[fw-wiz] Wayyy too many spoofed packets

From: Chris de Vidal (chris_at_devidal.tv)
Date: 11/21/03

  • Next message: Chris de Vidal: "Re: [fw-wiz] Wayyy too many spoofed packets" 
    To: firewall-wizards@honor.icsalabs.com
Date: Fri, 21 Nov 2003 10:27:36 -0500 (EST)

    I'm going to be installing firewalls on my internal servers (yes, I'm
    paranoid) and right now I'm testing in flag-only mode (don't drop any
    packets) on one server. So-far, so-good, except every day I get about 150
    "spoofed" packets; packets claiming to be my IP coming INTO the NIC card.
    Strangely, the destination is always my network's broadcast address.
    Perhaps even more strangely is I'm seeing it only on SMB (UDP 137:138) and
    backup traffic (UDP 20031) ports.

    Here is the rule:
    /sbin/iptables -A bad_packets \
        -i eth0 -s 172.19.2.200 \
        --m limit --limit 3/minute \
        --j LOG --log-level INFO \
        --log-prefix "Spoofed packet type 1 (bad): "

    Here is the log:
    Logged 142 packets on interface eth0
      From 172.19.2.200 - 142 packets
        To 172.19.255.255 - 142 packets
          Service: netbios-ns (udp/137) (Spoofed packet type 1
    (bad):,eth0,none) - 19 packets
          Service: netbios-dgm (udp/138) (Spoofed packet type 1
    (bad):,eth0,none) - 103 packets
          (20031 is the backup port)
          Service: 20031 (udp/20031) (Spoofed packet type 1 (bad):,eth0,none)
    - 20 packets

    Ideas?
    /dev/idal
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Chris de Vidal: "Re: [fw-wiz] Wayyy too many spoofed packets"

    Relevant Pages

    • Re: UPD better than TCP in streaming video/audio ?
      ... > UDP gains speed over TCP because it carries no information that would ... it doesn't even know that packets were lost. ... which is perfect for UDP. ... > Finally, there's the possibility of multicast data - for instance, a live ...
      (microsoft.public.win32.programmer.networks)
    • Re: Linux equivalent for ioctlsocket(FIONREAD) on datagram sockets
      ... Imagine that fast CPU sends a burst of UDP ... spirit of UDP standard should do in that particular case? ... blocking a clling thread until the NIC hardware ... reads one or more packets from socket's send buffer freeing up space ...
      (comp.os.linux.development.apps)
    • Re: NTP and Firewall help needed.
      ... >>port 123 for udp and tcp. ... The action here is applied for packets that fall off ... > - ACCEPT any and all traffic coming from the localhost interface ...
      (comp.os.linux.setup)
    • Re: Possible bug in .Net 2.0 udp sockets?
      ... You won't miss any UDP packets with a buffer that large! ... R> I called BeginReceiveFrom() several times on purpose, ... If you don't do that, indeed, UDP stack can drop packets. ... it stores it in the queue. ...
      (microsoft.public.dotnet.framework)
    • Re: UDP vs TCP
      ... I understand that UDP doesn't guarantee proper delivery of the message, that's why we have to add the CRC to the message to check if the message received is correct. ... TCP for instance will break up a large packet into smaller ... > into the packets and then the receiving app would have to read ...
      (microsoft.public.vb.enterprise)