Security Incidents mailing list archives

Re: Ip spoof from 0.0.0.0


From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 7 Nov 2002 17:03:57 -0800

  I too caught a whiff of this.

  But what's somewhat more worrying is that in the 
last week I've also seen probes of port 445 from 3
other addresses:

1.  1 packet with an IP source address that appears
to put it in China.

2.  half a dozen with the (spoofed) origin address of
a Cisco router on the edge of my network.

3.  several dozen with the (spoofed) origin address of
an Alcatel router at the core of my network.  Packets
with this origin address would have been blocked by
anti-spoofing rules at my border if they were coming 
from outside my network.

  Conclusion, then, is that I have a source for this 
traffic somewhere inside my network.

  Any hints what this traffic is really trying to do 
or what causes it?

David Gillett
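
An added example, not part of the original post: one way to carry out the triage the message describes, sorting port 445 probes by the source address they claim and grouping them by the frame's source MAC, since a forged IP source says nothing about the real sender. The prefixes, router addresses, MACs and records are constructed, and it assumes the sensor sits on the same segment as the sender.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed values: documentation prefixes stand in for the site's own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
# Hypothetical router addresses that should never originate port 445 probes.
ROUTER_ADDRS = {"192.0.2.1", "198.51.100.254"}

# Constructed sensor records: (source IP, destination port, frame source MAC).
SAMPLE = [
    ("0.0.0.0", 445, "00:00:5e:00:53:0a"),
    ("203.0.113.77", 445, "00:00:5e:00:53:01"),
    ("192.0.2.1", 445, "00:00:5e:00:53:0a"),
    ("198.51.100.254", 445, "00:00:5e:00:53:0a"),
    ("198.51.100.254", 445, "00:00:5e:00:53:0a"),
    ("192.0.2.40", 80, "00:00:5e:00:53:22"),
]

def classify(src):
    """Label a claimed source address the way the post sorts its probes."""
    ip = ipaddress.ip_address(src)
    if ip.is_unspecified:
        return "unspecified"
    if src in ROUTER_ADDRS:
        return "router-claimed"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"

def triage(records, port=445):
    """Count probe classes per frame source MAC for one destination port."""
    per_mac = defaultdict(Counter)
    for src, dport, mac in records:
        if dport == port:
            per_mac[mac][classify(src)] += 1
    return per_mac

def inside_suspects(records, port=445):
    """MACs that sent probes claiming a router address.

    Border anti-spoofing drops such packets when they arrive from outside,
    so the sender is inside the network; the MAC is the next thing to trace.
    """
    return sorted(mac for mac, c in triage(records, port).items() if c["router-claimed"])

if __name__ == "__main__":
    for mac, counts in triage(SAMPLE).items():
        print(mac, dict(counts))
    print("trace these MACs:", inside_suspects(SAMPLE))
```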


