RE: possible causes of source and destination ip from external network

From: Tom Arseneault (TArseneault_at_counterpane.com)
Date: 06/22/04

  • Next message: Runion Mark A FGA DOIM WEBMASTER(ctr): "RE: ssh and ids"
    Date: Mon, 21 Jun 2004 18:17:55 -0700
    To: "Annie Green" <annie_r_green@hotmail.com>, <focus-ids@securityfocus.com>
    
    

    One possibility is a host on your network has been compromised and is
    being used by an attacker to send out spoofed packets. You'd need to
    check the MAC addresses on the packets and see if you can track down
    where they're coming from, then quarantine that machine.

    Thomas J. Arseneault
    Security Engineer
    Counterpane Internet Security
    tarseneault@counterpane.com

    > -----Original Message-----
    > From: Annie Green [mailto:annie_r_green@hotmail.com]
    > Sent: Saturday, June 19, 2004 7:09 AM
    > To: focus-ids@securityfocus.com
    > Subject: possible causes of source and destination ip from
    > external network
    >
    > Hi all
    >
    > What would be the possible causes of the IDS alert that shows
    > source ip and destination ip from external network? Also, why
    > did the router route this packet in the first place?
    >
    > Regards,
    > A.
    ---------------------------------------------------------------------------
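
The MAC-address check suggested in the reply above, as an added example that is not part of the original thread: it takes frames seen on the internal segment, keeps those whose source and destination IP are both outside the internal range, and counts them per source MAC. The internal range, the gateway MAC and the sample frames are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed internal address space and default-gateway MAC (hypothetical values).
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]
GATEWAY_MAC = "02:00:00:00:00:01"

# Constructed sample frames: (source MAC, source IP, destination IP).
SAMPLE_FRAMES = [
    ("02:00:00:00:00:0a", "192.168.10.20", "203.0.113.5"),    # normal outbound
    ("02:00:00:00:00:01", "203.0.113.5", "192.168.10.20"),    # normal inbound
    ("02:00:00:00:00:0b", "198.51.100.7", "203.0.113.9"),     # both external
    ("02:00:00:00:00:0b", "198.51.100.88", "203.0.113.9"),    # both external
    ("02:00:00:00:00:01", "198.51.100.3", "203.0.113.40"),    # both external, gateway MAC
    ("02:00:00:00:00:0a", "192.168.10.20", "192.168.10.21"),  # internal to internal
]


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage_external_pairs(frames, gateway_mac=GATEWAY_MAC):
    """Split frames with external source AND destination by where they entered.

    Returns (Counter of local source MACs, number of frames carrying the
    gateway MAC). A local MAC points at a host on the segment emitting the
    packets; the gateway MAC means the frame was forwarded in by the router.
    """
    local_sources = Counter()
    via_gateway = 0
    for mac, src, dst in frames:
        if is_internal(src) or is_internal(dst):
            continue  # at least one end is ours: not the alert in question
        if mac.lower() == gateway_mac.lower():
            via_gateway += 1
        else:
            local_sources[mac.lower()] += 1
    return local_sources, via_gateway


if __name__ == "__main__":
    hosts, routed = triage_external_pairs(SAMPLE_FRAMES)
    for mac, count in hosts.most_common():
        print(f"{mac}: {count} frames with external source and destination")
    print(f"{routed} such frames arrived with the gateway MAC")
```
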

