On 26 Jun 2002, Dirk Koopman wrote: > There seems to be a "tool" about, which is somehow able to > detect valid rfc1918 addresses behind a NATed firewall and is spoofing > from addresses using random (usually non-existant) addresses from the > class C on the internet side of that firewall. My organization saw some connection attempts to an rfc1918 space on our firewall in the past few days as well. Specifically ip's in the 192.168.1.0/24 space, and specifically on tcp port 137. The firewall marked the packets as being spoofed, and dropped them. As a side note, we have no internal addresses in the 192.168.1.0/24 space. I've not yet determined what has generated the traffic, but I think it's guessing more than detecting valid addresses. Robert ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jun 27 2002 - 12:11:42 PDT