Spoofed Address. - Page 2
Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 21

Thread: Spoofed Address.

  1. #11
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by extremez
    That would hamper relations.

    I thought you said your firewall was blocking all attempts? Are they making it through to your DMZ??
    They are targeting boxes in the DMZ but aren't getting through, but I do now see your point, setting up a sniffer in the DMZ ain't going to do us much good

    We'll sniff the external interface on the firewall, that should show us something.

    Cheers:
    DjM

  2. #12
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    If they are using spoofed IP Address then they can't be expecting to get a connection, since the return address will not be correct.

    However, are you seeing any other attempts from other 'more real' looking IPs at the same time, since if they are trying to probe & get some information back, one of thes addresses will be real.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #13
    Junior Member
    Join Date
    Jan 2004
    Posts
    27
    Not sure if checkpoint has the ability to set it to not allow spoofed IP's. I know on all my cisco firewalls I have anti spoofing turned on. Pretty much if I can't do a reverse look up back to you, your not connecting..

    Do you have a syslog or anything running?
    If at first you don\'t succeed, f**k it try something else.

  4. #14
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by steve.milner
    If they are using spoofed IP Address then they can't be expecting to get a connection, since the return address will not be correct.

    However, are you seeing any other attempts from other 'more real' looking IPs at the same time, since if they are trying to probe & get some information back, one of thes addresses will be real.

    Steve
    Nothing that seems to have any pattern or structure Steve.

    Originally posted here by symtech
    Not sure if checkpoint has the ability to set it to not allow spoofed IP's. I know on all my cisco firewalls I have anti spoofing turned on. Pretty much if I can't do a reverse look up back to you, your not connecting..

    Do you have a syslog or anything running?
    Yes checkpoint can disallow spoofing, that's why this cowboy is being dropped.

    Cheers:
    DjM

  5. #15
    Member
    Join Date
    May 2002
    Posts
    68
    They are targeting boxes in the DMZ but aren't getting through, but I do now see your point, setting up a sniffer in the DMZ ain't going to do us much good
    Exactly, No prob
    [gloworange]
    find /home/$newbie -name *? | www.google.com 2>/dev/null
    [/gloworange]

  6. #16
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,049
    DjM: Are you allowing outside client's to connect t you're proxy on port 80 do you even have a proxy server running on port 80 ?that can be used to probe the internal LAN like a port scan like doing http://<ip>:25 im not wanting to get right in to it the now i have had a few beers but that could be causing the localhost queries to ports on the lan
    By the sacred **** of the sacred psychedelic tibetan yeti ....We\'ll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  7. #17
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by prodikal
    DjM: Are you allowing outside client's to connect t you're proxy on port 80 do you even have a proxy server running on port 80 ?that can be used to probe the internal LAN like a port scan like doing http://<ip>:25 im not wanting to get right in to it the now i have had a few beers but that could be causing the localhost queries to ports on the lan
    Short answer, no. We don't have a proxy.

    Thanks for your help, go have a few more beers and let me know if you come up with anything else. (some of my best work is done with a belly full of beer)

    Cheers:
    DjM

  8. #18
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    sounds more like an attempted smurf attack rather than an intruder. you should deny incomming 127.0.0.1 at your router
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #19
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Tedob1
    sounds more like an attempted smurf attack rather than an intruder. you should deny incomming 127.0.0.1 at your router
    Yea, this is what I would like to do too Tedob1, however the router is owned and controlled by our current ISP, who, like I said, is a little pissed at us, I doubt they would put any priority on putting in that router rule for us.


    Cheers:
    DjM

  10. #20
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    the router that connect us to the internet is owned by UUnet but when they set it up they gave me the user name and password so i can make changes. call them ask them, what have you got to loose. if worse comes to worse get another router
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides