Spoofed RFC1918 Network Source Addresses...
From: Security Consultant (listrecipient@hanis.net)Date: 11/15/02
- Previous message: Moshe Aelion: "Help - a possible bot"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 15 Nov 2002 16:03:20 -0500 From: Security Consultant <listrecipient@hanis.net> To: incidents@securityfocus.com
Hello All,
I've been following the thread here regarding the IP Spoofs from
0.0.0.0 with interest as I'm seeing something similar, but not the
same in one of my client environments. I see packets from a specific
internet host that the client has associations with (which presumably
means they are allowing certain specific traffic from that host to
pass via the firewall to other certain hosts within the environment)
that are directed to subnet addresses, such as 10.0.0.0 or 10.1.0.0 or
10.1.2.0. Lots of different combinations. I also see other traffic
that is either spoofed traffic or some sort of return traffic to these
spoofed addresses as they are sourced with 10.0.0.0 or 10.1.0.0 or
10.1.2.0 or something like that. It is possible that the firewall or
NAT device is improperly configured and is adding state for these
spoofed addresses which might be destined for the internet and thus
the return packets are making it back. It just seems odd that the
only external addresses appears to be hosts that are "trusted" by the
organization. Has anyone seen anything like this recently. This has
been happening for at least a week. Thanks in advance for any help.
--- Joel
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Next message: Christian Schwede: "Strange Apache logs - maybe DDOS?"
- Previous message: Moshe Aelion: "Help - a possible bot"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
