Re: Ip spoof from 0.0.0.0

From: Mike Lewinski (mikeat_private)
Date: Wed Nov 06 2002 - 10:05:46 PST

  • Next message: Paul Gillingwater: "Re: Ip spoof from 0.0.0.0"

    Frank Cheong wrote:
    
    > In-Reply-To:
    >
    > o yes, I also get these kind of attack these few days while some of them
    >
    > leaving a MAC Address 00.30.B6.D0.3C.EC so what can I do to stop these
    >
    > attack now ? As all I got is only a MAC address.
    
    
    Your pix already stopped it. That MAC address is whatever device your 
    pix is connected to on the outside interface (if not, then a source of 
    what everyone else here is seeing is on your DMZ!).
    
    You can only see local MAC addresses, due to the nature of how layer2 
    <-> layer3 conversions work.
    
    If you don't want the pix to drop the traffic, create an acl on your 
    upstream router and block at the edge, or ask your ISP to do the same per:
    
    http://www.cymru.com/Documents/secure-ios-template.html
    
    Mike
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 15:09:25 PST