Firewall Wizards mailing list archives
Wayyy too many spoofed packets
From: "Chris de Vidal" <chris () devidal tv>
Date: Fri, 21 Nov 2003 10:27:36 -0500 (EST)
I'm going to be installing firewalls on my internal servers (yes, I'm paranoid) and right now I'm testing in flag-only mode (don't drop any packets) on one server. So far, so good, except every day I get about 150 "spoofed" packets: packets claiming to be my IP coming INTO the NIC card. Strangely, the destination is always my network's broadcast address. Perhaps even more strangely, I'm seeing it only on SMB (UDP 137:138) and backup traffic (UDP 20031) ports.

Here is the rule:

    /sbin/iptables -A bad_packets \
        -i eth0 -s 172.19.2.200 \
        -m limit --limit 3/minute \
        -j LOG --log-level INFO \
        --log-prefix "Spoofed packet type 1 (bad): "

Here is the log:

    Logged 142 packets on interface eth0
      From 172.19.2.200 - 142 packets
        To 172.19.255.255 - 142 packets
          Service: netbios-ns (udp/137) (Spoofed packet type 1 (bad):,eth0,none) - 19 packets
          Service: netbios-dgm (udp/138) (Spoofed packet type 1 (bad):,eth0,none) - 103 packets
    (20031 is the backup port)
          Service: 20031 (udp/20031) (Spoofed packet type 1 (bad):,eth0,none) - 20 packets

Ideas?

/dev/idal
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards