In the ideal case, RFC1918 private addresses are not routed
over the Internet.  Unfortunately, the world is far from an
ideal place.  There are a lot of clueless ISPs out there,
and a lot more clueless domain administrators.

Most likely, someone that uses the same ISP as you is "leaking"
private address traffic to the outside world.  Since your GNAT
Box recognizes the addresses (because you're using the same
group of private addresses) it reports a possible spoof.

The traffic doesn't stop when you shut down the machine with
that IP address because it is not coming from that machine.
It's just a coincidence that you have a machine with the same
IP address that is "leaking" from someone else's network.

This is much more likely to be the result of cluelessness than
mischievousness.

Mike Burden
Lynk Systems
http://www.lynk.com
(616)532-4985
[EMAIL PROTECTED]



> -----Original Message-----
> From: Graham Jones [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 29, 2001 7:23 AM
> To: Gb-Users@Gta.Com
> Subject: Spoof ??
> 
> 
> GNAT Box User Forum http://www.gnatbox.com/cgi-bin/Ultimate.cgi
> Send postings to: [EMAIL PROTECTED]
> Access the list archives at: http://www.gnatbox.com/gb-users/
> -------------------------------------------------------------
> We see lots of alarms like this:
> 
> ALARM NO: 47
> DATE: Wed 2001-08-29 09:06:24 GMT
> TIME: 09:06:24
> INTERFACE: EXTERNAL (fxp1)
> INTERFACE TYPE: External
> ALARM TYPE: Possible spoof
> IP PACKET: TCP [192.168.100.100/1537]-->[217.9.192.38/80] l=0 f=0x2
> DETAILED DESCRIPTION:
> Return interface for IP packet is different than arrival.
> 
> The apparent return address 192.168.100.100/1537 is always the same.  The
> return port number changes from time to time.  I think the alarm is telling
> me that a packet has arrived on the external interface (IP=217.9 etc) which
> should be returned to 192.168.100.100 - is this correct?
> 
> We know that 192.168.0.0/16 is reserved for private use and is not routed
> over the Internet.
> 
> Specifically the address 192.168.100.100 is actually present on the
> Protected network - but the GB1000 continues to report spoofs when this
> machine is shut down.
> 
> The destination address for the packet 217.9.192.38/80 does not actually
> exist - but the network 217.9.192.0 mask 21 is the DMZ and there are some
> machines on it.  From day to day the destination address changes within the
> network 217.9.192.0 mask 21.
> 
> The alarms are set to report anything more than 60 spoofs in 480 seconds -
> and we see about 300 alarms per day.
> 
> What is going on?  Is this simply an attempt at denial of service?  Or are
> they trying to compromise the machines on the DMZ (or the machine in the
> protected network) in some other way?  If so, how?
> 
> Any ideas would be most welcome.
> 
> Regards,
> -- Graham Jones
> Linnet Solutions Ltd.
> [EMAIL PROTECTED]
> 01953 717605 or
> 077 74 894200
> 
> 
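The check behind the alarm text "Return interface for IP packet is different than arrival", written out as an added example; this is not code from the thread and not GTA's own GNAT Box implementation. It models Graham's layout with a hypothetical routing table (192.168.0.0/16 behind a protected interface, 217.9.192.0/21 behind a DMZ interface, default route out of fxp1), does a reverse-path lookup on each packet's source address, parses the alarm's IP PACKET line, and applies the "more than 60 spoofs in 480 seconds" threshold. Only "fxp1 = External" comes from the alarm; the names fxp0 and fxp2 and all sample traffic are assumptions.

```python
import ipaddress
import re
from collections import deque

# Hypothetical routing table shaped like the network in the thread.
# fxp1 (External) is taken from the alarm; fxp0 and fxp2 are assumed names.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/16"), "fxp0"),   # protected LAN
    (ipaddress.ip_network("217.9.192.0/21"), "fxp2"),   # DMZ
    (ipaddress.ip_network("0.0.0.0/0"), "fxp1"),        # default -> Internet
]

# Matches the "IP PACKET:" line of a GNAT Box alarm, e.g.
#   TCP [192.168.100.100/1537]-->[217.9.192.38/80] l=0 f=0x2
PACKET_RE = re.compile(
    r"(?P<proto>\w+)\s+\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->"
    r"\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
)


def return_interface(ip):
    """Longest-prefix match: the interface a reply to `ip` would leave on."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, ifname) for net, ifname in ROUTES if addr in net]
    net, ifname = max(matches, key=lambda m: m[0].prefixlen)
    return ifname


def parse_packet(line):
    """Pull protocol, addresses and ports out of an IP PACKET alarm line."""
    m = PACKET_RE.search(line)
    if not m:
        raise ValueError("not a packet line: %r" % line)
    return m.groupdict()


def is_possible_spoof(arrival_if, src_ip):
    """Reverse-path check: a packet is suspect when the route back to its
    source address does not point at the interface it arrived on."""
    return return_interface(src_ip) != arrival_if


class SpoofAlarm:
    """Fire once more than `threshold` spoofs fall inside `window` seconds."""

    def __init__(self, threshold=60, window=480):
        self.threshold = threshold
        self.window = window
        self.events = deque()

    def record(self, ts):
        self.events.append(ts)
        # Drop events that have aged out of the sliding window.
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) > self.threshold


def check_packets(packets, threshold=60, window=480):
    """packets: iterable of (timestamp_seconds, arrival_interface, packet_line).
    Returns (list of flagged packet lines, whether the alarm fired)."""
    alarm = SpoofAlarm(threshold, window)
    flagged = []
    fired = False
    for ts, iface, line in packets:
        pkt = parse_packet(line)
        if is_possible_spoof(iface, pkt["src"]):
            flagged.append(line)
            if alarm.record(ts):
                fired = True
    return flagged, fired


# Constructed sample traffic (not a real capture). Only the first packet is
# the case from the thread: an RFC1918 source arriving on the external side.
SAMPLE = [
    (0, "fxp1", "TCP [192.168.100.100/1537]-->[217.9.192.38/80] l=0 f=0x2"),
    (1, "fxp2", "TCP [217.9.192.38/80]-->[198.51.100.7/33045] l=0 f=0x12"),
    (2, "fxp1", "TCP [198.51.100.7/33045]-->[217.9.192.38/80] l=0 f=0x10"),
    (3, "fxp0", "TCP [192.168.100.100/1538]-->[198.51.100.7/80] l=0 f=0x2"),
]

if __name__ == "__main__":
    flagged, fired = check_packets(SAMPLE)
    for line in flagged:
        print("Possible spoof:", line)
    print("alarm fired:", fired)
```

Note the fourth sample packet: the same 192.168.100.100 source is perfectly legitimate when it arrives on the protected interface, which is exactly why shutting that host down changes nothing. The flag is about the (source address, arrival interface) pair, not the address alone.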
