Firewall Wizards mailing list archives

Re: Wayyy too many spoofed packets


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sat, 22 Nov 2003 01:32:19 +0100



Chris de Vidal wrote:

I'm going to be installing firewalls on my internal servers (yes, I'm
paranoid) and right now I'm testing in flag-only mode (don't drop any
packets) on one server.  So far, so good, except every day I get about 150
"spoofed" packets; packets claiming to be my IP coming INTO the NIC card.
Strangely, the destination is always my network's broadcast address.
Perhaps even more strangely, I'm seeing it only on SMB (UDP 137:138) and
backup traffic (UDP 20031) ports.

There's a bunch of busted routers and L3 switches that will sometimes
pick up broadcasts and re-send them.  (Yes, very bad. The reason that
your network hasn't gone down the toilet yet is that it only happens
_some_ of the time, not for every single packet.)

Take a closer look at the source MAC address and you'll likely find
the offending router/switch.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
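
The source-MAC check suggested in the reply, as an added example that is not part of the original post: it tallies frames that carry the host's own source IP but were sent by a different MAC. The host IP and MAC, the sample lines (constructed, in the shape of `tcpdump -e -n` output) and the function name are assumptions.

```python
import re
from collections import Counter

# Assumed values for this host (documentation ranges, not from the post).
MY_IP = "192.0.2.10"
MY_MAC = "00:00:5e:00:53:0a"

# Constructed sample lines shaped like `tcpdump -e -n` output; not real capture data.
SAMPLE = """\
01:32:19.100000 00:00:5e:00:53:0a > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.0.2.10.137 > 192.0.2.255.137: UDP, length 50
01:32:19.100450 00:00:5e:00:53:fe > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.0.2.10.137 > 192.0.2.255.137: UDP, length 50
01:32:20.000000 00:00:5e:00:53:14 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 243: 192.0.2.20.138 > 192.0.2.255.138: UDP, length 201
01:32:25.300000 00:00:5e:00:53:fe > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 192.0.2.10.137 > 192.0.2.255.137: UDP, length 50
01:33:02.500000 00:00:5e:00:53:0a > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 192.0.2.10.20031 > 192.0.2.255.20031: UDP, length 32
01:33:02.500610 00:00:5e:00:53:fe > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 192.0.2.10.20031 > 192.0.2.255.20031: UDP, length 32
"""

# timestamp, source MAC > destination MAC, then source IP.port > destination IP.port
LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP",
    re.IGNORECASE,
)


def resenders(text, my_ip=MY_IP, my_mac=MY_MAC):
    """Count frames with our source IP that another MAC put on the wire.

    Returns a Counter keyed by (source MAC, destination UDP port).
    """
    hits = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if m is None:
            continue  # not an IPv4/UDP line in the assumed format
        if m["sip"] == my_ip and m["smac"].lower() != my_mac.lower():
            hits[(m["smac"].lower(), int(m["dport"]))] += 1
    return hits


if __name__ == "__main__":
    for (mac, port), count in resenders(SAMPLE).most_common():
        print(f"{mac} re-sent {count} frame(s) with our source IP to UDP {port}")
```

The MAC that dominates the tally can then be looked up in the switch's forwarding table to locate the device.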

