Re: possible causes of source and destination ip from external network

• Previous message: Wozny, Scott (US - New York): "RE: ssh and ids"
• In reply to: Annie Green: "possible causes of source and destination ip from external network"
• Next in thread: Jose Nazario: "Re: possible causes of source and destination ip from external network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 22 Jun 2004 06:57:57 -0700 (PDT)
To: Annie Green <annie_r_green@hotmail.com>, focus-ids@securityfocus.com

The better question to ask is why is this packet on my
network? As the question you asked is to ambiguous to
answer with the information provided. There could be
many reasons for triggering the alert.

I would initially think that it is a packet with a
spoofed source that originated from the inside of your
network but it could also be misconfiguration or
routing errors by your service provider.

Routers / firewalls should be configured to drop
anything not sourced from your internal network. That
helps protect others networks from spoofed packets
leaving your network. Don't want to be the source of
an attack now do we? ;-)

-Adam

> What would be the possible causes of the IDS alert
> that shows source ip and
> destination ip from external network? Also, why did
> the router route this
> packet in the first place?

        
                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
http://promotions.yahoo.com/new_mail

---------------------------------------------------------------------------

---------------------------------------------------------------------------

• Previous message: Wozny, Scott (US - New York): "RE: ssh and ids"
• In reply to: Annie Green: "possible causes of source and destination ip from external network"
• Next in thread: Jose Nazario: "Re: possible causes of source and destination ip from external network"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]