We also thought it might be the Code Red worm - and checked very thoroughly to be sure that it wasn't present on any of the machines on the PRO or DMZ.

As suggested by another respondent we configured the router on the EXT network to block incoming packets from 192.168.0.0/16 - and the alarms stopped immediately. Presumably that means there's a Code Red worm running somewhere else which just happens to be attacking our 217.9.X.Y address.

-- Graham

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Campbell
> Sent: 31 August 2001 03:29
> To: [EMAIL PROTECTED]
> Cc: Gb-Users@Gta.Com
> Subject: Re: Spoof ??
>
> --------------------- Attention -----------------------------
> A digest version of this list is now available.
> Send email to [EMAIL PROTECTED], with the following message:
> subscribe gb-users-digest your_email_address
> Then unsubscribe from this list.
> -------------------------------------------------------------
> GNAT Box User Forum http://www.gnatbox.com/cgi-bin/Ultimate.cgi
> Send postings to: [EMAIL PROTECTED]
> Access the list archives at: http://www.gnatbox.com/gb-users/
> -------------------------------------------------------------
>
> What you may be seeing is the Code Red II Worm in action.
> The clue is the port 80 target.
> Have a look at Steve Gibson's site for a good analysis and more links.
> http://grc.COM/codered/codered.htm
>
> I have seen thousands of rejected packets to port 80 this month. Have
> from time to time seen spoofs from 192.168.0.xxx to my gnatbox EXT
> address, since my home network uses 192.168.0.xxx. It may not be too
> surprising that you could get the Code Red II worm causing a spoof
> alarm.
>
> --
> ---------------------------------------------------------------------
> Brian Campbell
> Edmonton, Alberta
> mailto:[EMAIL PROTECTED]
> ---------------------------------------------------------------------
>
> Graham Jones wrote:
> >
> > We see lots of alarms like this:
> >
> > ALARM NO: 47
> > DATE: Wed 2001-08-29 09:06:24 GMT
> > TIME: 09:06:24
> > INTERFACE: EXTERNAL (fxp1)
> > INTERFACE TYPE: External
> > ALARM TYPE: Possible spoof
> > IP PACKET: TCP [192.168.100.100/1537]-->[217.9.192.38/80] l=0 f=0x2
> > DETAILED DESCRIPTION:
> > Return interface for IP packet is different than arrival.
> >
> > The apparent return address 192.168.100.100/1537 is always the same. The
> > return port number changes from time to time. I think the alarm is telling
> > me that a packet has arrived on the external interface (IP=217.9 etc) which
> > should be returned to 192.168.100.100 - is this correct?
> >
> > We know that 192.168.0.0/16 is reserved for private use and is not routed
> > over the Internet.
> >
> > Specifically the address 192.168.100.100 is actually present on the
> > Protected network - but the GB1000 continues to report spoofs when this
> > machine is shut down.
> >
> > The destination address for the packet 217.9.192.38/80 does not actually
> > exist - but the network 217.9.192.0 mask 21 is the DMZ and there are some
> > machines on it. From day to day the destination address changes within the
> > network 217.9.192.0 mask 21.
> >
> > The alarms are set to report anything more than 60 spoofs in 480 seconds -
> > and we see about 300 alarms per day.
> >
> > What is going on? Is this simply an attempt at denial of service? Or are
> > they trying to compromise the machines on the DMZ (or the machine in the
> > protected network) in some other way? If so, how?
> >
> > Any ideas would be most welcome.
> >
> > Regards,
> >
> > -- Graham Jones
> > Linnet Solutions Ltd.
> > [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> > 01953 717605 or
> > 077 74 894200
> >
> > ----------------------------------------------
> > To Unsubscribe: send mail to [EMAIL PROTECTED]
> > with "unsubscribe gb-users your_email_address
> > in the body of the message
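The spoof check and alarm threshold the thread talks about, as an added example written for this page (Python, not GNAT Box code): it parses an alarm record in the layout quoted above, flags an RFC 1918 source arriving on the EXTERNAL interface, which is exactly the traffic the upstream router's ingress filter removed, and applies a sliding-window form of the "more than 60 spoofs in 480 seconds" trigger. The sample record is constructed from the one quoted, and the check covers all three RFC 1918 ranges rather than only the 192.168.0.0/16 block the router was set to drop.

```python
import ipaddress
import re
from collections import deque

# RFC 1918 ranges. The thread blocked only 192.168.0.0/16; this covers all three.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed alarm record in the GNAT Box layout quoted in the thread.
SAMPLE_ALARM = """ALARM NO: 47
DATE: Wed 2001-08-29 09:06:24 GMT
INTERFACE: EXTERNAL (fxp1)
ALARM TYPE: Possible spoof
IP PACKET: TCP [192.168.100.100/1537]-->[217.9.192.38/80] l=0 f=0x2
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival."""

PACKET_RE = re.compile(r"IP PACKET: (\w+) \[([\d.]+)/(\d+)\]-->\[([\d.]+)/(\d+)\]")
IFACE_RE = re.compile(r"^INTERFACE: (\w+)", re.MULTILINE)

def parse_alarm(text):
    """Extract interface, protocol and the 5-tuple from one alarm record."""
    pkt, iface = PACKET_RE.search(text), IFACE_RE.search(text)
    if not pkt or not iface:
        raise ValueError("unrecognised alarm record")
    proto, src, sport, dst, dport = pkt.groups()
    return {"iface": iface.group(1), "proto": proto, "src": src,
            "sport": int(sport), "dst": dst, "dport": int(dport)}

def is_private_source(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def is_ingress_spoof(alarm):
    """An RFC 1918 source on the external interface cannot be legitimate:
    it is traffic the upstream router should already have dropped."""
    return alarm["iface"] == "EXTERNAL" and is_private_source(alarm["src"])

def exceeds_rate(times, limit=60, window=480):
    """Sliding-window form of the thread's 'more than 60 spoofs in 480 s' trigger.
    times: event times in seconds, ascending."""
    recent = deque()
    for t in times:
        recent.append(t)
        while t - recent[0] > window:   # drop events older than the window
            recent.popleft()
        if len(recent) > limit:
            return True
    return False
```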
