Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Ip spoof from 0.0.0.0

From: Mike Lewinski <mike () rockynet com>
Date: Wed, 06 Nov 2002 11:05:46 -0700
Frank Cheong wrote:


In-Reply-To:

o yes, I also get these kind of attack these few days while some of them

leaving a MAC Address 00.30.B6.D0.3C.EC so what can I do to stop these

attack now ? As all I got is only a MAC address.
Your pix already stopped it. That MAC address is whatever device your pix is connected to on the outside interface (if not, then a source of what everyone else here is seeing is on your DMZ!).
You can only see local MAC addresses, due to the nature of how layer2 <-> layer3 conversions work.
If you don't want the pix to drop the traffic, create an acl on your upstream router and block at the edge, or ask your ISP to do the same per: 

http://www.cymru.com/Documents/secure-ios-template.html

Mike



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: