[Dshield] Repeated spoofed address attempts

Micheal Patterson micheal at cancercare.net
Wed May 8 15:34:14 GMT 2002


I'm not familiar with the way Watchguard considers its inbound / outbound
interfaces but to take it from face value, you have internal systems that
don't have a routable IP attempting to send traffic outbound and it's
getting blocked. Or, if they are indeed spoofed packets, the firewall is
only blocking the replies on the way out and not stopping them on the
inbound route.

IANA (NETBLK-LINKLOCAL)
   Internet Assigned Numbers Authority
   4676 Admiralty Way, Suite 330
   Marina del Rey, CA 90292-6695
   US

   Netname: LINKLOCAL
   Netblock: 169.254.0.0 - 169.254.255.255


--

Micheal Patterson
Network Administration
Cancer Care Network
405-733-2230

----- Original Message -----
From: "Stigers, David" <dstigers at kaco.org>
To: <list at dshield.org>
Sent: Wednesday, May 08, 2002 9:35 AM
Subject: [Dshield] Repeated spoofed address attempts


> Yesterday our network firewall (Watchguard Firebox II) intercepted several
> thousand attempts from spoofed addresses. Does anyone know why this would be
> happening or how I would attempt to locate the "mis"-user doing this. Now
> they did not get through on these attempts...or at least they all were
> denied. I have not been able to configure snort to work on our system
> correctly so I'll only post a few of the logs in the Watchguard format.
> These ran for 303 pages of logs (approx. 6000+ attempts). Oddly enough, this
> is not our ip address (the second one) and I know this is just a ping back
> from an email site or at least that is what I thought it was.
> Any input would be appreciated.
>
>
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.164.183 169.254.255.255 137 137 (spoofed source address)
> 05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.164.183 169.254.255.255 137 137 (spoofed source address)
>
>
>
>  "Patience and perseverance have a magical effect before
>     which difficulties disappear and obstacles vanish."
>           - John Quincy Adams
> ________________________________________
> David E. Stigers
> IT Manager
> KY Association of Counties
>
> ________________________________________
>
>
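
Added example, not part of the original thread: a Python sketch that parses firewall lines in the layout quoted above and counts, per source, the outbound denies whose source falls in the 169.254.0.0/16 link-local netblock cited in the reply, which yields the list of internal hosts to track down. The field layout is inferred from the quoted lines, the function names are hypothetical, and the fourth sample line is constructed.

```python
import ipaddress
import re
from collections import Counter

# Netblock from the WHOIS record in the reply (IANA LINKLOCAL).
LINKLOCAL = ipaddress.ip_network("169.254.0.0/16")

# Layout inferred from the quoted log lines (an assumption). The three numeric
# fields around the protocol are skipped; the thread does not define them.
LINE_RE = re.compile(
    r"firewalld\[\d+\]:\s+(?P<action>\w+)\s+(?P<dir>\w+)\s+(?P<iface>\S+)\s+"
    r"\d+\s+(?P<proto>\w+)\s+\d+\s+\d+\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+\((?P<reason>[^)]*)\)"
)

# First three lines are copied from the post; the fourth is constructed
# (documentation addresses) to exercise the non-link-local branch.
SAMPLE = """\
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 127 169.254.252.168 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:02  firewalld[105]:  deny out eth1 78 udp 20 128 169.254.177.208 169.254.255.255 137 137 (spoofed source address)
05/07/02 14:03  firewalld[105]:  deny in eth0 60 tcp 20 52 192.0.2.10 198.51.100.5 4321 80 (spoofed source address)
"""

def classify(line):
    # Returns None for lines that do not match the assumed layout.
    m = LINE_RE.search(line)
    try:
        src, dst = (ipaddress.ip_address(m[k]) for k in ("src", "dst"))
    except (TypeError, ValueError):  # no match, or not a valid IP address
        return None
    return {"src": str(src), "dir": m["dir"], "dport": int(m["dport"]),
            "link_local_src": src in LINKLOCAL,
            "netblock_broadcast": dst == LINKLOCAL.broadcast_address}

def summarize(text):
    # Outbound denies per link-local source; other sources listed separately.
    hosts, other = Counter(), []
    for rec in filter(None, map(classify, text.splitlines())):
        if rec["link_local_src"] and rec["dir"] == "out":
            hosts[rec["src"]] += 1
        else:
            other.append(rec["src"])
    return hosts, other

if __name__ == "__main__":
    hosts, other = summarize(SAMPLE)
    print("link-local sources denied outbound:", dict(hosts))
    print("other denied sources:", other)
```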



