If the ip address in xxx.xxx.xxx.xxx is an internal address then you could have a DNS configuration issue. Got to http://www.isaserver.org and select the message boards. Once at the message boards issue a search and search for spoofs and dns. Joseph -----Original Message----- From: Carlos Mauricio Perez Cortes [mailto:mauriciop@xxxxxxxxxxxx] Sent: Tuesday, August 21, 2001 1:53 PM To: [ISAserver.org Discussion List] Subject: RE: [isalist] Spoof Attack (Kelli Irwin) Importance: High Hello Kelli, I'm having exactly the same problem you're suffering. I sent 2 messages to ISA Server discussion list but I didn't get a response. CARLOS MAURICIO PEREZ C. Soporte Técnico <mailto:mauriciop@xxxxxxxxxxxx> http://www.solosoft.com SoloSoft Ltda. AV. 9 No 126-30 OF. 703 (PBX: +57(1) - 523 09 90 ÊFAX: +57(1) - 523 09 80 ÈCEL: +57(1) - 325 53 18 BOGOTA, D.C. - COLOMBIA -----Original Message----- From: Kelli Irwin [mailto:kirwin@xxxxxxxxxxxxxxxxxxxxxx] Sent: Martes 21 de Agosto de 2001 02:11 PM To: [ISAserver.org Discussion List] Subject: [isalist] Spoof Attack http://www.ISAserver.org Hi All, I am relatively new to this "game" so please take it easy on me. :-) I am getting almost endless Application Log Warning messages. We will get these Application Event Log Warnings over several hours, as few as 1 or 2 a minute and as many as 1 every second: "ISA Server detected a spoof attack from Internet Protocol (IP) address xxx.xxx.xxx.xxx. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log." This sometimes causes an interruption of Internet service. If I try to reach a Web Site the browser will error-out. When it does I will then get this Application Event Log Error: "The ISA Server services cannot create a packet filter xxx.xxx.xxx.xxx. This event occurs when there is a conflict between the Local Address Table (LAT) configuration and the Windows 2000 routing table. Check the routing table and the LAT to find the source of the conflict." The pattern is then that the Spoof messages will stop for a bit... then the whole cycle will start over. Could this be caused by our network being configured incorrectly? Are there tools available that I can use to figure this out? Is this just a plain ol' Spoof Attack? I will add that we are running our own Exchange Server and also hosting our own Web Site. Any help will be appreciated. Thanks, Kelli M. Irwin ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: mauriciop@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')