Re: [fw-wiz] Wayyy too many spoofed packets

From: Chris de Vidal (
Date: 11/21/03

    Date: Fri, 21 Nov 2003 14:35:56 -0500 (EST)

    Sorry if I misunderstand you, but you're saying it's normal for packets
    coming IN from the network to have my IP? See, that's my concern, not

    Netmask and broadcast match what you said:
    eth0 Link encap:Ethernet HWaddr 00:50:DA:0C:04:6E
              inet addr: Bcast: Mask:

    Again, I'm only concerned about spoofed packets; packets coming from the
    outside in claiming to have my IP.

    So is this normal?


    Bill Royds said:
    > You have the default netmask set incorrectly (or not set at all) on host
    > with IP SMB uses broadcast by default if it has not been
    > given a WINS address to find hosts and net 172.19.x.x is a class B which
    > by default has a netmask of and a broadcast address of
    > What you are seeing is perfectly normal for a Windows box with
    > windows network setup (broadcast for name resolution).
    >> From: "Chris de Vidal" <>
    >> Date: 2003/11/21 Fri AM 10:27:36 EST
    >> To:
    >> Subject: [fw-wiz] Wayyy too many spoofed packets
    >> I'm going to be installing firewalls on my internal servers (yes, I'm
    >> paranoid) and right now I'm testing in flag-only mode (don't drop any
    >> packets) on one server. So-far, so-good, except every day I get about
    >> "spoofed" packets; packets claiming to be my IP coming INTO the NIC card.
    >> Strangely, the destination is always my network's broadcast address.
    >> Perhaps even more strangely is I'm seeing it only on SMB (UDP 137:138)
    >> and backup traffic (UDP 20031) ports.
    >> Here is the rule:
    >> /sbin/iptables -A bad_packets \
    >> -i eth0 -s \
    >> -m limit --limit 3/minute \
    >> -j LOG --log-level INFO \
    >> --log-prefix "Spoofed packet type 1 (bad): "
    >> Here is the log:
    >> Logged 142 packets on interface eth0
    >> From - 142 packets
    >> To - 142 packets
    >> Service: netbios-ns (udp/137) (Spoofed packet type 1
    >> (bad):,eth0,none) - 19 packets
    >> Service: netbios-dgm (udp/138) (Spoofed packet type 1
    >> (bad):,eth0,none) - 103 packets
    >> (20031 is the backup port)
    >> Service: 20031 (udp/20031) (Spoofed packet type 1
    >> (bad):,eth0,none)
    >> - 20 packets
    >> Ideas?
    >> /dev/idal
    >> _______________________________________________
    >> firewall-wizards mailing list
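
Added example, not part of the original thread: a Python triage of iptables LOG lines like those summarized above, separating packets that carry the host's own source address to a broadcast destination (the pattern Bill Royds describes) from unicast packets claiming that address. The interface address 172.19.5.10/24, the sample log lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the kernel's iptables LOG format; the host
# address 172.19.5.10 is an assumption (the post's real address is not shown).
SAMPLE_LOG = """\
Nov 21 10:01:02 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= SRC=172.19.5.10 DST=172.19.5.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 21 10:01:09 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= SRC=172.19.5.10 DST=172.19.255.255 LEN=229 TTL=64 PROTO=UDP SPT=138 DPT=138 LEN=209
Nov 21 10:02:30 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= SRC=172.19.5.10 DST=172.19.255.255 LEN=60 TTL=64 PROTO=UDP SPT=20031 DPT=20031 LEN=40
Nov 21 10:03:44 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= SRC=172.19.5.10 DST=172.19.5.10 LEN=60 TTL=51 PROTO=TCP SPT=4431 DPT=22 LEN=40
"""

FIELD = re.compile(r"\b(IN|SRC|DST|PROTO|DPT)=(\S*)")

def broadcast_addresses(iface_cidr):
    """Broadcast destinations for this host: configured subnet, classful net, limited."""
    iface = ipaddress.ip_interface(iface_cidr)
    first_octet = int(iface.ip) >> 24
    classful_len = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    classful = ipaddress.ip_network(f"{iface.ip}/{classful_len}", strict=False)
    return {str(iface.network.broadcast_address), str(classful.broadcast_address),
            "255.255.255.255"}

def triage(log_text, iface_cidr, prefix="Spoofed packet type 1"):
    """Count logged packets per (verdict, proto/port) for one interface address."""
    own = str(ipaddress.ip_interface(iface_cidr).ip)
    bcasts = broadcast_addresses(iface_cidr)
    counts = Counter()
    for line in log_text.splitlines():
        if prefix not in line:
            continue
        f = dict(FIELD.findall(line))
        if "SRC" not in f or "DST" not in f:
            counts[("unparsed", "-")] += 1
            continue
        if f["SRC"] != own:
            verdict = "other-source"
        elif f["DST"] in bcasts:
            verdict = "own-src-broadcast"   # the pattern discussed in the thread
        else:
            verdict = "own-src-unicast"     # our address, unicast destination: look closer
        counts[(verdict, f"{f.get('PROTO', '?').lower()}/{f.get('DPT', '-')}")] += 1
    return counts

if __name__ == "__main__":
    for (verdict, service), n in sorted(triage(SAMPLE_LOG, "172.19.5.10/24").items()):
        print(f"{verdict:18} {service:10} {n}")
```

Running the same lines with `172.19.5.10/16` moves the packet to 172.19.5.255 into the unicast bucket, which shows how the configured netmask decides what the host treats as a broadcast.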
