16
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: ISA Server detected a spoof attack
> >
> >
> > The fact that ISA is receiving traffic from an internal IP on the
> > external NIC seems to hint that you have a cable misplaced or a
> > VLAN is broken.
> >
> >  Jim Harrison
> >  MCP(NT4, W2K), A+, Network+, PCG
> >  http://www.microsoft.com/isaserver
> >  http://isaserver.org/Jim_Harrison
> >  http://isatools.org
> >
> >  Read the help, books and articles!
> > ----- Original Message ----- 
> > From: "Eric Poole" <EPoole@xxxxxxxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, January 14, 2004 11:53
> > Subject: [isalist] Re: ISA Server detected a spoof attack
> >
> >
> >
> > ISA's internal is on the .10 subnet just like the cisco box.  ISA's
> > external is on the .2 subnet.  The external (2.9) is on a
> > separate vlan, so it's virtually external.
> > "Ethernet adapter Intranet:
> >   Connection-specific DNS Suffix  . :
> >         Description . . . . . . . . . . . : HPNC7781 Gigabit Server Adapter
> >         Physical Address. . . . . . . . . : 00-0B-CD-82-2A-45
> >         DHCP Enabled. . . . . . . . . . . : No
> >         IP Address. . . . . . . . . . . . : 172.16.10.110
> >         Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >         Default Gateway . . . . . . . . . :
> >         DNS Servers . . . . . . . . . . . : 172.16.10.41
> >                                             172.18.52.41
> >         Primary WINS Server . . . . . . . : 172.16.10.41
> >         Secondary WINS Server . . . . . . : 172.16.11.41
> >
> > Ethernet adapter Extranet:
> >   Connection-specific DNS Suffix  . :
> >         Description . . . . . . . . . . . : HPNC7781 Gigabit Server Adapter2
> >         Physical Address. . . . . . . . . : 00-0B-CD-82-2A-6A
> >         DHCP Enabled. . . . . . . . . . . : No
> >         IP Address. . . . . . . . . . . . : 172.16.2.9
> >         Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >         Default Gateway . . . . . . . . . : 172.16.2.20
> >         DNS Servers . . . . . . . . . . . :
> >         NetBIOS over Tcpip. . . . . . . . : Disabled"
> >
> >
> > _______________________________________________
> > Eric Poole
> > IS Security Analyst
> > Community Medical Centers
> > 1140 "T" Street, Fresno, California 93721
> > 559-459-6784 (phone) 559-459-2045 (fax)
> >
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > Sent: Wednesday, January 14, 2004 11:33 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Re: ISA Server detected a spoof attack
> >
> >
> > What does the ISA "ipconfig/all" produce?
> > It sounds like ISA doesn't really agree with you about what's internal.
> >
> >
> >  Jim Harrison
> >  MCP(NT4, W2K), A+, Network+, PCG
> >  http://www.microsoft.com/isaserver
> >  http://isaserver.org/Jim_Harrison
> >  http://isatools.org
> >
> >  Read the help, books and articles!
> > ----- Original Message ----- 
> > From: "Eric Poole" <EPoole@xxxxxxxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, January 14, 2004 10:32
> > Subject: [isalist] ISA Server detected a spoof attack
> >
> >
> >
> > I'm getting these about every half hour from our internal Cisco Works
> > box (172.16.10.168).  The 2.9 address is the ISA external NIC
> > that is routed through our PIX.  Any ideas?
> >
> > "ISA Server detected a spoof attack from Internet Protocol (IP) address
> > 172.16.10.168. A spoof attack occurs when an IP address that
> > is not reachable via the interface on which the packet was received. If
> > logging for dropped packets is set, you can view details in
> > the packet filter log."
> >
> > Here's a sample from the packet filter log.
> >
> > "1/13/2004, 20:43:17, 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED,
> > 172.16.2.9, 45 00 00 3c 20 74 00 00 7f 01 b6 7b ac 10 0a a8
> > ac 10 02 09, 08 00 a1 b6 04 00 77 6e ad ad ad ad ad ad ad ad ad ..."
> >
> > _______________________________________________
> > Eric Poole
> > IS Security Analyst
> > Community Medical Centers
> > 1140 "T" Street, Fresno, California 93721
> > 559-459-6784 (phone) 559-459-2045 (fax)
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
>
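The check Jim applies by eye to the log entry, as an added Python example that is not part of the original thread: it decodes the IP header bytes from the quoted packet filter log line and tests the logged source against the subnets from the quoted ipconfig output. The column positions and the subnet-membership rule are assumptions modelled on the alert text and on Jim's reading of the log; ISA Server's own test is not shown in the thread.

```python
import ipaddress
import struct

# Interface addressing copied from the ipconfig /all output quoted in the thread.
INTERFACES = {
    "Intranet": ipaddress.ip_interface("172.16.10.110/24"),
    "Extranet": ipaddress.ip_interface("172.16.2.9/24"),
}

# Packet filter log sample quoted in the thread (its payload is truncated there).
LOG_LINE = (
    "1/13/2004, 20:43:17, 172.16.10.168, 172.16.2.9, ICMP, 8, 0, -, BLOCKED, "
    "172.16.2.9, 45 00 00 3c 20 74 00 00 7f 01 b6 7b ac 10 0a a8 ac 10 02 09, "
    "08 00 a1 b6 04 00 77 6e ad ad ad ad ad ad ad ad ad ..."
)


def decode_ipv4_header(raw):
    """Decode a 20-byte IPv4 header (no options) and verify its checksum."""
    if len(raw) != 20 or raw[0] != 0x45:
        raise ValueError("expected a 20-byte IPv4 header without options")
    _, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw)
    total = sum(struct.unpack("!10H", raw))
    while total >> 16:  # fold carries: one's-complement sum
        total = (total & 0xFFFF) + (total >> 16)
    return {"ttl": ttl, "proto": proto, "checksum_ok": total == 0xFFFF,
            "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst))}


def classify_source(src, received_on):
    """Simplified spoof test (assumption): the source sits in a subnet attached
    to an interface other than the one the packet arrived on."""
    src = ipaddress.ip_address(src)
    received_on = ipaddress.ip_address(received_on)
    arrival = next((n for n, i in INTERFACES.items() if i.ip == received_on), None)
    if arrival is None:
        raise ValueError("packet logged on an unknown interface")
    home = next((n for n, i in INTERFACES.items() if src in i.network), None)
    return {"arrival": arrival, "home": home,
            "spoof": home is not None and home != arrival}


def analyze(line):
    """Assumed columns: 2=source, 3=destination, 9=receiving interface, 10=IP header."""
    f = [x.strip() for x in line.split(",")]
    if len(f) < 11:
        raise ValueError("unexpected log format")
    header = decode_ipv4_header(bytes.fromhex(f[10]))
    verdict = classify_source(f[2], f[9])
    # The logged addresses should agree with the captured header bytes.
    verdict["header_matches_log"] = (header["src"], header["dst"]) == (f[2], f[3])
    verdict["checksum_ok"] = header["checksum_ok"]
    verdict["ttl"] = header["ttl"]
    return verdict


if __name__ == "__main__":
    print(analyze(LOG_LINE))
```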
