I actually saw an identical symptom after a PacBell tech disconnected my cables and then connected them to the opposite network cards.
You may want to make sure some bonehead has not been playing with your cabling.
Also, I tried to duplicate the symptom here and found that certain filter schemes (with pass through) can mimic this.

Just a thought. Perhaps not a very good one.

Danny

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Green
Sent: Wednesday, August 29, 2001 12:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Spoof ??

--------------------- Attention -----------------------------
A digest version of this list is now available.
Send email to [EMAIL PROTECTED], with the following message:
subscribe gb-users-digest your_email_address
Then unsubscribe from this list.
-------------------------------------------------------------
GNAT Box User Forum http://www.gnatbox.com/cgi-bin/Ultimate.cgi
Send postings to: [EMAIL PROTECTED]
Access the list archives at: http://www.gnatbox.com/gb-users/
-------------------------------------------------------------

Very likely cause. You can reconfigure your router to drop those addresses.
This will prevent them from reaching your firewall.

Chris Green

>From: Mike Burden <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED], "Gb-Users@Gta. Com" <[EMAIL PROTECTED]>
>Subject: RE: Spoof ??
>Date: Wed, 29 Aug 2001 08:59:24 -0400
>
>In the ideal case, RFC1918 private addresses are not routed
>over the Internet. Unfortunately, the world is far from an
>ideal place.
>There are a lot of clueless ISPs out there,
>and a lot more clueless domain administrators.
>
>Most likely, someone that uses the same ISP as you is "leaking"
>private address traffic to the outside world. Since your GNAT
>Box recognizes the addresses (because you're using the same
>group of private addresses) it reports a possible spoof.
>
>The traffic doesn't stop when you shut down the machine with
>that IP address because it is not coming from that machine.
>It's just a coincidence that you have a machine with the same
>IP address that is "leaking" from someone else's network.
>
>This is much more likely to be the result of cluelessness than
>mischievousness.
>
>Mike Burden
>Lynk Systems
>http://www.lynk.com
>(616)532-4985
>[EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Graham Jones [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, August 29, 2001 7:23 AM
> > To: Gb-Users@Gta. Com
> > Subject: Spoof ??
> >
> > We see lots of alarms like this:
> >
> > ALARM NO: 47
> > DATE: Wed 2001-08-29 09:06:24 GMT
> > TIME: 09:06:24
> > INTERFACE: EXTERNAL (fxp1)
> > INTERFACE TYPE: External
> > ALARM TYPE: Possible spoof
> > IP PACKET: TCP [192.168.100.100/1537]-->[217.9.192.38/80] l=0 f=0x2
> > DETAILED DESCRIPTION:
> > Return interface for IP packet is different than arrival.
> >
> > The apparent return address 192.168.100.100/1537 is always
> > the same.
> > The return port number changes from time to time. I think the
> > alarm is telling me that a packet has arrived on the external
> > interface (IP=217.9 etc) which should be returned to
> > 192.168.100.100 - is this correct?
> >
> > We know that 192.168.0.0/16 is reserved for private use and is
> > not routed over the Internet.
> >
> > Specifically the address 192.168.100.100 is actually present on the
> > Protected network - but the GB1000 continues to report spoofs when
> > this machine is shut down.
> >
> > The destination address for the packet 217.9.192.38/80 does not
> > actually exist - but the network 217.9.192.0 mask 21 is the DMZ and
> > there are some machines on it. From day to day the destination
> > address changes within the network 217.9.192.0 mask 21.
> >
> > The alarms are set to report anything more than 60 spoofs in
> > 480 seconds - and we see about 300 alarms per day.
> >
> > What is going on? Is this simply an attempt at denial of service?
> > Or are they trying to compromise the machines on the DMZ (or the
> > machine in the protected network) in some other way? If so, how?
> >
> > Any ideas would be most welcome.
> >
> > Regards,
> >
> > -- Graham Jones
> > Linnet Solutions Ltd.
> > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> > 01953 717605 or
> > 077 74 894200
> >
> > ----------------------------------------------
> > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > with "unsubscribe gb-users your_email_address
> > in the body of the message
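
The alarm text quoted in this thread ("Return interface for IP packet is different than arrival") can be modelled as a reverse-path lookup on the source address. The sketch below is an added example, not part of the thread and not GNAT Box code; the `PROTECTED` and `DMZ` interface names and the `192.168.100.0/24` protected prefix are assumptions, while the DMZ prefix and the first packet field come from the quoted alarm. It shows that the result depends only on the routing view, not on whether the internal host with that address is powered on.

```python
import ipaddress
import re

# Assumed routing view of the firewall. The thread gives only the DMZ prefix
# (217.9.192.0 mask 21) and the EXTERNAL interface; the /24 is an assumption.
ROUTES = [
    (ipaddress.ip_network("192.168.100.0/24"), "PROTECTED"),
    (ipaddress.ip_network("217.9.192.0/21"), "DMZ"),
    (ipaddress.ip_network("0.0.0.0/0"), "EXTERNAL"),
]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Matches the "[src/port]-->[dst/port]" part of an IP PACKET alarm field.
PACKET_RE = re.compile(r"\[([\d.]+)/(\d+)\]-->\[([\d.]+)/(\d+)\]")


def return_interface(addr):
    """Longest-prefix match: the interface a reply to addr would leave by."""
    ip = ipaddress.ip_address(addr)
    candidates = [(net.prefixlen, iface) for net, iface in ROUTES if ip in net]
    return max(candidates, key=lambda c: c[0])[1]


def check_packet(arrival_iface, packet_field):
    """Classify one IP PACKET alarm field against its arrival interface."""
    m = PACKET_RE.search(packet_field)
    if m is None:
        raise ValueError("unrecognised IP PACKET field: %r" % packet_field)
    src, dst = m.group(1), m.group(3)
    ret = return_interface(src)
    return {
        "src": src,
        "dst": dst,
        "return_iface": ret,
        # Reply would leave by a different interface than the packet came in on.
        "possible_spoof": ret != arrival_iface,
        "rfc1918_src": any(ipaddress.ip_address(src) in n for n in RFC1918),
    }


if __name__ == "__main__":
    # First field is copied from the alarm in the thread; the second is constructed.
    for field in ("TCP [192.168.100.100/1537]-->[217.9.192.38/80] l=0 f=0x2",
                  "TCP [203.0.113.5/4000]-->[217.9.192.38/80] l=0 f=0x2"):
        print(check_packet("EXTERNAL", field))
```
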
