Re: [fw-wiz] Wayyy too many spoofed packets
From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 11/22/03
- Previous message: Bill Royds: "RE: Re: [fw-wiz] Wayyy too many spoofed packets"
- In reply to: Chris de Vidal: "[fw-wiz] Wayyy too many spoofed packets"
To: Chris de Vidal <chris@devidal.tv>
Date: Sat, 22 Nov 2003 01:32:19 +0100
Chris de Vidal wrote:
>
> I'm going to be installing firewalls on my internal servers (yes, I'm
> paranoid) and right now I'm testing in flag-only mode (don't drop any
> packets) on one server. So far, so good, except every day I get about 150
> "spoofed" packets; packets claiming to be my IP coming INTO the NIC card.
> Strangely, the destination is always my network's broadcast address.
> Perhaps even more strangely, I'm seeing it only on SMB (UDP 137:138) and
> backup traffic (UDP 20031) ports.
There's a bunch of busted routers and L3 switches that will sometimes
pick up broadcasts and re-send them. (Yes, very bad. The fact that
your network hasn't gone down the toilet yet is that it only happens
_some_ of the time, not for every single packet.)
Take a closer look at the source MAC address and you'll likely find
the offending router/switch.
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
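The source-MAC check suggested in the reply above, as an added example that is not part of the original message: it parses captured Ethernet frames and counts, per source MAC and UDP port, the broadcasts that claim the host's own IP but were not sent by the host's own NIC. The function names, addresses and frames are all constructed for illustration (documentation IP range, locally administered MACs).

```python
import struct
from collections import Counter

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def parse_udp_frame(frame):
    """Return (src_mac, src_ip, dst_ip, dst_port) for an untagged IPv4/UDP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17 or len(frame) < 14 + ihl + 8:
        return None
    (dport,) = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])
    return fmt_mac(frame[6:12]), fmt_ip(frame[26:30]), fmt_ip(frame[30:34]), dport

def resenders(frames, own_ip, own_mac, broadcast_ip):
    """Count (source MAC, UDP port) for broadcasts that claim own_ip but did not come from own_mac."""
    hits = Counter()
    for frame in frames:
        parsed = parse_udp_frame(frame)
        if not parsed:
            continue
        src_mac, src_ip, dst_ip, dport = parsed
        if src_ip == own_ip and dst_ip == broadcast_ip and src_mac != own_mac.lower():
            hits[(src_mac, dport)] += 1
    return hits

def build_frame(src_mac, src_ip, dst_ip, dport):
    """Construct a minimal broadcast Ethernet/IPv4/UDP frame for the sample data (checksums left zero)."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + iph + struct.pack("!HHHH", dport, dport, 8, 0)

# Constructed sample: documentation addresses and locally administered MACs.
OWN_IP, OWN_MAC, BCAST = "192.0.2.10", "02:00:00:00:00:10", "192.0.2.255"
SAMPLE = [
    build_frame("02:00:00:00:00:fe", OWN_IP, BCAST, 137),    # re-sent copy
    build_frame("02:00:00:00:00:fe", OWN_IP, BCAST, 137),    # re-sent copy
    build_frame("02:00:00:00:00:fe", OWN_IP, BCAST, 20031),  # re-sent copy
    build_frame("02:00:00:00:00:20", "192.0.2.20", BCAST, 138),  # another host's own broadcast
    build_frame(OWN_MAC, OWN_IP, BCAST, 138),                # frame carrying our own NIC's MAC
]

if __name__ == "__main__":
    for (src_mac, dport), n in sorted(resenders(SAMPLE, OWN_IP, OWN_MAC, BCAST).items()):
        print(f"{src_mac} udp/{dport}: {n} frame(s) claiming {OWN_IP}")
```

A MAC that keeps appearing in this tally can then be looked up in the switch's forwarding table or the ARP cache to identify the device.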