[Dshield] Repeated spoofed address attempts

Stephane Grobety security at admin.fulgan.com
Wed May 8 15:27:21 GMT 2002


Hello David,

I suggest you have a look at this page:

http://www.robertgraham.com/pubs/firewall-seen.html

and, in particular:

http://www.robertgraham.com/pubs/firewall-seen.html#10

(But the rest of the page is good reading too ;) )

Good luck,
Stephane

Wednesday, May 8, 2002, 4:35:55 PM, you wrote:

SD> Yesterday our network firewall (Watchguard Firebox II) intercepted several
SD> thousand attempts from spoofed addresses. Does anyone know why this would be
SD> happening or how I would attempt to locate the "mis"-user doing this. Now
SD> they did not get through on these attempts...or at least they all were
SD> denied. I have not been able to configure snort to work on our system
SD> correctly so I'll only post a few of the logs in the Watchguard format.
SD> These ran for 303 pages of logs (approx. 6000+ attempts). Oddly enough, this
SD> is not our ip address (the second one) and I know this is just a ping back
SD> from an email site or at least that is what I thought it was.
SD> Any input would be appreciated.


SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.164.183 169.254.255.255 137 137 (spoofed source address)
SD> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.164.183 169.254.255.255 137 137 (spoofed source address)


 
SD>  "Patience and perseverance have a magical effect before
SD>     which difficulties disappear and obstacles vanish."
SD>           - John Quincy Adams
SD> ________________________________________ 
SD> David E. Stigers 
SD> IT Manager 
SD> KY Association of Counties 
 
SD> ________________________________________ 

SD> _______________________________________________
SD> Dshield mailing list
SD> Dshield at dshield.org
SD> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list



-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
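
An added example, not part of the original messages: a short Python triage of deny lines in the layout quoted above, counting spoofed-source denies per source and destination port and flagging sources in 169.254.0.0/16, the IPv4 link-local range that hosts assign themselves when they get no DHCP lease. The field layout in the regex is an assumption read off the quoted lines, and the sample is constructed (the 192.0.2.10 line is invented for contrast).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the quoted Watchguard lines, one record
# per line. The last line (192.0.2.10) is invented for contrast.
SAMPLE = """\
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.164.183 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:03  firewalld[105]:  deny out eth1 60 udp 20 64 192.0.2.10 198.51.100.7 1025 53 (spoofed source address)
"""

# Assumed layout: only the named fields are interpreted. The three numbers
# around the protocol are skipped because the page does not define them.
LINE = re.compile(
    r"firewalld\[\d+\]:\s+(?P<action>\w+)\s+(?P<dir>\w+)\s+(?P<iface>\S+)\s+"
    r"\d+\s+(?P<proto>\w+)\s+\d+\s+\d+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+\((?P<reason>[^)]*)\)"
)

def summarize(text):
    """Count spoofed-source denies per (source address, destination port)."""
    hits = Counter()
    for line in text.splitlines():
        m = LINE.search(line)
        if m and m["action"] == "deny" and "spoofed" in m["reason"]:
            hits[(m["src"], int(m["dport"]))] += 1
    return [
        {"src": src, "dport": dport, "count": n,
         # True for 169.254.0.0/16: a self-assigned address, not a routed one
         "link_local": ipaddress.ip_address(src).is_link_local}
        for (src, dport), n in hits.most_common()
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        note = "link-local, self-assigned" if row["link_local"] else "outside 169.254.0.0/16"
        print(f'{row["src"]:>16} -> port {row["dport"]:<5} x{row["count"]}  {note}')
```

Destination port 137/udp is the NetBIOS name service, so a link-local source broadcasting to it is a host on the inside interface announcing itself without a DHCP lease.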



