Re: [fw-wiz] Wayyy too many spoofed packets
From: Chris de Vidal (chris_at_devidal.tv)
Date: 11/21/03
- Previous message: Chris de Vidal: "[fw-wiz] Wayyy too many spoofed packets"
- Maybe in reply to: Chris de Vidal: "[fw-wiz] Wayyy too many spoofed packets"
- Next in thread: Frank Knobbe: "Re: [fw-wiz] Wayyy too many spoofed packets"
- Reply: Frank Knobbe: "Re: [fw-wiz] Wayyy too many spoofed packets"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Bill@royds.net Date: Fri, 21 Nov 2003 14:35:56 -0500 (EST)
Sorry if I misunderstand you, but you're saying it's normal for packets
coming IN from the network to have my IP? See, that's my concern, not
broadcasts.
Netmask and broadcast match what you said:
/sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:50:DA:0C:04:6E
inet addr:172.19.2.200 Bcast:172.19.255.255 Mask:255.255.0.0
Again, I'm only concerned about spoofed packets; packets coming from the
outside in claiming to have my IP.
So is this normal?
/dev/idal
Bill Royds said:
> You have the default netmask set incorrectly (or not set at all) on host
> with IP 172.19.2.200. SMB uses broadcast by default if it has not been
> given a WINS address to find hosts and net 172.19.x.x is a class B which
> by default has a netmask of 255.255.0.0 and a broadcast address of
> 172.19.255.255.
>
> What you are seeing is perfectly normal for a Windows box with default
> windows network setup (broadcast for name resolution).
>
>> From: "Chris de Vidal" <chris@devidal.tv>
>> Date: 2003/11/21 Fri AM 10:27:36 EST
>> To: firewall-wizards@honor.icsalabs.com
>> Subject: [fw-wiz] Wayyy too many spoofed packets
>> I'm going to be installing firewalls on my internal servers (yes, I'm
>> paranoid) and right now I'm testing in flag-only mode (don't drop any
>> packets) on one server. So far, so good, except every day I get about 150
>> "spoofed" packets; packets claiming to be my IP coming INTO the NIC card.
>> Strangely, the destination is always my network's broadcast address.
>> Perhaps even more strangely, I'm seeing it only on SMB (UDP 137:138) and
>> backup traffic (UDP 20031) ports.
>> Here is the rule:
>> /sbin/iptables -A bad_packets \
>> -i eth0 -s 172.19.2.200 \
>> -m limit --limit 3/minute \
>> -j LOG --log-level INFO \
>> --log-prefix "Spoofed packet type 1 (bad): "
>> Here is the log:
>> Logged 142 packets on interface eth0
>> From 172.19.2.200 - 142 packets
>> To 172.19.255.255 - 142 packets
>> Service: netbios-ns (udp/137) (Spoofed packet type 1 (bad):,eth0,none) - 19 packets
>> Service: netbios-dgm (udp/138) (Spoofed packet type 1 (bad):,eth0,none) - 103 packets
>> (20031 is the backup port)
>> Service: 20031 (udp/20031) (Spoofed packet type 1 (bad):,eth0,none) - 20 packets
>> Ideas?
>> /dev/idal
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@honor.icsalabs.com
>> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
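As an added triage helper (not part of the thread above, and not something either poster ran), the script below reads raw kernel lines written by the iptables LOG target, derives the subnet broadcast from the address and netmask shown in the ifconfig output, and separates self-sourced packets aimed at that broadcast address from self-sourced packets aimed at a unicast address, which is the case the original question is actually worried about. The sample log lines are constructed for the example; the field names (IN, SRC, DST, PROTO, SPT, DPT) are the standard ones the LOG target emits.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the kernel's iptables LOG format (not the
# summarised report quoted in the post). Three target the broadcast
# address; the last one targets the host's own unicast address.
SAMPLE_LOG = """\
Nov 21 10:01:02 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= SRC=172.19.2.200 DST=172.19.255.255 LEN=78 TTL=128 ID=0 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 21 10:01:03 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= SRC=172.19.2.200 DST=172.19.255.255 LEN=243 TTL=128 ID=0 PROTO=UDP SPT=138 DPT=138 LEN=223
Nov 21 10:01:04 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= SRC=172.19.2.200 DST=172.19.255.255 LEN=64 TTL=64 ID=0 PROTO=UDP SPT=20031 DPT=20031 LEN=44
Nov 21 10:01:05 srv kernel: Spoofed packet type 1 (bad): IN=eth0 OUT= SRC=172.19.2.200 DST=172.19.2.200 LEN=60 TTL=55 ID=0 PROTO=TCP SPT=4444 DPT=139 WINDOW=5840 SYN
"""

# Key=value fields the LOG target writes; \b keeps "IN=" from matching "WINDOW=".
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT|TTL)=(\S*)")

def broadcast_for(ip, mask):
    """Directed broadcast address implied by an interface address and netmask."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return str(net.broadcast_address)

def parse_line(line):
    """Extract the fields we need from one iptables LOG line, or None."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields and "DST" in fields else None

def triage(log_text, my_ip, mask):
    """Count packets carrying our own source address, split by whether the
    destination is the subnet broadcast (expected with broadcast-heavy
    protocols such as NetBIOS) or a unicast address (worth investigating)."""
    bcast = broadcast_for(my_ip, mask)
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["SRC"] != my_ip:
            continue
        kind = "to-broadcast" if f["DST"] == bcast else "to-unicast"
        service = f"{f.get('PROTO', '?').lower()}/{f.get('DPT', '?')}"
        counts[(kind, f.get("IN", "?"), service)] += 1
    return counts

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "172.19.2.200", "255.255.0.0")
    for (kind, iface, service), n in sorted(report.items()):
        print(f"{kind:13} {iface:5} {service:10} {n} packets")
```

Feed it the host's syslog lines that carry the rule's --log-prefix; anything counted under to-unicast deserves a closer look than the broadcast-bound entries.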