Re: Spoof Attack ?

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 13 Sep 2001 18:30:17 -0700

RE: [isalist] Re: Spoof Attack ?Again, the log details may help indicate why.
The port isn't the issue; spoof attacks are source IP's that don't belong in 
the subnet it came in on.
For instance, you might have someone using AIPA making NetBIOS requests (port 
139).

Can you detail your ISA deployment (IPs and such)?

Jim Harrison
MCP(2K), A+, Network+, PCG


  ----- Original Message ----- 
  From: Thum Chee Weng, Ronnie 
  To: [ISAserver.org Discussion List] 
  Sent: Thursday, September 13, 2001 18:17
  Subject: [isalist] Re: Spoof Attack ?


  http://www.ISAserver.org



  This message is in MIME format. Since your mail reader does not understand
  this format, some or all of this message may not be legible.



------------------------------------------------------------------------------


  Hi, 

  As mentioned, I know that all the source IP is from my internal network. 
  In the log it mentioned port 139. 

  I'm enquiring why is this happening ? 

  - ronnie - 
  MCP, MCP+I, MCSE 

  -----Original Message----- 
  From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
  Sent: Friday, September 14, 2001 8:56 AM 
  To: [ISAserver.org Discussion List] 
  Subject: [isalist] Re: Spoof Attack ? 



  http://www.ISAserver.org 



  What is in the IP log for that same date/time?  It'll tell you what the 
actual source IP was in the packet. 

  Jim Harrison 
  MCP(2K), A+, Network+, PCG 



  ----- Original Message ----- 
  From: Thum Chee Weng ; Ronnie 
  To: [ISAserver.org Discussion List] 
  Sent: Thursday, September 13, 2001 17:31 
  Subject: [isalist] Spoof Attack ? 



  http://www.ISAserver.org 




  This message is in MIME format. Since your mail reader does not understand 
  this format, some or all of this message may not be legible. 





  hi, 
  I'm getting a number of spoof attack alerts originating from my internal IP 
range. 
  Can anybody help me to explain why ? 
  - ronnie - 
  MCP, MCP+I, MCSE 
  -----Original Message----- 
  From: ISASERVER [mailto:ISASERVER] 
  Sent: None 
  To: Thum Chee Weng, Ronnie 
  Subject: ISA Server alert: The IP packet source address is not valid. 
  ISA Server name: MY_ISA 
  ISA Server detected a spoof attack from Internet Protocol (IP) address 
aaa.bbb.ccc.ddd. A spoof attack occurs when an IP address that is not reachable 
via the interface on which the packet was received. If logging for dropped 
packets is set, you can view details in the packet filter log.




  ------------------------------------------------------ 
  You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx 
  To unsubscribe send a blank email to $subst('Email.Unsub') 

  ------------------------------------------------------ 
  You are currently subscribed to this ISAserver.org Discussion List as: 
rthum@xxxxxxxxxxxxxxxxxx 
  To unsubscribe send a blank email to $subst('Email.Unsub') 



------------------------------------------------------------------------------


  ------------------------------------------------------
  You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
  To unsubscribe send a blank email to $subst('Email.Unsub')

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 09-2001