detecting spoof attempts
dave madden
dhm@mersenne.com
Fri, 1 Oct 1999 09:09:29 -0700
I have a rule in my firewall to drop packets that come from 10.x.x.x,
which is one of the RFC-1918 private addresses. I believe that I
shouldn't see such packets on my outside interface. However, I have
64 hits on my filter:
Oct 1 09:03:57 detox kernel: SPOOF!IN=eth0 OUT= SRC=10.10.12.231 DST=63.193.149.175 LEN=40 TOS=0x00 TTL=53 ID=42180 PROTO=TCP SPT=80 DPT=36633 SEQ=3201852836 ACK=2574307187 WINDOW=32752 RES=0x000000 ACK FIN URGP=0
The SRC address (!) is changing: I have packets from addresses between
10.10.12.227 and 10.10.12.233, all s-port 80, d-port 366xx.
Does anybody know what this might mean? I don't think I have any way
to trace it back (except one router at a time, with all the attendant
red tape).
d.
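A way to triage hits like the one above before chasing them one router at a time, as an added example that is not from the post or its author: the script below parses netfilter LOG lines in the format shown, flags sources that fall inside the three RFC 1918 ranges, and records the source port and TCP flags of each hit. Those two fields are worth separating early, because a bare SYN aimed at a listening port is an inbound connection attempt, while an ACK/FIN segment from port 80 is what a web server sends when it closes a connection, so the two call for different follow-up. The log lines embedded in it are constructed, modelled on the one in the post (the first line is that line verbatim), and include a 172.32.0.1 source to show that the 172.16/12 boundary is respected and a non-LOG kernel line to show it is skipped.

```python
"""Triage netfilter LOG lines for RFC 1918 sources seen on the outside interface."""
import ipaddress
import re
from collections import Counter

# RFC 1918 private address space.  RFC 1918 requires that packets with these
# sources never leave a site, so one arriving on an Internet-facing interface
# is either spoofed or leaking from a misconfigured network along the path.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Bare tokens the netfilter LOG target emits for TCP flags and IP fragment bits.
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF", "CE"}

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log, modelled on the line in the post (first line verbatim).
SAMPLE_LOG = """\
Oct  1 09:03:57 detox kernel: SPOOF!IN=eth0 OUT= SRC=10.10.12.231 DST=63.193.149.175 LEN=40 TOS=0x00 TTL=53 ID=42180 PROTO=TCP SPT=80 DPT=36633 SEQ=3201852836 ACK=2574307187 WINDOW=32752 RES=0x000000 ACK FIN URGP=0
Oct  1 09:03:58 detox kernel: SPOOF!IN=eth0 OUT= SRC=10.10.12.227 DST=63.193.149.175 LEN=40 TOS=0x00 TTL=53 ID=42190 PROTO=TCP SPT=80 DPT=36640 SEQ=3201855000 ACK=2574310000 WINDOW=32752 RES=0x000000 ACK FIN URGP=0
Oct  1 09:04:01 detox kernel: SPOOF!IN=eth0 OUT= SRC=10.10.12.233 DST=63.193.149.175 LEN=52 TOS=0x00 TTL=53 ID=42201 PROTO=TCP SPT=80 DPT=36652 SEQ=3201860000 ACK=2574320000 WINDOW=32752 RES=0x000000 ACK PSH URGP=0
Oct  1 09:04:30 detox kernel: SPOOF!IN=eth0 OUT= SRC=192.168.1.5 DST=63.193.149.175 LEN=44 TOS=0x00 TTL=64 ID=1 PROTO=TCP SPT=1057 DPT=23 SEQ=1 ACK=0 WINDOW=8192 RES=0x000000 SYN URGP=0
Oct  1 09:04:35 detox kernel: SPOOF!IN=eth0 OUT= SRC=172.32.0.1 DST=63.193.149.175 LEN=40 TOS=0x00 TTL=60 ID=77 PROTO=TCP SPT=80 DPT=36660 SEQ=5 ACK=6 WINDOW=1024 RES=0x000000 ACK URGP=0
Oct  1 09:05:00 detox kernel: eth0: link up
"""


def parse_log_line(line):
    """Return a dict of KEY=VALUE fields plus a 'flags' set, or None when the
    line is not a netfilter LOG record (no IN= field)."""
    if "IN=" not in line:
        return None
    record = {key: value for key, value in KV_RE.findall(line)}
    # Tokens without '=' after the record start are flags ("ACK FIN"); the
    # ACK=<number> field is the acknowledgement number, a different thing.
    tail = line[line.index("IN="):]
    record["flags"] = {tok for tok in tail.split() if "=" not in tok and tok in FLAG_TOKENS}
    return record


def classify(record):
    """Mark whether the source is RFC 1918 and whether the segment looks like a
    connection attempt or like part of an already established connection."""
    src = ipaddress.ip_address(record["SRC"])
    record["private"] = any(src in net for net in RFC1918)
    flags = record["flags"]
    if record.get("PROTO") != "TCP":
        record["kind"] = "non-tcp"
    elif "SYN" in flags and "ACK" not in flags:
        record["kind"] = "connection attempt (SYN)"
    elif flags & {"ACK", "FIN", "RST"}:
        record["kind"] = "reply or teardown (ACK/FIN/RST)"
    else:
        record["kind"] = "other"
    return record


def summarize(log_text):
    """Parse every line, keep the RFC 1918 hits and summarise what they look like."""
    records = [classify(r) for r in map(parse_log_line, log_text.splitlines()) if r]
    hits = [r for r in records if r["private"]]
    return {
        "records": len(records),
        "rfc1918_hits": len(hits),
        "sources": sorted({r["SRC"] for r in hits}, key=ipaddress.ip_address),
        "source_ports": Counter(r["SPT"] for r in hits),
        "kinds": Counter(r["kind"] for r in hits),
        "ttls": sorted({int(r["TTL"]) for r in hits}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real log with `summarize(open("/var/log/messages").read())`; a cluster of hits that all share source port 80, ACK/FIN flags and a narrow TTL spread is one kind of problem, a spread of SYNs to service ports is another, and the distinct-source list tells you how wide the range of offending addresses is.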