RE: Re: [fw-wiz] Wayyy too many spoofed packets

From: Frank Knobbe (frank_at_knobbe.us)
Date: 11/22/03

  • Next message: Luca Berra: "Re: [fw-wiz] PIX 500 as ROUTER ONLY"
    To: Chris de Vidal <chris@devidal.tv>
    Date: Fri, 21 Nov 2003 23:03:12 -0600
    
    
    

    On Fri, 2003-11-21 at 22:52, Chris de Vidal wrote:
    > So why do I see so many inbound packets from the network coming through
    > eth0 with my IP? The only explanation that makes sense is a router
    > somewhere rebroadcasting packets...

    Those are packets FROM your IP for the network. They're not spoofed,
    your box sends them to the network.

    +--------+   +----+
    |Your Box|---|eth0|---> network
    +--------+   +----+

    172.19.2.200 -> 172.19.255.255

    netfilter logs that packet that is trying to leave your box. There are no
    spoofed packets.

    If you turn your box off, and use a different machine with tcpdump,
    sniff the traffic and STILL capture packets with the turned off IP
    address, then I believe you have spoofed packets floating around :)
    Until then, the way I see your description is that you are
    logging/blocking VALID packets FROM your box to the network.

    Regards,
    Frank

    
    

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
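
Added example, not part of the original message or of netfilter itself: one way to check the point made in the reply from the firewall's own logs is to look at the `IN=`/`OUT=` fields that the netfilter LOG target writes, since a packet the box is sending has an empty `IN=`, while a packet that arrived from the wire has `IN=eth0`. The sample lines, the `SPOOF? ` log prefix and the host name `fw` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG target's format (not from the thread).
SAMPLE_LOG = """\
Nov 21 22:40:01 fw kernel: SPOOF? IN= OUT=eth0 SRC=172.19.2.200 DST=172.19.255.255 LEN=229 TTL=64 PROTO=UDP SPT=138 DPT=138
Nov 21 22:40:07 fw kernel: SPOOF? IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:5a:aa:bb:cc:08:00 SRC=172.19.2.200 DST=172.19.255.255 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137
Nov 21 22:40:09 fw kernel: SPOOF? IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:10:5a:dd:ee:ff:08:00 SRC=172.19.2.17 DST=172.19.255.255 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137
Nov 21 22:40:12 fw kernel: SPOOF? IN=lo OUT= SRC=172.19.2.200 DST=172.19.2.200 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=25
Nov 21 22:40:15 fw sshd[812]: session opened for user root
"""

# KEY=value pairs as written by the LOG target; the value may be empty ("IN= ").
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def classify(line, own_ip):
    """Classify one log line relative to the firewall's own address.

    Returns None for lines that are not netfilter LOG output.
    """
    fields = dict(FIELD.findall(line))
    if not {"IN", "OUT", "SRC"} <= fields.keys():
        return None
    if fields["SRC"] != own_ip:
        return "other"
    if fields["IN"] == "lo":
        return "loopback"            # local traffic over lo, never on the wire
    if not fields["IN"] and fields["OUT"]:
        return "outbound-local"      # the box's own packet leaving (OUTPUT chain)
    if fields["IN"]:
        return "inbound-own-source"  # came in from the wire carrying our address
    return "other"


def summarize(log_text, own_ip):
    """Count classifications over a whole log, skipping non-netfilter lines."""
    results = (classify(line, own_ip) for line in log_text.splitlines())
    return Counter(r for r in results if r is not None)


if __name__ == "__main__":
    for kind, count in summarize(SAMPLE_LOG, "172.19.2.200").items():
        print(f"{kind}: {count}")
```

Only the `inbound-own-source` lines are candidates for the separate-machine tcpdump check described in the message; `outbound-local` lines mean the logging rule is matching the box's own traffic.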


