I get these all the time, too. In our case, it is because we have a W2K machine
behind a GB-1000 providing VPN to an internal network. When a remote user is VPN'd to
the W2K machine, the reply to any probe hitting the remote user's machine is routed
through the VPN tunnel. The W2K machine then attempts to forward the packet to the
Internet. The source address is the address the remote user's ISP assigned to his
machine. The destination address is the address of the probing machine.
Don't know that this is your situation, but it doesn't hurt to mention it.
----- Original Message -----
From: M Pilletere
To: [EMAIL PROTECTED]
Sent: Wednesday, May 15, 2002 9:26 AM
Subject: [gb-users] Problem with spoofing alarms
Hi,
I have been getting tons of this type of message over the past 2 weeks. Prior I
only got 1 or 2 a month. None or most of the addresses are not on my
network nor my ISP's. Any insight would be helpful.
Mike
ALARM NO: 1
DATE: Wed 2002-05-15 10:12:47 EDT
INTERFACE: PSN (fxp2)
INTERFACE TYPE: Private service network (PSN)
ALARM TYPE: Possible spoof
IP PACKET: TCP [208.61.162.43/6346]-->[213.121.89.86/39932] l=0 f=0x14
[adsl-61-162-43.mco.bellsouth.net/6346]-->[host213-121-89-86.in-addr.btopenworld.com/39932]
DETAILED DESCRIPTION:
Return interface for IP packet is different than arrival.
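
The check named in the alarm's detailed description (return interface differs from arrival interface) can be reproduced offline to triage these alarms. The following is an added example, not part of either message and not the GB firewall's own code; the routing table, its prefixes and the interface names other than fxp2 are constructed assumptions.

```python
import ipaddress
import re

# Constructed routing table (assumption): only the name fxp2 comes from the
# alarm; the prefixes and the other interface names are made up.
ROUTES = [
    ("192.168.2.0/24", "fxp2"),  # PSN subnet (constructed)
    ("192.168.1.0/24", "fxp1"),  # protected network (constructed)
    ("0.0.0.0/0", "fxp0"),       # default route via the external interface
]
# Alarm fields copied from the message above.
ALARM = """INTERFACE: PSN (fxp2)
ALARM TYPE: Possible spoof
IP PACKET: TCP [208.61.162.43/6346]-->[213.121.89.86/39932] l=0 f=0x14
"""
PACKET_RE = re.compile(
    r"IP PACKET:\s*(\w+)\s*\[([\d.]+)/(\d+)\]-->\[([\d.]+)/(\d+)\]")
IFACE_RE = re.compile(r"^INTERFACE:\s*\S+\s*\((\w+)\)", re.M)

def parse_alarm(text):
    """Extract the arrival interface and packet addresses from an alarm body."""
    pkt = PACKET_RE.search(text)
    iface = IFACE_RE.search(text)
    if not pkt or not iface:
        raise ValueError("not a recognisable alarm")
    proto, src, sport, dst, dport = pkt.groups()
    return {"iface": iface.group(1), "proto": proto,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}

def return_interface(addr, routes=ROUTES):
    """Longest-prefix match: the interface a reply to addr would leave on."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def reverse_path_check(alarm, routes=ROUTES):
    """Return (ok, expected_iface); ok is False when arrival != return path."""
    expected = return_interface(alarm["src"], routes)
    return expected == alarm["iface"], expected
```

With this table, the alarm's source 208.61.162.43 arrives on fxp2 but would be answered via fxp0, so the check fails; an internal host forwarding a packet with a foreign source address produces the same mismatch as a forged source.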