RE: strange network traffic

From: Chris Norris (chris.norris@cpnmedia.co.uk)
Date: 08/16/02


From: "Chris Norris" <chris.norris@cpnmedia.co.uk>
To: <security-basics@securityfocus.com>
Date: Fri, 16 Aug 2002 18:36:24 +0100

I sincerely recommend you do get a firewall. Just find a junk PC and put
Linux on it if there is no budget for it, cost = nothing!

-----Original Message-----
From: C Boening [mailto:txfmfdoc@comcast.net]
Sent: 15 August 2002 22:41
To: security basics
Subject: strange network traffic

We are experiencing some network activity which has me baffled. I am
relatively new to network security so I hope I won't get flamed too bad.
Here's what's going on: About 2 months ago our sniffer (commview)
started capturing traffic from 192.168.0.2 as coming from our network.
We have no such IP address. All routers, switches, servers, annexes,
printers, wireless,... have been checked hands on. No such IP assigned
to any of our devices. The packets coming from this IP contain the
nbstat command. They are sent to several of our servers only. Server
responds with an answer to nbstat (the usual stuff). 192 IP then sends
traffic to several outside IPs, i.e. doubleclick, uunet, and others.
What could cause this traffic and where could it possibly come from?
Another sniffer, Capsa, shows 192 as belonging to our intranet. We do
not have a firewall (yes, I know, but it's not up to me or my dept
head), except for a couple which we run on individual PCs. Purchasing a
firewall at this time is not an option. Can somebody help me out?


