Re: possible causes of source and destination ip from external network

From: Mike Frantzen (frantzen_at_w4g.org)
Date: 06/22/04

    Date: Tue, 22 Jun 2004 09:38:27 -0400
    To: Annie Green <annie_r_green@hotmail.com>
    
    

    > What would be the possible causes of the IDS alert that shows source ip and
    > destination ip from external network? Also, why did the router route this
    > packet in the first place?
     
    #1 Forged source IP addresses. Probably someone internal infected with
    a UDP based worm or a DoS.

    #2 Your DHCP server was on the fritz. DHCP clients will return to their
    last known config if they can't find any DHCP servers on the network.
    Typically someone brought their laptop from home or just got back from a
    business trip. The packet shouldn't be routed past the local network in
    this case. Do a reverse lookup or an ARIN whois on the source IP; is it
    a DSL/cable provider or a hotel chain?

    #3 Someone put their laptop in hibernation on one network and awoke the
    laptop on yours.

    #4 Older Windows. I've seen older Windows machines (again, laptops)
    mysteriously and spuriously start sending traffic with one of their past
    IP addresses (after repeated reboots). It's been a while but IIRC it was
    sent to the MAC address of the right gateway.

    At the least you should make sure you have some type of egress filtering
    on your external firewall or router.

    .mike
    frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
    PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28
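
One way to triage the four causes listed in the reply above, as an added example that is not part of the original post: group external-to-external packets by source MAC and separate hosts cycling through many foreign source addresses (#1) from hosts stuck on a single one (#2 to #4). The internal prefix, the threshold, the record layout and the sample data are assumptions, and the MAC is only meaningful when the sensor sits on the same LAN segment as the sender.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's internal prefix (a documentation range stands in for it).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample: (source MAC, source IP, destination IP) as seen by a
# sensor on the same LAN segment as the sending hosts.
SAMPLE = [
    ("00:00:5e:00:53:0a", "198.51.100.7", "203.0.113.9"),
    ("00:00:5e:00:53:0a", "198.51.100.88", "203.0.113.9"),
    ("00:00:5e:00:53:0a", "203.0.113.140", "203.0.113.9"),
    ("00:00:5e:00:53:0a", "198.51.100.201", "203.0.113.9"),
    ("00:00:5e:00:53:0b", "198.51.100.23", "203.0.113.50"),
    ("00:00:5e:00:53:0b", "198.51.100.23", "203.0.113.51"),
    ("00:00:5e:00:53:0c", "192.0.2.15", "203.0.113.9"),  # normal traffic
]


def is_internal(ip):
    """True if ip falls inside any configured internal prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def triage(records, forged_threshold=3):
    """Label each MAC that sent packets with external source AND destination."""
    sources_by_mac = defaultdict(set)
    for mac, src, dst in records:
        if not is_internal(src) and not is_internal(dst):
            sources_by_mac[mac].add(src)
    verdicts = {}
    for mac, sources in sources_by_mac.items():
        # Many distinct foreign sources from one NIC suggests forging (#1);
        # a single stable foreign source suggests a stale address (#2 to #4).
        verdicts[mac] = "forged" if len(sources) >= forged_threshold else "stale"
    return verdicts


if __name__ == "__main__":
    for mac, verdict in sorted(triage(SAMPLE).items()):
        print(mac, verdict)
```

For a "stale" host, the reverse lookup or ARIN whois on the source IP suggested in the reply is the next step.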
