
Thread: Spoofed Address.

  1. #11
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by extremez
    That would hamper relations.

    I thought you said your firewall was blocking all attempts? Are they making it through to your DMZ??
    They are targeting boxes in the DMZ but aren't getting through, but I do now see your point, setting up a sniffer in the DMZ ain't going to do us much good.

    We'll sniff the external interface on the firewall, that should show us something.

    Cheers:
    DjM

  2. #12
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    If they are using a spoofed IP address then they can't be expecting to get a connection, since the return address will not be correct.

    However, are you seeing any other attempts from other 'more real' looking IPs at the same time, since if they are trying to probe & get some information back, one of these addresses will be real.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #13
    Junior Member
    Join Date
    Jan 2004
    Posts
    27
    Not sure if checkpoint has the ability to set it to not allow spoofed IPs. I know on all my cisco firewalls I have anti spoofing turned on. Pretty much if I can't do a reverse look up back to you, you're not connecting.

    Do you have a syslog or anything running?
    If at first you don't succeed, f**k it try something else.

  4. #14
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by steve.milner
    If they are using a spoofed IP address then they can't be expecting to get a connection, since the return address will not be correct.

    However, are you seeing any other attempts from other 'more real' looking IPs at the same time, since if they are trying to probe & get some information back, one of these addresses will be real.

    Steve
    Nothing that seems to have any pattern or structure Steve.

    Originally posted here by symtech
    Not sure if checkpoint has the ability to set it to not allow spoofed IPs. I know on all my cisco firewalls I have anti spoofing turned on. Pretty much if I can't do a reverse look up back to you, you're not connecting.

    Do you have a syslog or anything running?
    Yes checkpoint can disallow spoofing, that's why this cowboy is being dropped.

    Cheers:
    DjM

  5. #15
    They are targeting boxes in the DMZ but aren't getting through, but I do now see your point, setting up a sniffer in the DMZ ain't going to do us much good.
    Exactly, No prob
    find /home/$newbie -name *? | www.google.com 2>/dev/null

  6. #16
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    DjM: Are you allowing outside clients to connect to your proxy on port 80? Do you even have a proxy server running on port 80? That can be used to probe the internal LAN like a port scan, like doing http://<ip>:25. I'm not wanting to get right into it the now, I have had a few beers, but that could be causing the localhost queries to ports on the LAN.
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  7. #17
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by prodikal
    DjM: Are you allowing outside clients to connect to your proxy on port 80? Do you even have a proxy server running on port 80? That can be used to probe the internal LAN like a port scan, like doing http://<ip>:25. I'm not wanting to get right into it the now, I have had a few beers, but that could be causing the localhost queries to ports on the LAN.
    Short answer, no. We don't have a proxy.

    Thanks for your help, go have a few more beers and let me know if you come up with anything else. (some of my best work is done with a belly full of beer)

    Cheers:
    DjM

  8. #18
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Sounds more like an attempted smurf attack rather than an intruder. You should deny incoming 127.0.0.1 at your router.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #19
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Tedob1
    Sounds more like an attempted smurf attack rather than an intruder. You should deny incoming 127.0.0.1 at your router.
    Yea, this is what I would like to do too Tedob1, however the router is owned and controlled by our current ISP, who, like I said, is a little pissed at us, I doubt they would put any priority on putting in that router rule for us.


    Cheers:
    DjM

  10. #20
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    The router that connects us to the internet is owned by UUnet, but when they set it up they gave me the user name and password so I can make changes. Call them, ask them, what have you got to lose? If worse comes to worse, get another router.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
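
The thread's two practical steps, sniffing the firewall's external interface and denying sources such as 127.0.0.1 that can never legitimately arrive from the Internet, can be combined into a simple check over captured traffic. This is an added example, not part of any post above; the log format, the interface names `ext0`/`dmz0`, the `OWN_NETS` range, and the function names are assumptions made for illustration, and it generalizes the 127.0.0.1 case to other impossible IPv4 source ranges.

```python
import ipaddress
import re

# Source ranges that should never arrive on an Internet-facing interface.
MARTIANS = [(ipaddress.ip_network(n), why) for n, why in [
    ("0.0.0.0/8", "this-network"),
    ("127.0.0.0/8", "loopback"),
    ("10.0.0.0/8", "rfc1918"),
    ("172.16.0.0/12", "rfc1918"),
    ("192.168.0.0/16", "rfc1918"),
    ("169.254.0.0/16", "link-local"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
]]

# Assumption: our own DMZ range (documentation prefix used as a stand-in).
OWN_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LINE = re.compile(r"if=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

def spoof_reason(src):
    """Return why src is impossible on the external interface, else None."""
    addr = ipaddress.ip_address(src)
    for net, why in MARTIANS:
        if addr in net:
            return why
    if any(addr in net for net in OWN_NETS):
        return "own-network"  # outside packet claiming an inside address
    return None

def scan(lines, external_if="ext0"):
    """Return (src, dst, dport, reason) for spoofed packets on external_if."""
    hits = []
    for line in lines:
        m = LINE.search(line)
        if not m or m.group(1) != external_if:
            continue  # only traffic arriving from outside is judged
        reason = spoof_reason(m.group(2))
        if reason:
            hits.append((m.group(2), m.group(3), int(m.group(4)), reason))
    return hits

# Constructed sample lines (hypothetical format, not Check Point output).
SAMPLE = [
    "if=ext0 src=127.0.0.1 dst=192.0.2.10 dport=80",
    "if=ext0 src=198.51.100.7 dst=192.0.2.10 dport=25",
    "if=ext0 src=192.0.2.10 dst=192.0.2.11 dport=80",
    "if=dmz0 src=192.0.2.10 dst=198.51.100.7 dport=53",
    "if=ext0 src=10.1.2.3 dst=192.0.2.11 dport=445",
]
```

Calling `scan(SAMPLE)` flags the loopback, own-network and RFC 1918 sources seen on `ext0` and ignores the legitimate outside source and the outbound DMZ traffic.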
