
List:       firewall-wizards
Subject:    RE: [fw-wiz] Spoofed SMTP _outbound_
From:       Karl Vogel <karl.vogel () seagha ! com>
Date:       2002-01-17 8:29:47

If your router is a Cisco, then you could add 'log-input' to the ACL. Once you
do that, it will log the incoming interface and for Ethernet it will show the
MAC address of the source. Once you have the MAC address, you can determine
which machine is doing the spoofing (if all the machines are connected by
Catalyst switches, you can use 'show mac-address-table address xxxx.xxxx.xxxx'
to find out which port the machine is connected to).

Regards,
Karl.
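
To make the above suggestion concrete from the defender's side, here is an added Python example (not from either poster) that parses Cisco ACL log lines as produced with 'log-input', in the assumed %SEC-6-IPACCESSLOGP format, and groups denied sources by the logged interface and source MAC: the one MAC behind many claimed source addresses is the box to look up with 'show mac-address-table'. The log lines are constructed from the thread's anonymised addresses.

```python
import re
from collections import defaultdict

# Assumed IOS syslog format for an ACL entry with 'log-input' (input interface
# and source MAC in parentheses after the source address:port).
LOG_INPUT_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) "
    r"\((?P<iface>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample log: one MAC cycling through several claimed source IPs,
# plus one ordinary host on the same interface.
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 99.99.99.9(1328) (FastEthernet0/0 0010.a4e3.1234) -> 00.00.00.159(25), 138 packets
%SEC-6-IPACCESSLOGP: list 101 denied tcp 99.99.99.10(1329) (FastEthernet0/0 0010.a4e3.1234) -> 00.00.00.159(25), 12 packets
%SEC-6-IPACCESSLOGP: list 101 denied tcp 99.99.99.11(1330) (FastEthernet0/0 0010.a4e3.1234) -> 00.00.00.159(25), 7 packets
%SEC-6-IPACCESSLOGP: list 101 denied tcp 99.99.99.42(2048) (FastEthernet0/0 00d0.b7a1.cafe) -> 00.00.00.200(25), 1 packet
"""


def parse_log_input(text):
    """Yield one dict per ACL log line that carries an input interface and source MAC."""
    for line in text.splitlines():
        m = LOG_INPUT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            yield rec


def spoof_suspects(text, min_sources=2):
    """Group log lines by (interface, MAC) and keep only MACs that claimed
    at least min_sources distinct source IPs, i.e. the likely spoofer.
    Returns {(iface, mac): {"sources": [sorted ips], "packets": total}}."""
    by_mac = defaultdict(lambda: {"sources": set(), "packets": 0})
    for rec in parse_log_input(text):
        key = (rec["iface"], rec["mac"])
        by_mac[key]["sources"].add(rec["src"])
        by_mac[key]["packets"] += rec["count"]
    return {
        key: {"sources": sorted(v["sources"]), "packets": v["packets"]}
        for key, v in by_mac.items()
        if len(v["sources"]) >= min_sources
    }


if __name__ == "__main__":
    for (iface, mac), info in spoof_suspects(SAMPLE_LOG).items():
        print(f"{iface} {mac}: {len(info['sources'])} claimed sources, {info['packets']} packets")
        print(f"  next: show mac-address-table address {mac}")
```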

-----Original Message-----
From: Jay Epperson [mailto:jepperso@mail.vak12ed.edu]
Sent: Wednesday, January 16, 2002 22:14
To: firewall-wizards@nfr.com
Subject: [fw-wiz] Spoofed SMTP _outbound_


We're seeing source-spoofed traffic outbound from one of our segments to the
SMTP port on a variety of outside addresses.  The denials are like:

denied tcp 99.99.99.9(1328) -> 00.00.00.159(25), 138 packets

(not the real network numbers)
Where the source address cycles through all addresses on the IP segment
(1-254) and the destination stays fixed through such a run.  Since the
majority of the source addresses don't actually exist on our network, it
smells like part of a DOS, or a one-way vulnerability attack intended to
open up access to the target from somewhere besides here.  Still working to
capture enough information to identify the actual source platform, but if
anyone can tell us what kind of animal we might be tracking, it could help.
Boxes on the segment are all either Linux (new), HP-UX (mature), or AIX
(ancient).

Thanks for any help.  Apologies in advance if this is an inappropriate
posting for this forum.

regards,
j.
jepperso@mail.vak12ed.edu

_______________________________________________
firewall-wizards mailing list
firewall-wizards@nfr.com
http://list.nfr.com/mailman/listinfo/firewall-wizards
