RE: [isalist] Re: Spoof Attack ?Again, the log details may help indicate why. The port isn't the issue; spoof attacks are source IP's that don't belong in the subnet it came in on. For instance, you might have someone using AIPA making NetBIOS requests (port 139). Can you detail your ISA deployment (IPs and such)? Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: Thum Chee Weng, Ronnie To: [ISAserver.org Discussion List] Sent: Thursday, September 13, 2001 18:17 Subject: [isalist] Re: Spoof Attack ? http://www.ISAserver.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------------------------------------------------------------------------------ Hi, As mentioned, I know that all the source IP is from my internal network. In the log it mentioned port 139. I'm enquiring why is this happening ? - ronnie - MCP, MCP+I, MCSE -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Friday, September 14, 2001 8:56 AM To: [ISAserver.org Discussion List] Subject: [isalist] Re: Spoof Attack ? http://www.ISAserver.org What is in the IP log for that same date/time? It'll tell you what the actual source IP was in the packet. Jim Harrison MCP(2K), A+, Network+, PCG ----- Original Message ----- From: Thum Chee Weng ; Ronnie To: [ISAserver.org Discussion List] Sent: Thursday, September 13, 2001 17:31 Subject: [isalist] Spoof Attack ? http://www.ISAserver.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. hi, I'm getting a number of spoof attack alerts originating from my internal IP range. Can anybody help me to explain why ? - ronnie - MCP, MCP+I, MCSE -----Original Message----- From: ISASERVER [mailto:ISASERVER] Sent: None To: Thum Chee Weng, Ronnie Subject: ISA Server alert: The IP packet source address is not valid. ISA Server name: MY_ISA ISA Server detected a spoof attack from Internet Protocol (IP) address aaa.bbb.ccc.ddd. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log. ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rthum@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------------------------------ ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')