You might also want to check that the Local Address Table is configured correctly. John Watson. > If the ip address in xxx.xxx.xxx.xxx is an internal address then you > could have a DNS configuration issue. =20 > > Got to http://www.isaserver.org and select the message boards. Once at > the message boards issue a search and search for spoofs and dns. > > > Joseph > > > > > -----Original Message----- > From: Carlos Mauricio Perez Cortes [mailto:mauriciop@xxxxxxxxxxxx]=20 > Sent: Tuesday, August 21, 2001 1:53 PM > To: [ISAserver.org Discussion List] > Subject: RE: [isalist] Spoof Attack (Kelli Irwin) > Importance: High > > Hello Kelli, > > I'm having exactly the same problem you're suffering. I sent 2 messages > to ISA Server discussion list but I didn't get a response. > > CARLOS MAURICIO PEREZ C.=20 > Soporte T=E9cnico > <mailto:mauriciop@xxxxxxxxxxxx>=20 > http://www.solosoft.com > SoloSoft Ltda.=20 > AV. 9 No 126-30 OF. 703=20 > (PBX: +57(1) - 523 09 90=20 > =CAFAX: +57(1) - 523 09 80 > =C8CEL: +57(1) - 325 53 18 > BOGOTA, D.C. - COLOMBIA > > > -----Original Message----- > From: Kelli Irwin [mailto:kirwin@xxxxxxxxxxxxxxxxxxxxxx] > Sent: Martes 21 de Agosto de 2001 02:11 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] Spoof Attack > > > http://www.ISAserver.org > > > Hi All, > > I am relatively new to this "game" so please take it easy on me. :-) > I am getting almost endless Application Log Warning messages. > =09 > We will get these Application Event Log Warnings over several hours, as > few as 1 or 2 a minute and as many as 1 every second: > =09 > "ISA Server detected a spoof attack from Internet > Protocol (IP) address xxx.xxx.xxx.xxx.=20 > A spoof attack occurs when an IP address that is not > reachable via the interface on which=20 > the packet was received. If logging for dropped packets > is set, you can view details in=20 > the packet filter log." > > > This sometimes causes an interruption of Internet service. If I try to > reach a Web Site the browser will error-out. When it does I will then > get this Application Event Log Error: > > "The ISA Server services cannot create a packet filter > xxx.xxx.xxx.xxx.=20 > This event occurs when there is a conflict between the > Local Address=20 > Table (LAT) configuration and the Windows 2000 routing > table. Check=20 > the routing table and the LAT to find the source of the > conflict." > > The pattern is then that the Spoof messages will stop for a bit... then > the whole cycle will start over. > > Could this be caused by our network being configured incorrectly? Are > there tools available that I can use to figure this out? Is this just a > plain ol' Spoof Attack? > I will add that we are running our own Exchange Server and also hosting > our own Web Site. > > Any help will be appreciated. > > Thanks, > > Kelli M. Irwin > > > > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion List as: > mauriciop@xxxxxxxxxxxx > To unsubscribe send a blank email to $subst('Email.Unsub')