Firewall Wizards mailing list archives
RE: Re: Wayyy too many spoofed packets
From: "Bill Royds" <broyds () rogers com>
Date: Fri, 21 Nov 2003 19:31:22 -0500
As Frank said, your machine is sending broadcasts on both interfaces for Samba. So you see the broadcasts as received as well. It is not coming from the net but from your machine itself.

-----Original Message-----
From: Chris de Vidal [mailto:chris () devidal tv]
Sent: November 21, 2003 3:37 PM
To: Bill () royds net
Cc: firewall-wizards () honor icsalabs com
Subject: Re: Re: [fw-wiz] Wayyy too many spoofed packets

I'm going to be installing firewalls on my internal servers (yes, I'm paranoid). These include Samba servers. I shouldn't expect to see MY IP coming IN from the OUTSIDE. I saw this kind of spoof protection in another firewall script and copied it, so I'm sure the rule is correct and I've never seen traffic with MY IP originating on eth0.

/dev/idal

Bill Royds said:
Are you running Samba on the Linux box which is your firewall? It may be that you are seeing traffic from the firewall box itself, which has the IP address on its eth0 interface, does it not? Samba will try to enumerate other SMB hosts on its subnet if it is running. Backup will also try to find other backup boxes.

From: "Chris de Vidal" <chris () devidal tv>
Date: 2003/11/21 Fri PM 02:35:56 EST
To: Bill () royds net
CC: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Wayyy too many spoofed packets

Sorry if I misunderstand you, but you're saying it's normal for packets coming IN from the network to have my IP? See, that's my concern, not broadcasts. Netmask and broadcast match what you said:

/sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:DA:0C:04:6E
          inet addr:172.19.2.200  Bcast:172.19.255.255  Mask:255.255.0.0

Again, I'm only concerned about spoofed packets; packets coming from the outside in claiming to have my IP. So is this normal?

/dev/idal

Bill Royds said:
You have the default netmask set incorrectly (or not set at all) on host with IP 172.19.2.200. SMB uses broadcast by default if it has not been given a WINS address to find hosts, and net 172.19.x.x is a class B which by default has a netmask of 255.255.0.0 and a broadcast address of 172.19.255.255. What you are seeing is perfectly normal for a Windows box with default Windows network setup (broadcast for name resolution).

From: "Chris de Vidal" <chris () devidal tv>
Date: 2003/11/21 Fri AM 10:27:36 EST
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Wayyy too many spoofed packets

I'm going to be installing firewalls on my internal servers (yes, I'm paranoid) and right now I'm testing in flag-only mode (don't drop any packets) on one server.

So far, so good, except every day I get about 150 "spoofed" packets; packets claiming to be my IP coming INTO the NIC card. Strangely, the destination is always my network's broadcast address. Perhaps even more strangely is I'm seeing it only on SMB (UDP 137:138) and backup traffic (UDP 20031) ports.

Here is the rule:

/sbin/iptables -A bad_packets \
    -i eth0 -s 172.19.2.200 \
    -m limit --limit 3/minute \
    -j LOG --log-level INFO \
    --log-prefix "Spoofed packet type 1 (bad): "

Here is the log:

Logged 142 packets on interface eth0
  From 172.19.2.200 - 142 packets
  To 172.19.255.255 - 142 packets
  Service: netbios-ns (udp/137) (Spoofed packet type 1 (bad):,eth0,none) - 19 packets
  Service: netbios-dgm (udp/138) (Spoofed packet type 1 (bad):,eth0,none) - 103 packets
  (20031 is the backup port)
  Service: 20031 (udp/20031) (Spoofed packet type 1 (bad):,eth0,none) - 20 packets

Ideas?

/dev/idal

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
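The thread's point is that a packet arriving on eth0 with the box's own source address is not automatically a spoof: the host's own Samba and backup broadcasts are looped back to INPUT and match the rule. The script below is an added example (it is not from the thread or from any of the posters) that triages raw iptables LOG lines by comparing the logged source MAC with the interface's own MAC, so looped-back local broadcasts are separated from packets another station sent with the firewall's IP forged. It assumes the kernel's standard LOG line layout (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=, with MAC= carrying destination MAC, source MAC and ethertype back to back); the interface address, netmask, broadcast and HWaddr are the ones quoted in the thread, and the log lines themselves are constructed for the example.

```python
"""Triage iptables "own IP seen on eth0" log lines.

Added example, not code from the mailing-list thread.  Assumptions:
  * lines are in the kernel's iptables LOG format (IN= OUT= MAC= SRC= ...);
  * MAC= holds dst MAC, src MAC and ethertype, colon separated, in that order;
  * SAMPLE_LOG below is constructed; only the interface facts come from the thread.
"""
import ipaddress
import re
from collections import Counter

# Interface facts quoted in the thread (ifconfig eth0 output).
LOCAL_IFACES = {
    "eth0": {
        "iface": ipaddress.ip_interface("172.19.2.200/16"),
        "mac": "00:50:da:0c:04:6e",
    },
}

# Services the thread saw hitting the rule: NetBIOS name/datagram and the backup agent.
BROADCAST_SERVICES = {137: "netbios-ns", 138: "netbios-dgm", 20031: "backup"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=value fields of one LOG line as a dict.

    Repeated keys (LEN= appears for IP and UDP) keep the first value.  MAC= is
    split into DST_MAC and SRC_MAC when it carries a full Ethernet header.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    octets = fields.get("MAC", "").split(":") if fields.get("MAC") else []
    if len(octets) >= 12:
        fields["DST_MAC"] = ":".join(octets[0:6]).lower()
        fields["SRC_MAC"] = ":".join(octets[6:12]).lower()
    return fields


def classify(fields):
    """Verdict for one packet that matched the '-i eth0 -s <own IP>' rule.

    own-broadcast : our IP, our MAC, subnet broadcast destination; the host's
                    own Samba/backup discovery traffic looped back to INPUT.
    own-other     : our IP and our MAC but not a broadcast; locally generated,
                    still worth a look.
    spoofed       : our IP with a different source MAC; another station on the
                    segment forged our address.
    unknown       : no MAC= in the line (or unknown interface), so the
                    link-layer origin cannot be decided from the log alone.
    foreign       : source is not our address at all; the rule that logged it
                    is broader than the one in the thread.
    """
    local = LOCAL_IFACES.get(fields.get("IN"))
    if local is None or "SRC" not in fields:
        return "unknown"
    if ipaddress.ip_address(fields["SRC"]) != local["iface"].ip:
        return "foreign"
    src_mac = fields.get("SRC_MAC")
    if src_mac is None:
        return "unknown"
    if src_mac != local["mac"]:
        return "spoofed"
    dst = ipaddress.ip_address(fields.get("DST", "0.0.0.0"))
    if dst == local["iface"].network.broadcast_address:
        return "own-broadcast"
    return "own-other"


def triage(lines):
    """Classify every line; return (Counter of verdicts, per-line detail tuples)."""
    summary, details = Counter(), []
    for line in lines:
        f = parse_log_line(line)
        verdict = classify(f)
        port = int(f["DPT"]) if f.get("DPT", "").isdigit() else None
        service = BROADCAST_SERVICES.get(port, str(port))
        summary[verdict] += 1
        details.append((verdict, f.get("SRC"), f.get("DST"), f.get("PROTO"), service))
    return summary, details


# Constructed sample log lines (not from the thread).
PREFIX = "Spoofed packet type 1 (bad): IN=eth0 OUT= "
SAMPLE_LOG = [
    # Samba name query looped back: our IP, our MAC, subnet broadcast.
    PREFIX + "MAC=ff:ff:ff:ff:ff:ff:00:50:da:0c:04:6e:08:00 SRC=172.19.2.200 "
    "DST=172.19.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58",
    # Samba datagram (browser announcement), same story.
    PREFIX + "MAC=ff:ff:ff:ff:ff:ff:00:50:da:0c:04:6e:08:00 SRC=172.19.2.200 "
    "DST=172.19.255.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=209",
    # Our IP but a stranger's MAC aimed at our SMB port: a real spoof.
    PREFIX + "MAC=00:50:da:0c:04:6e:00:0c:29:aa:bb:cc:08:00 SRC=172.19.2.200 "
    "DST=172.19.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=445 SYN",
    # Backup discovery with no MAC= field: cannot decide from the log.
    PREFIX + "SRC=172.19.2.200 DST=172.19.255.255 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=20031 DPT=20031 LEN=44",
    # Another host on the subnet; not our address, so not a spoof of us.
    PREFIX + "MAC=ff:ff:ff:ff:ff:ff:00:0c:29:aa:bb:cc:08:00 SRC=172.19.2.50 "
    "DST=172.19.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=UDP SPT=137 DPT=137 LEN=58",
]

if __name__ == "__main__":
    summary, details = triage(SAMPLE_LOG)
    for row in details:
        print("%-14s src=%-15s dst=%-15s %s/%s" % row)
    print(dict(summary))
```

Only the "spoofed" and "unknown" verdicts deserve attention; the "own-broadcast" rows are what the thread attributes to Samba and the backup agent. For the "unknown" case, or to confirm the classification against the wire rather than the log, capturing with link-level headers on the box itself (tcpdump -e -n -i eth0 'src host 172.19.2.200 and dst host 172.19.255.255') shows whether the source MAC is the interface's own 00:50:DA:0C:04:6E.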
Current thread:
- Wayyy too many spoofed packets Chris de Vidal (Nov 21)
- Re: Wayyy too many spoofed packets Paul Robertson (Nov 21)
- Re: Wayyy too many spoofed packets Chris de Vidal (Nov 23)
- Message not available
- RE: Wayyy too many spoofed packets Chris de Vidal (Nov 21)
- Re: Wayyy too many spoofed packets Paul Robertson (Nov 21)
- Re: Wayyy too many spoofed packets Mikael Olsson (Nov 21)
- <Possible follow-ups>
- Re: Wayyy too many spoofed packets Chris de Vidal (Nov 21)
- Re: Wayyy too many spoofed packets Frank Knobbe (Nov 21)
- RE: Re: Wayyy too many spoofed packets Bill Royds (Nov 21)
- RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
- RE: Re: Wayyy too many spoofed packets Chris de Vidal (Nov 23)
- RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
- RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
- RE: Re: Wayyy too many spoofed packets Daniel Linder (Nov 25)
- RE: Re: Wayyy too many spoofed packets Chris de Vidal (Nov 25)