RE: Port Scans

  • From: Steve Lunn <Steve.Lunn@xxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 16 Mar 2005 15:02:28 -0000

I would imagine it's IP Spoofing. I get quite a few of these in ISA2k, but
at least it tells
you that it's received the packet on the wrong interface and drops it.

Regards,
 
Steve
 
Steve Lunn - PC & Network Support
Microsoft MCP
DDI: 01423 855101
Fax: 01423 855181


-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: 16 March 2005 14:59
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Port Scans

http://www.ISAserver.org

Does anyone have an answer on this other than laughter?

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Tuesday, March 15, 2005 10:25
To: [ISAserver.org Discussion List]
Subject: [isalist] Port Scans

http://www.ISAserver.org

I get an lot of these alerts on my ISA2004 server:

ISA Server detected an all port scan attack from Internet Protocol (IP)
address xx.xx.xx.xx.

Normally, I just ignore these, as there isn't much I can do about
outside servers.  However, I've noticed a few of these with IP addresses
on our internal network, which has me concerned.  Whenever I see one of
these, I check every log I can think of, and don't find any other
indication of any activity other than the alert itself.  Even the
Firewall Log doesn't show any blocked packets during that time period.  

Do you think the IP address of the scanner is being spoofed? 


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
steve.lunn@xxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


Homeowners Group consists of Homeowners Friendly Society Limited (HFSL),
Registered and Incorporated under the Friendly Societies Act 1992, Reg. No.
964F, Homeowners Investment Fund Managers Limited (HIFML), Reg. No. 3224780,
Homeowners Financial Administration Limited (HFAL), Reg. No. 4301736,
Homeowners Membership Services Limited (HMSL), Reg. No. 3091667 and UK
Friendly Insurance Services Limited (UKFISL), Reg. No. 3088162, all
registered at Hornbeam Park Avenue, Harrogate. HG2  8XE. Tel: 01423 855000
Web: http://www.homeowners.co.uk 

HFSL and HIFML are both authorised and regulated by the Financial Services
Authority (FSA). HFSL's FSA Register no. is 110072, HIFML's FSA Register no.
is 181487. You can check this on the FSA's Register by visiting the FSA's
website http://www.fsa.gov.uk/register or by contacting the FSA on 0845 606
1234 

HFAL, HMSL and UKFISL are non-regulated limited companies. 

United Kingdom Civil Service Benefit Society (UKCSBS) and United Kingdom
Armed Forces Benefit Society (UKAFBS) are trading styles of Homeowners
Friendly Society Limited 

This e-mail is intended only for the person named as recipient. The contents
are confidential. If you are not the intended recipient of this e-mail,
please notify us as soon as possible and delete it. If you are not the
intended recipient of the e-mail, any use by you is prohibited.

Other related posts: