Re: [fw-wiz] Wayyy too many spoofed packets

From: Chris de Vidal (chris_at_devidal.tv)
Date: 11/21/03

  • Next message: Dario Calia: "[fw-wiz] PIX 500 as ROUTER ONLY"
    To: Bill@royds.net
    Date: Fri, 21 Nov 2003 14:35:56 -0500 (EST)
    
    

    Sorry if I misunderstand you, but you're saying it's normal for packets
    coming IN from the network to have my IP? See, that's my concern, not
    broadcasts.

    Netmask and broadcast match what you said:
    /sbin/ifconfig
    eth0 Link encap:Ethernet HWaddr 00:50:DA:0C:04:6E
              inet addr:172.19.2.200 Bcast:172.19.255.255 Mask:255.255.0.0

    Again, I'm only concerned about spoofed packets; packets coming from the
    outside in claiming to have my IP.

    So is this normal?

    /dev/idal

    Bill Royds said:
    > You have the default netmask set incorrectly (or not set at all) on host
    > with IP 172.19.2.200. SMB uses broadcast by default if it has not been
    > given a WINS address to find hosts and net 172.19.x.x is a class B which
    > by default has a netmask of 255.255.0.0 and a broadcast address of
    > 172.19.255.255.
    >
    > What you are seeing is perfectly normal for a Windows box with default
    > windows network setup (broadcast for name resolution).
    >
    >> From: "Chris de Vidal" <chris@devidal.tv>
    >> Date: 2003/11/21 Fri AM 10:27:36 EST
    >> To: firewall-wizards@honor.icsalabs.com
    >> Subject: [fw-wiz] Wayyy too many spoofed packets
    >>
    >> I'm going to be installing firewalls on my internal servers (yes, I'm
    >> paranoid) and right now I'm testing in flag-only mode (don't drop any
    >> packets) on one server. So far, so good, except every day I get about 150
    >> "spoofed" packets; packets claiming to be my IP coming INTO the NIC card.
    >> Strangely, the destination is always my network's broadcast address.
    >> Perhaps even more strangely, I'm seeing it only on SMB (UDP 137:138) and
    >> backup traffic (UDP 20031) ports.
    >>
    >> Here is the rule:
    >> /sbin/iptables -A bad_packets \
    >>     -i eth0 -s 172.19.2.200 \
    >>     -m limit --limit 3/minute \
    >>     -j LOG --log-level INFO \
    >>     --log-prefix "Spoofed packet type 1 (bad): "
    >>
    >> Here is the log:
    >> Logged 142 packets on interface eth0
    >> From 172.19.2.200 - 142 packets
    >> To 172.19.255.255 - 142 packets
    >> Service: netbios-ns (udp/137) (Spoofed packet type 1
    >> (bad):,eth0,none) - 19 packets
    >> Service: netbios-dgm (udp/138) (Spoofed packet type 1
    >> (bad):,eth0,none) - 103 packets
    >> (20031 is the backup port)
    >> Service: 20031 (udp/20031) (Spoofed packet type 1
    >> (bad):,eth0,none) - 20 packets
    >>
    >> Ideas?
    >>
    >> /dev/idal
    >> _______________________________________________
    >> firewall-wizards mailing list
    >> firewall-wizards@honor.icsalabs.com
    >> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
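An added example for this thread (it is not code from either poster): a small Python script that takes raw kernel log lines written by the iptables LOG target (the IN=/OUT=/MAC=/SRC=/DST=/PROTO=/DPT= format) and separates the two cases the thread is arguing about. Packets whose source is the host's own address and whose destination is the subnet's broadcast address (computed from the address and netmask, the same arithmetic Bill Royds does by hand) are counted as local broadcasts; packets whose source is the host's own address but whose destination is a unicast address are counted as spoof candidates. It also reads the source MAC out of the MAC= field and compares it with the eth0 HWaddr from the ifconfig output, so that a frame another station put on the wire with our IP stands out from one that left this host. The address, netmask and MAC are the ones shown in the thread; the log lines are constructed to match the LOG format and are not the poster's real logs.

```python
"""Sort iptables LOG lines that carry the host's own address as source.

Added example for this thread; it is not code from either poster. The address,
netmask and hardware address are the ones the ifconfig output in the thread
shows. The log lines are constructed to match the format the iptables LOG
target writes (IN= OUT= MAC= SRC= DST= PROTO= SPT= DPT=); they are not the
poster's real logs.
"""
import ipaddress
import re
from collections import Counter

HOST_IP = "172.19.2.200"          # inet addr from the thread's ifconfig output
NETMASK = "255.255.0.0"           # Mask from the same output
HOST_MAC = "00:50:da:0c:04:6e"    # eth0 HWaddr from the same output
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample: three own-IP-to-broadcast packets on the ports the thread
# mentions, plus one own-IP-to-unicast packet sent from a different source MAC.
SAMPLE_LOG = """\
Nov 21 10:01:02 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:da:0c:04:6e:08:00 SRC=172.19.2.200 DST=172.19.255.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 21 10:01:03 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:da:0c:04:6e:08:00 SRC=172.19.2.200 DST=172.19.255.255 LEN=229 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=209
Nov 21 10:01:05 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:da:0c:04:6e:08:00 SRC=172.19.2.200 DST=172.19.255.255 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=20031 DPT=20031 LEN=40
Nov 21 10:02:10 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= MAC=00:50:da:0c:04:6e:00:11:22:33:44:55:08:00 SRC=172.19.2.200 DST=172.19.2.200 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4711 PROTO=TCP SPT=1025 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return a dict of KEY=value fields from one LOG line, or None without SRC/DST.

    The LOG target writes LEN= twice (IP total length, then UDP length); the
    first occurrence is kept. Flag words without '=' such as DF and SYN are
    ignored.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields


def source_mac(fields):
    """Source MAC from the MAC= field, which is dst MAC, src MAC, ethertype."""
    octets = fields.get("MAC", "").split(":")
    if len(octets) < 12:
        return None
    return ":".join(octets[6:12])


def classify(fields, host_ip=HOST_IP, netmask=NETMASK):
    """Classify a packet parsed from a LOG line.

    'local-broadcast': source is our address and destination is our subnet's
        directed broadcast (derived from address and netmask) or the limited
        broadcast 255.255.255.255. This is what the poster sees on udp/137,
        udp/138 and udp/20031.
    'spoof-candidate': source is our address but destination is unicast. A
        frame like that arriving on eth0 deserves a closer look.
    'other': source is not our address; not this rule's concern.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if src != iface.ip:
        return "other"
    if dst in (iface.network.broadcast_address, LIMITED_BROADCAST):
        return "local-broadcast"
    return "spoof-candidate"


def summarize(log_text, host_ip=HOST_IP, netmask=NETMASK, host_mac=HOST_MAC):
    """Count own-source packets keyed by (class, MAC origin, 'proto/dport').

    'own-mac' means the frame's source MAC is this host's HWaddr, so the frame
    left this host (or a station forging both addresses); 'foreign-mac' means
    another station on the segment put our IP address on the wire.
    """
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        cls = classify(fields, host_ip, netmask)
        if cls == "other":
            continue
        origin = "own-mac" if source_mac(fields) == host_mac else "foreign-mac"
        service = f"{fields.get('PROTO', '?').lower()}/{fields.get('DPT', '?')}"
        counts[(cls, origin, service)] += 1
    return counts


if __name__ == "__main__":
    for (cls, origin, service), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{cls:16} {origin:12} {service:10} {n} packets")
```

Run it against a real kernel log (for example `grep 'Spoofed packet' /var/log/messages`) in place of SAMPLE_LOG; anything that lands in the spoof-candidate or foreign-mac buckets is the part of the 142 packets a day worth investigating, while own-mac local-broadcast entries are frames this host itself sent to the broadcast address.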

