Re: [fw-wiz] Wayyy too many spoofed packets

From: Paul Robertson (proberts_at_patriot.net)
Date: 11/21/03

    To: Chris de Vidal <chris@devidal.tv>
    Date: Fri, 21 Nov 2003 15:22:43 -0500 (EST)
    
    

    On Fri, 21 Nov 2003, Chris de Vidal wrote:

    > I'm going to be installing firewalls on my internal servers (yes, I'm
    > paranoid) and right now I'm testing in flag-only mode (don't drop any
    > packets) on one server. So-far, so-good, except every day I get about 150
    > "spoofed" packets; packets claiming to be my IP coming INTO the NIC card.
    > Strangely, the destination is always my network's broadcast address.
    > Perhaps even more strangely is I'm seeing it only on SMB (UDP 137:138) and
    > backup traffic (UDP 20031) ports.

    It's probably just weird broadcast handling, since once your workstation
    puts the packets out on the wire, and the destination is broadcast, it's
    obligated to accept them off the wire so that an application can handle
    them.

    > Ideas?

    If the workstation sending them is the correct MAC address, try the same
    thing on an isolated segment, with a virtual network, or whatever and
    confirm the behaviour.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson          "My statements in this message are personal opinions
    proberts@patriot.net       which may have no basis whatsoever in fact."
    probertson@trusecure.com   Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
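The MAC-address check suggested in the reply can be run over the firewall's own log. The following is an added example, not part of the original message: it assumes the flagged packets are logged in the Linux netfilter LOG layout (the thread does not say which firewall is in use), and the host address, MAC addresses and log lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_interface

# Assumed identity of the host under test (constructed values).
LOCAL_IF = ip_interface("192.0.2.10/24")
LOCAL_MAC = "00:11:22:33:44:55"

# Constructed sample lines. In the netfilter LOG layout the MAC= field is
# destination MAC (6 bytes), source MAC (6 bytes), then EtherType (2 bytes).
SAMPLE_LOG = """\
kernel: SPOOF IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=192.0.2.255 PROTO=UDP SPT=137 DPT=137
kernel: SPOOF IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=192.0.2.255 PROTO=UDP SPT=20031 DPT=20031
kernel: SPOOF IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ee:08:00 SRC=192.0.2.10 DST=192.0.2.255 PROTO=UDP SPT=138 DPT=138
kernel: SPOOF IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.0.2.10 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=22
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def classify(line, local_if=LOCAL_IF, local_mac=LOCAL_MAC):
    """Label one logged packet that claims the local IP as its source."""
    f = dict(FIELD.findall(line))
    octets = f.get("MAC", "").lower().split(":")
    if "SRC" not in f or "DST" not in f or len(octets) < 12:
        return "unparsed"
    if ip_address(f["SRC"]) != local_if.ip:
        return "not-self-sourced"
    src_mac = ":".join(octets[6:12])
    dst = ip_address(f["DST"])
    to_broadcast = dst in (local_if.network.broadcast_address,
                           ip_address("255.255.255.255"))
    if src_mac == local_mac.lower():
        # Frame left this NIC and was received back: broadcast handling.
        return "own-broadcast-echo" if to_broadcast else "own-mac-unicast"
    # Another NIC is using this host's IP: duplicate address or real spoofing.
    return "foreign-mac"


def summarize(log_text):
    """Count classifications over every non-empty log line."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{count:4d}  {label}")
```

Only the `foreign-mac` lines need follow-up on the wire; the `own-broadcast-echo` lines match the broadcast-handling explanation given in the reply.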

