Hello All,

I've been following the thread here regarding the IP Spoofs from 0.0.0.0 with interest, as I'm seeing something similar, but not the same, in one of my client environments.

I see packets from a specific internet host that the client has associations with (which presumably means they are allowing certain specific traffic from that host to pass via the firewall to other certain hosts within the environment) that are directed to subnet addresses, such as 10.0.0.0 or 10.1.0.0 or 10.1.2.0. Lots of different combinations.

I also see other traffic that is either spoofed traffic or some sort of return traffic to these spoofed addresses, as they are sourced with 10.0.0.0 or 10.1.0.0 or 10.1.2.0 or something like that.

It is possible that the firewall or NAT device is improperly configured and is adding state for these spoofed addresses which might be destined for the internet, and thus the return packets are making it back. It just seems odd that the only external addresses appear to be hosts that are "trusted" by the organization.

Has anyone seen anything like this recently? This has been happening for at least a week.

Thanks in advance for any help.

--- Joel

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
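Added example, not part of the original post: a small triage script that groups "source destination" records by external peer and lists which subnet-style RFC 1918 addresses (10.0.0.0, 10.1.0.0, 10.1.2.0 and the like) were seen as destinations, as sources, and in both directions, which is the pairing that the state-table explanation in the post would produce. The record format, the sample data, the 198.51.100.7 and 203.0.113.9 peers and the last-octet-zero heuristic are assumptions; with real subnet masks, compare against the actual network addresses instead.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records ("src dst"); 198.51.100.7 stands in for the trusted host.
SAMPLE = """\
198.51.100.7 10.0.0.0
198.51.100.7 10.1.0.0
198.51.100.7 10.1.2.0
10.1.2.0 198.51.100.7
10.0.0.0 198.51.100.7
198.51.100.7 10.1.2.15
10.1.2.15 198.51.100.7
203.0.113.9 10.1.2.0
"""

def is_private(ip):
    return any(ip in net for net in RFC1918)

def is_subnet_style(ip):
    # Heuristic (assumption): private address whose last octet is zero.
    return is_private(ip) and ip.packed[-1] == 0

def parse(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed records
        try:
            yield ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # skip unparseable addresses

def triage(text):
    seen = defaultdict(lambda: {"to_subnet": set(), "from_subnet": set()})
    for src, dst in parse(text):
        if not is_private(src) and is_subnet_style(dst):
            seen[str(src)]["to_subnet"].add(str(dst))
        elif is_subnet_style(src) and not is_private(dst):
            seen[str(dst)]["from_subnet"].add(str(src))
    return {peer: {"to_subnet": sorted(d["to_subnet"]),
                   "from_subnet": sorted(d["from_subnet"]),
                   "both_directions": sorted(d["to_subnet"] & d["from_subnet"])}
            for peer, d in seen.items()}

if __name__ == "__main__":
    for peer, report in triage(SAMPLE).items():
        print(peer, report)
```

Capturing on both sides of the firewall or NAT device and running the same grouping on each capture shows whether the packets sourced from subnet-style addresses originate inside the environment or arrive from outside.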
This archive was generated by hypermail 2b30 : Sat Nov 16 2002 - 04:56:50 PST