Firewall Wizards mailing list archives

Re: Wayyy too many spoofed packets


From: Paul Robertson <proberts () patriot net>
Date: Fri, 21 Nov 2003 15:22:43 -0500 (EST)

On Fri, 21 Nov 2003, Chris de Vidal wrote:

> I'm going to be installing firewalls on my internal servers (yes, I'm
> paranoid) and right now I'm testing in flag-only mode (don't drop any
> packets) on one server.  So far, so good, except every day I get about 150
> "spoofed" packets; packets claiming to be my IP coming INTO the NIC card.
> Strangely, the destination is always my network's broadcast address.
> Perhaps even more strangely, I'm seeing it only on SMB (UDP 137:138) and
> backup traffic (UDP 20031) ports.

It's probably just weird broadcast handling, since once your workstation
puts the packets out on the wire, and the destination is broadcast, it's
obligated to accept them off the wire so that an application can handle
them.

> Ideas?

If the workstation sending them is the correct MAC address, try the same
thing on an isolated segment, with a virtual network, or whatever and
confirm the behaviour.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
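
Added example, not part of the original post: a small Python triage of flag-only log records that applies the check suggested in the reply, separating the host's own broadcasts (own IP, own MAC, broadcast destination) from packets that carry its IP but another station's MAC. The record format, host address, MAC values and sample lines are all constructed assumptions.

```python
import ipaddress

# Assumed address and MAC of the host under test (constructed values).
HOST_IF = ipaddress.ip_interface("192.0.2.10/24")
HOST_MAC = "00:11:22:33:44:55"

# Constructed sample records: one packet per line, key=value fields.
SAMPLE_LOG = """\
src_mac=00:11:22:33:44:55 src=192.0.2.10 dst=192.0.2.255 proto=udp dport=137
src_mac=00:11:22:33:44:55 src=192.0.2.10 dst=192.0.2.255 proto=udp dport=20031
src_mac=66:77:88:99:aa:bb src=192.0.2.10 dst=192.0.2.255 proto=udp dport=138
src_mac=66:77:88:99:aa:bb src=192.0.2.10 dst=192.0.2.20 proto=tcp dport=445
src_mac=66:77:88:99:aa:bb src=192.0.2.77 dst=192.0.2.255 proto=udp dport=137
"""

def parse(line):
    """Split one record into a dict of its key=value fields."""
    return dict(field.split("=", 1) for field in line.split())

def classify(rec, host_if=HOST_IF, host_mac=HOST_MAC):
    """Label a packet that arrived inbound on the host's interface."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if src != host_if.ip:
        return "not-own-source"          # not a "claims to be me" packet
    broadcasts = {host_if.network.broadcast_address,
                  ipaddress.ip_address("255.255.255.255")}
    same_mac = rec["src_mac"].lower() == host_mac.lower()
    if same_mac and dst in broadcasts:
        return "own-broadcast"           # host seeing its own broadcast
    if same_mac:
        return "own-mac-non-broadcast"   # own frame, but not a broadcast
    return "foreign-mac"                 # another station is using this IP

def triage(log_text):
    """Count verdicts over all non-empty records."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            verdict = classify(parse(line))
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for verdict, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{n:3d}  {verdict}")
```

The source MAC is only meaningful for frames from the same layer-2 segment, so records in the `foreign-mac` bucket are the ones to follow up on that segment.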