We see lots of alarms like this:

ALARM NO: 47
DATE: Wed 2001-08-29 09:06:24 GMT
TIME: 09:06:24
INTERFACE: EXTERNAL (fxp1)
INTERFACE TYPE: External
ALARM TYPE: Possible spoof
IP PACKET: TCP [192.168.100.100/1537]-->[217.9.192.38/80] l=0 f=0x2
DETAILED DESCRIPTION: Return interface for IP packet is different than arrival.
The apparent return address 192.168.100.100/1537 is always the same. The return port number changes from time to time. I think the alarm is telling me that a packet has arrived on the external interface (IP=217.9 etc) which should be returned to 192.168.100.100 - is this correct?

We know that 192.168.0.0/16 is reserved for private use and is not routed over the Internet. Specifically, the address 192.168.100.100 is actually present on the Protected network - but the GB1000 continues to report spoofs when this machine is shut down.

The destination address for the packet, 217.9.192.38/80, does not actually exist - but the network 217.9.192.0 mask 21 is the DMZ and there are some machines on it. From day to day the destination address changes within the network 217.9.192.0 mask 21.

The alarms are set to report anything more than 60 spoofs in 480 seconds - and we see about 300 alarms per day.

What is going on? Is this simply an attempt at denial of service? Or are they trying to compromise the machines on the DMZ (or the machine in the protected network) in some other way? If so, how?

Any ideas would be most welcome.

Regards,

--
Graham Jones
Linnet Solutions Ltd.
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
01953 717605 or 077 74 894200
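The check behind a "Possible spoof" alarm is a reverse-path test: the firewall looks up the packet's source address in its routing table and, if a reply would leave through a different interface than the one the packet arrived on, flags it. The following is an added example that is not part of the original post and not GNAT Box code: it models that test for the three-interface layout the post describes, parses the alarm text quoted above, and applies the poster's own 60-in-480-seconds threshold. The routing table, the interface names for the protected and DMZ sides (fxp0, fxp2), and the private-address list are assumptions; the sample alarm is copied from the post.

```python
"""Reverse-path ("possible spoof") check and alarm-rate threshold.

Added example modelled on the alarm format quoted in the post. The routing
table and the non-external interface names are assumptions, not GB1000 data.
"""
import ipaddress
import re
from datetime import datetime

# Assumed routing table: the return interface for a source address is the
# longest-prefix match. Only "EXTERNAL (fxp1)" appears in the post.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/16"), "PROTECTED (fxp0)"),  # assumed name
    (ipaddress.ip_network("217.9.192.0/21"), "DMZ (fxp2)"),        # assumed name
    (ipaddress.ip_network("0.0.0.0/0"), "EXTERNAL (fxp1)"),
]

# RFC 1918 space: never a legitimate source on the Internet-facing interface.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The alarm from the post, used here as constructed sample input.
SAMPLE_ALARM = """\
ALARM NO: 47
DATE: Wed 2001-08-29 09:06:24 GMT
TIME: 09:06:24
INTERFACE: EXTERNAL (fxp1)
INTERFACE TYPE: External
ALARM TYPE: Possible spoof
IP PACKET: TCP [192.168.100.100/1537]-->[217.9.192.38/80] l=0 f=0x2
DETAILED DESCRIPTION: Return interface for IP packet is different than arrival.
"""


def return_interface(address):
    """Interface a reply to `address` would leave through (longest-prefix match)."""
    ip = ipaddress.ip_address(address)
    best = max((r for r in ROUTES if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def spoof_reason(arrival_iface, src):
    """Why a packet from `src` arriving on `arrival_iface` is suspect, or None."""
    ip = ipaddress.ip_address(src)
    if arrival_iface.startswith("EXTERNAL") and any(ip in n for n in PRIVATE):
        return "private (RFC 1918) source address arrived on the external interface"
    expected = return_interface(src)
    if expected != arrival_iface:
        return "return interface (%s) differs from arrival interface (%s)" % (
            expected, arrival_iface)
    return None


def parse_alarm(text):
    """Pull the fields we need out of one alarm; tolerates the multi-line layout."""
    flat = " ".join(text.split())
    date = re.search(r"DATE:\s+\w+\s+(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2})", flat).group(1)
    iface = re.search(r"INTERFACE:\s+(\S+\s+\(\S+\))", flat).group(1)
    atype = re.search(r"ALARM TYPE:\s+(.+?)\s+IP PACKET", flat).group(1)
    proto, src, sport, dst, dport = re.search(
        r"IP PACKET:\s+(\w+)\s+\[([\d.]+)/(\d+)\]-->\[([\d.]+)/(\d+)\]", flat).groups()
    return {
        "time": datetime.strptime(date, "%Y-%m-%d %H:%M:%S"),
        "iface": iface, "type": atype, "proto": proto,
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
    }


def over_threshold(times, limit=60, window_seconds=480):
    """True once more than `limit` events fall inside any `window_seconds` span.

    `times` may be datetimes or plain epoch seconds; a sliding window is used.
    """
    secs = sorted(t.timestamp() if hasattr(t, "timestamp") else float(t) for t in times)
    start = 0
    for end, t in enumerate(secs):
        while t - secs[start] > window_seconds:
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def explain(text):
    """Human-readable verdict for one alarm: what arrived, and why it was flagged."""
    a = parse_alarm(text)
    reason = spoof_reason(a["iface"], a["src"]) or "no reverse-path mismatch"
    return "%s %s:%d -> %s:%d on %s: %s" % (
        a["proto"], a["src"], a["sport"], a["dst"], a["dport"], a["iface"], reason)


if __name__ == "__main__":
    print(explain(SAMPLE_ALARM))
```

Because the source address is in 192.168.0.0/16, the packet would be rejected by the private-source rule even if the host on the protected network were up; the firewall cannot have received it from that host via the external interface, so whether 192.168.100.100 is powered on has no bearing on the alarm. The rate function reproduces the "more than 60 in 480 seconds" setting, so it can be run over a day's parsed alarm timestamps to see how many threshold windows the 300 daily alarms actually span.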
