Re: Spoof attack

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 2 Jul 2002 07:17:21 -0700

More inline...
Also, take a look in your
%ProgramFiles%\Microsoft ISA Server\ISALogs\IP...log
for the date/time that the event was recorded.
It might give you a hint in figuring out why this happened.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
----- Original Message -----
From: "Lim, Arthus T." <alim@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 01, 2002 6:51 PM
Subject: [isalist] Re: Spoof attack


http://www.ISAserver.org


Here's my IPConfig /all

Windows 2000 IP Configuration
Hostname: Servername
Primary DNS Suffix ABC.com
Node Type Hybrid
IP Routing Enabled No
WINS Proxy Enabled No
DNS Suffix Search List ABC.com

Ethernet Adapter Local Area Connection 2
Connection Specific DNS Suffix
Physical Address 00-04-76-2F-B6-44
DHCP Enabled No
IP Address 192.168.0.z
Subnetmask 255.255.255.0
Default Gateway 192.1680.x
  -- drop this; there should be no gateway in the internal interface
DNS Servers 192.168.0.y
192.168.0.x

Ethernet Adapter Local Area Connection
Connection Specific DNS Suffix
Physical Address 00-E0-18-1E-82-04
DHCP Enabled No
IP Address 202.164.x.y
Subnetmask 255.255.255.z
Default Gateway 202.164.x.w
DNS Server 202.164.x.v
202.164.x.u
203.167.a.b

As for your first question, I'm using the protocols at ISA.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, July 01, 2002 9:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Spoof attack

Inline...

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
----- Original Message -----
From: "Lim, Arthus T." <alim@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 01, 2002 1:09 AM
Subject: [isalist] Re: Spoof attack


Here's my ISA configuration:

Packet Filters:

DNS Filter allow
ICMP Outbound allow
ICMP Ping Response (in) block
    -- not needed if you have packet filtering on
ICMP Source Quench allow
ICMP Timeout in allow
ICMP unreachable in allow
POP3 allow

  -- are you using these protocols at or behind the ISA?

Under General tab, enable packet filtering is checked, enable intrusion
detection is checked.

Under Intrusion detection tab, all are checked

Here's one Application Log Warning Message I got:

ISA server detected a spoof attack from Internet Protocol (IP) address
64.85.13.100.  A spoof attack occurs when an IP address that is not
reachable via the interface on which the packet was received.  If
logging for dropped packets is set, you can view details in the packet
filter log.

Hope you can help me with this.  Thanks

  -- I still need to see the ipconfig/all for the ISA server...

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, July 01, 2002 8:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Spoof attack

What does the ISA ipconfig/all look like?
Most often, this entry is caused by misconfigured interfaces.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
----- Original Message -----
From: "Lim, Arthus T." <alim@xxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, June 30, 2002 6:20 AM
Subject: [isalist] Spoof attack


When I enable the Packet Filtering option, the log says that I'm having a
spoof attack and the users aren't able to use the Internet.  What
should I do to prevent this?

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
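
Added example, not part of the thread: a small Python check for the interface misconfiguration discussed above, a default gateway set on the internal adapter of a dual-homed firewall. The sample text and addresses are constructed, and treating an RFC 1918 address as "internal" is an assumption of this sketch.

```python
import ipaddress
import re

# Constructed sample in the layout of `ipconfig /all`; addresses are
# placeholders (RFC 1918 inside, RFC 5737 documentation range outside).
SAMPLE = """\
Ethernet adapter Local Area Connection 2:
        IP Address. . . . . . . . . . . . : 192.168.0.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 203.0.113.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 203.0.113.1
"""

# Assumption: the internal adapter is the one holding an RFC 1918 address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADAPTER = re.compile(r"^Ethernet adapter (.+):\s*$", re.I)
FIELD = re.compile(r"^\s+(IP Address|Default Gateway)[ .]*:\s*(\S*)\s*$", re.I)


def parse_adapters(text):
    """Return {adapter name: {"ip": str or None, "gateway": str or None}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {"ip": None, "gateway": None})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            key = "ip" if m.group(1).lower() == "ip address" else "gateway"
            current[key] = m.group(2) or None  # empty gateway field -> None
    return adapters


def gateway_findings(adapters):
    """Flag internal adapters with a default gateway, and multiple gateways."""
    findings = []
    for name, cfg in adapters.items():
        internal = cfg["ip"] and any(ipaddress.ip_address(cfg["ip"]) in n for n in RFC1918)
        if internal and cfg["gateway"]:
            findings.append(f"{name}: internal adapter {cfg['ip']} has default "
                            f"gateway {cfg['gateway']}; remove it")
    with_gw = [n for n, c in adapters.items() if c["gateway"]]
    if len(with_gw) > 1:
        findings.append("more than one adapter has a default gateway: " + ", ".join(with_gw))
    return findings
```

Calling `gateway_findings(parse_adapters(text))` on saved `ipconfig /all` output returns an empty list when only the external adapter carries a gateway.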


