RE: [FW1] Urgent. I'm under attack

Tue, 01 Aug 2000 21:19:07 -0700 


If I read your original message:
>The Source is an internal IP.
and
>I'm sure that IP spoofing is correct configured.
then you are telling us that the packets are coming from behind your
firewall.  If they are not then your IP spoofing is incorrect.  If they are
coming from behind your firewall, then you probably can track the large
number of packets coming from a "compromised" PC by looking at your hubs.
The smarter hubs will show you real time traffic reports per port.  If it is
a dumb hub then the blinking lights will help you find the "compromised" PC.
Good Hunting,
Mike Perry

> -----Original Message-----
> From: Martin H Hoz-Salvador [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 01, 2000 2:24 PM
> To: Jarmoc, Jeff
> Cc: 'Andre Toussaint'; 'Dirk Boenning'; 'Firewall-1 Mailing list'
> Subject: Re: [FW1] Urgent. I'm under attack
> 
> 
> 
> "Jarmoc, Jeff" wrote:
> > 
> > I'd take this a step further, see if your upstream provider 
> can block the
> > IPs.  Blocking them yourself keeps them from hitting your 
> network, but they
> > still traverse your circuit.
> 
> That's the first step.
> 
> For the second step I suggest to review your IP Spoofing 
> configuration.
> Usually the most simple configuration is having "This net" 
> for internal
> interface and "Others" for external interface.
> 
> About the connections? What kind of connections are? (ICMP/TCP/UDP) 
> What ports are being used? (telnet, 31337, 12345,  ... ? ) 
> 
> It's very important also to notify the destination network manager 
> (use WHOIS database or SOA records in DNS) that you're not the real
> origin for such attack and that He/She must verify their firewall/IDS
> records in order to try to protect their network also...
> 
> Regards.
> 
> -- M. Hoz
> 
> 
> ==============================================================
> ==================
>      To unsubscribe from this mailing list, please see the 
> instructions at
>                http://www.checkpoint.com/services/mailing.html
> ==============================================================
> ==================
> 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Reply via email to