You haven't really given us much to go on -- no clue what the 
address range is, whether there are other machines on it, what 
make/model/version VPN it is, whether it's being used to provide site-
to-site connectivity or remote individual connectivity.  Not even 
what the geographical region is.
  In fact, we can't even tell whether you're seeing outbound packets, 
or inbound packets apparently trying to reply to outbound traffic 
that shouldn't and doesn't exist.

  Sure, it could be a smurf attempt, or side-effects of someone 
spoofing you as the source address.  (There are a couple of ways a 
spoofer might be managing to sniff the return traffic.)
  But it could just as easily be one of your own users with an 
incorrect default gateway set, or perhaps leakage of route 
information for this link to other routers within your 
organization....

David Gillett


On 15 Jun 2001, at 8:17, Norris, Wayne wrote:

> Hi,
> 
> Can anyone shed some light on the following.
> 
> We have multiple connections to the internet, one of which is used purely as
> a VPN connection. It is not used for Mail, browsing etc etc. I recently
> noted some strange activity in the logs on the perimeter router.
> 
> IP addresses supposedly coming from our registered address space assigned to
> this link, are trying to access various remote sites, FTP, WWW, RPC etc.
> 
> There is not a great deal of activity like this, but the destinations always
> seem to be in the same geographic areas.
> 
> The question is, how are the packets trying to route via this link, if the
> destination addresses he/she is trying to get to are not in any way
> connected to our organisation, and the source addresses are supposedly ours
> ?
> 
> And what would be the point, as the traffic back would route to us ? 
> 
> Could this be part of a DDOS ?
> 
> Many thanks
> 
> Wayne
> 
> 
> 
> 
> EUROPEAN FINANCIAL DATA SERVICES (UK) LTD Tel: +44 1277 84 2700
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
> 
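
An added example, not part of either message: a small Python triage that sorts logged packets into the cases the reply distinguishes (outbound from inside, arriving from outside with your source addresses, or inbound to your range). The log format, the interface names ext0/int0 and the 192.0.2.0/24 range are constructed assumptions, not details from the thread.

```python
import ipaddress
from collections import Counter

# Assumptions for this example: a documentation prefix standing in for the
# registered range on the VPN link, and made-up interface names.
OUR_RANGE = ipaddress.ip_network("192.0.2.0/24")
EXTERNAL_IF, INTERNAL_IF = "ext0", "int0"

# Constructed log lines: <arrival interface> <proto> <src> -> <dst>:<port>
SAMPLE_LOG = """\
ext0 tcp 192.0.2.45 -> 198.51.100.7:21
ext0 tcp 192.0.2.45 -> 198.51.100.9:80
int0 tcp 192.0.2.10 -> 203.0.113.5:111
ext0 tcp 203.0.113.80 -> 192.0.2.45:1042
int0 udp 10.1.1.20 -> 203.0.113.5:53
"""

def classify(line):
    """Label one log line by where it arrived and whose addresses it uses."""
    iface, _proto, src, _arrow, dst = line.split()
    src_ours = ipaddress.ip_address(src) in OUR_RANGE
    dst_ours = ipaddress.ip_address(dst.rsplit(":", 1)[0]) in OUR_RANGE
    if iface == EXTERNAL_IF and src_ours:
        # Our address as source, but the packet came in from the Internet
        # side: consistent with someone spoofing the range.
        return "our-source-arriving-from-outside"
    if iface == EXTERNAL_IF and dst_ours:
        # Traffic addressed to us; may be replies to packets we never sent.
        return "inbound-to-our-range"
    if iface == INTERNAL_IF and src_ours and not dst_ours:
        # Genuinely outbound, e.g. a host with the wrong default gateway.
        return "outbound-from-inside"
    return "other"

def summarize(log_text):
    """Count labels over all non-empty lines."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {label}")
```

The labels only narrow down which explanation to look at next; they do not by themselves prove spoofing or a misconfiguration.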

