Firewall Wizards mailing list archives
Re: Wayyy too many spoofed packets
From: Paul Robertson <proberts () patriot net>
Date: Fri, 21 Nov 2003 15:22:43 -0500 (EST)
On Fri, 21 Nov 2003, Chris de Vidal wrote:

> I'm going to be installing firewalls on my internal servers (yes, I'm paranoid) and right now I'm testing in flag-only mode (don't drop any packets) on one server. So-far, so-good, except every day I get about 150 "spoofed" packets; packets claiming to be my IP coming INTO the NIC card. Strangely, the destination is always my network's broadcast address. Perhaps even more strangely, I'm seeing it only on SMB (UDP 137:138) and backup traffic (UDP 20031) ports.

It's probably just weird broadcast handling, since once your workstation puts the packets out on the wire, and the destination is broadcast, it's obligated to accept them off the wire so that an application can handle them.

> Ideas?

If the workstation sending them is the correct MAC address, try the same thing on an isolated segment, with a virtual network, or whatever and confirm the behaviour.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
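
A triage sketch for the check suggested in the reply above, added here as an example and not part of either poster's message: it sorts flagged "spoofed" records into the host's own broadcasts heard back on the interface versus packets that carry the host's IP from a different MAC. The addresses, MACs and record layout are constructed assumptions, and the limited broadcast 255.255.255.255 is treated the same as the subnet broadcast, which goes slightly beyond the case described.

```python
import ipaddress
from collections import Counter

# Assumed host settings (constructed for illustration).
LOCAL_IF = ipaddress.ip_interface("192.168.10.25/24")
LOCAL_MAC = "00:0c:29:aa:bb:cc"
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed records for packets a flag-only firewall marked as spoofed:
# (source MAC, source IP, destination IP, protocol, destination port)
FLAGGED = [
    ("00:0c:29:aa:bb:cc", "192.168.10.25", "192.168.10.255", "udp", 137),
    ("00:0c:29:aa:bb:cc", "192.168.10.25", "192.168.10.255", "udp", 138),
    ("00:0c:29:aa:bb:cc", "192.168.10.25", "255.255.255.255", "udp", 20031),
    ("00:50:56:11:22:33", "192.168.10.25", "192.168.10.255", "udp", 137),
    ("00:0c:29:aa:bb:cc", "192.168.10.25", "192.168.10.40", "udp", 137),
]


def is_broadcast(dst, iface=LOCAL_IF):
    """True for the subnet's directed broadcast or the limited broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr in (iface.network.broadcast_address, LIMITED_BROADCAST)


def classify(record, iface=LOCAL_IF, mac=LOCAL_MAC):
    """Label one flagged record by source MAC and destination type."""
    src_mac, src_ip, dst_ip, _proto, _port = record
    if ipaddress.ip_address(src_ip) != iface.ip:
        return "not-our-source"      # not the situation discussed here
    if src_mac.lower() != mac.lower():
        return "foreign-mac"         # our IP from another NIC: investigate
    if is_broadcast(dst_ip, iface):
        return "own-broadcast"       # our own broadcast read back off the wire
    return "unexpected-unicast"      # our IP and MAC inbound to a unicast address


def summarize(records):
    """Count flagged records per label."""
    return Counter(classify(r) for r in records)


if __name__ == "__main__":
    for label, count in summarize(FLAGGED).most_common():
        print(f"{count:3d}  {label}")
```

Only the "own-broadcast" bucket matches the benign explanation; anything in "foreign-mac" is what the isolated-segment test is meant to rule out.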