Protocol type 54 is the Next Hop Resolution Protocol
>From the Cisco Manuals on Configuring IP:
"NHRP provides an ARP-like solution that alleviates these NBMA network
problems. With NHRP, systems attached to an NBMA network can dynamically
learn the NBMA address of the other systems that are part of that network.
These systems can then directly communicate without using an intermediate
hop, which reduces traffic.
With NHRP, once the NBMA next hop is determined, the source can either start
sending IP packets to the destination (in a connectionless NBMA network such
as SMDS) or first establish a connection to the destination with the desired
bandwidth and quality of service (QOS) characteristics (in a
connection-oriented NBMA network such as ATM)."
> -----Original Message-----
> From: simon [SMTP:[EMAIL PROTECTED]]
> Sent: Sunday, May 09, 1999 9:04 PM
> To: firewalls
> Subject: intrusion via IP options and spoofing
>
> Hi,
>
> my network has been constantly under heavy intrusion
> recently and is giving me a big headache.
>
> My firewalls reported possible intrusiong via
> ipoptions.
> it reported the protocol used as 54 ( not TCP or UDP )
> and without any source port.
>
> Could it be a diagnostic program running IP options ?
> What are the possibilties and dangers ?
>
> There is also spoofing attempt by using fake ips e.g. 192.168.0.x
> protocol used is udp and source port is 137 ( a.k.a. nbname )
> going to destination port 137.
> How is this possible, though I'm using NAT within my network
> inside the internal interface of my firewall.
> But the spoofing is coming from the exteranl firewall interface.
>
> Last but not the least, I have probing as well.
>
> In some cases of probing and ip options, I have the ip address
> of the perpetrator.
>
> What should I do ?
>
> Any advice will be most appreciated.
>
> TIA.
>
> Best Regards,
>
> Simon
> Network Administrator
>
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
