Firewall Wizards mailing list archives
Re: Wayyy too many spoofed packets
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sat, 22 Nov 2003 01:32:19 +0100
Chris de Vidal wrote:
I'm going to be installing firewalls on my internal servers (yes, I'm paranoid) and right now I'm testing in flag-only mode (don't drop any packets) on one server. So-far, so-good, except every day I get about 150 "spoofed" packets; packets claiming to be my IP coming INTO the NIC card. Strangely, the destination is always my network's broadcast address. Perhaps even more strangely is I'm seeing it only on SMB (UDP 137:138) and backup traffic (UDP 20031) ports.
There's a bunch of busted routers and L3 switches that will sometimes pick up broadcasts and re-send them. (Yes, very bad. The fact that your network hasn't gone down the toilet yet is that it only happens _some_ of the time, not for every single packet.) Take a closer look at the source MAC address and you'll likely find the offending router/switch. -- Mikael Olsson, Clavister AB Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05 Fax: +46 (0)660 122 50 WWW: http://www.clavister.com _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Wayyy too many spoofed packets Chris de Vidal (Nov 21)
- Re: Wayyy too many spoofed packets Paul Robertson (Nov 21)
- Re: Wayyy too many spoofed packets Chris de Vidal (Nov 23)
- Message not available
- RE: Wayyy too many spoofed packets Chris de Vidal (Nov 21)
- Re: Wayyy too many spoofed packets Paul Robertson (Nov 21)
- Re: Wayyy too many spoofed packets Mikael Olsson (Nov 21)
- <Possible follow-ups>
- Re: Wayyy too many spoofed packets Chris de Vidal (Nov 21)
- Re: Wayyy too many spoofed packets Frank Knobbe (Nov 21)
- RE: Re: Wayyy too many spoofed packets Bill Royds (Nov 21)
- RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
- RE: Re: Wayyy too many spoofed packets Chris de Vidal (Nov 23)
- RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
- RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
- RE: Re: Wayyy too many spoofed packets Daniel Linder (Nov 25)
- RE: Re: Wayyy too many spoofed packets Chris de Vidal (Nov 25)