"Spoofed" packets - causing our firewall to NOT RESPOND to legitimate traffic !!!
From: HisNameWasRobertPaulson (kalis_anon_at_hotmail.com)
Date: 04/29/04
Date: 28 Apr 2004 15:24:10 -0700
Hey gang, recently our PIX has been logging about 1,500 of these
messages per day for the past 2 days:
((2004-04-27 01:42:00 Local4.Critical 10.10.1.2 Apr 27 2004 01:41:36:
%PIX-2-106016: Deny IP spoof from (0.0.0.22) to 82.83.129.244 on
interface inside))
This only occurs early in the morning, for about 15 minutes or so,
then stops.
The bad part, when these packets are hitting the PIX, the inside
interface will NOT even respond to a ping request!!! So it seems that
whatever these packets are, they are hitting the PIX pretty heavy -
enough for the PIX to be too busy to respond to any legitimate traffic,
including a ping!!
This is not good : (
Alas, I could not find anything relevant about this on the net or in
the groups. What I have determined is that this is a possible trojan
we have on our internal network. (That's all I can think of.)
So, my question is: what can I do about this? I suppose my goal is to
obtain the MAC address of the offending station, but how do I do that
on the PIX?? Will these IPs show up in the arp table, or is there
some other way for the PIX to give me the MAC address of the offending
station?? (Or any other method of obtaining the MAC address for that
matter???)
Anyway, I am at a loss, any help would be GREATLY appreciated!
Thanks,
-Mike