Security Incidents mailing list archives

Re: spoofed packets to RFC 1918 addresses


From: "Robert E. Lee" <rel () leefam org>
Date: Wed, 26 Jun 2002 16:54:37 -0700 (PDT)

On 26 Jun 2002, Dirk Koopman wrote:
> There seems to be a "tool" about, which is somehow able to
> detect valid rfc1918 addresses behind a NATed firewall and is spoofing
> from addresses using random (usually non-existent) addresses from the
> class C on the internet side of that firewall.

My organization saw some connection attempts to an rfc1918 space on our
firewall in the past few days as well.  Specifically IPs in the
192.168.1.0/24 space, and specifically on tcp port 137.  The firewall
marked the packets as being spoofed, and dropped them.

As a side note, we have no internal addresses in the 192.168.1.0/24 space.
I've not yet determined what has generated the traffic, but I think it's
guessing more than detecting valid addresses.

Robert

