Re: Eventid 15108... spoof address ????



Hi Maxibo,

Thanks for your reply.

I appreciate your time on the issue and I look forward to hearing from
you.

Best regards,

Crina Li (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Maxibo" <totallyanon@xxxxxxxxx>
| Subject: Re: Eventid 15108... spoof address ????
| Date: Thu, 8 Dec 2005 07:53:04 -0000
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hello Crina, many thanks for the informative reply. I will review /
| implement today and let you know my findings.
|
| Thanks again
|
|
| ""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:J2HRBW6%23FHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi Maxibo,
| >
| > Thank you for posting in SBS newsgroup.
| >
| > From your problem description, I understand this issue to be: you get the
| > Warning event 15108 on your SBS 2k3 machine with ISA 2004. If I have
| > misunderstood your concerns, please do not hesitate to let me know.
| >
| > Basically, the ISA server identifies the spoof attacking according to the
| > routing table and the LAT (for ISA 2004 server, it's the address range of
| > the internal network object). If the ISA server receives a package with an
| > internal IP as source address from the external port, the package would be
| > treated as a spoof attack. For a normal ISA server, the event just reports
| > the blocked intrusions.
| >
| > Please open the ISA management console, navigate to
| > Configuration->Networks, on the middle pane, double click the Internal
| > object, go to the Addresses tab, is the correct address range listed?
| > Please delete any irrelevant entries. Then click Apply to save the
| > settings.
| >
| > Also, can you tell me if the IP address recorded in the event log is one of
| > the IP addresses of the internal client?
| >
| > Since the SBS server is connecting to the internet, it's expected that the
| > server could receive some spoof attacks from the internet. The ISA server
| > is a firewall product. The potential attacking packages would be blocked by
| > the ISA server. With the alert function enabled, the attacking activities
| > are logged in the event log. You may also see the blocked packages through
| > the firewall log.
| >
| > In most cases, the 15108 spoof attack event is normal for an ISA computer.
| > If you receive many alerts from a consistent public IP address, you may
| > need to contact the ISP and let them block the particular host. You may
| > also report the attacker's address to your local security or legal agent.
| >
| > This behavior may also occur if both of the following conditions are true:
| >
| > - The internal network adapter on the ISA Server computer points to a
| > default gateway address that is on the internal network.
| > - The network adapter on the server that has the published resource points
| > to the same internal default gateway address as the ISA Server computer.
| >
| > To resolve this behavior, please perform the following steps:
| >
| > 1. Double check if you have removed the default gateway address on the
| > internal network adapter of the ISA Server computer. For ISA Server to
| > function correctly, the internal network adapter should not have a default
| > gateway specified.
| >
| > 1) Click "Start", point to "Settings", and then click "Network and Dial-up
| > Connections".
| > 2) Right-click the internal adapter, and then click "Properties".
| > 3) Click "Internet Protocol (TCP/IP)", and then click "Properties".
| > 4) Remove the default gateway address in the "Default gateway" box, and
| > then click "OK" two times.
| >
| > 2. If there are other internal networks that send and receive traffic
| > through the ISA Server computer, use the route add command with the -p
| > switch to add a persistent static route to each internal network. When you
| > specify the gateway address, point to the internal router that permits
| > access to the other internal networks. Configure persistent static routes
| > on the internal adapter of the ISA Server computer and on the server that
| > has the published resource. For more information about how to use the
| > route command, type route /? at a command prompt.
| >
| > 3. On the server that has the published resource, configure the default
| > gateway address to point to the internal address of the ISA Server
| > computer.
| >
| > 1) Click "Start", point to "Settings", and then click "Network and Dial-up
| > Connections".
| > 2) Right-click the internal adapter, and then click "Properties".
| > 3) Click "Internet Protocol (TCP/IP)", and then click "Properties".
| > 4) In the "Default gateway" box, type the internal address of the ISA
| > Server computer, and then click "OK" two times.
| >
| > 4. Please rerun the CEICW again to configure ISA as default settings.
| > Please refer to the following KB article:
| >
| > 825763 How to configure Internet access in Windows Small Business Server 2003
| > http://support.microsoft.com/?id=825763
| >
| > For more info, please refer to:
| >
| > 888042 ISA Server 2004 does not support traffic redirection
| > http://support.microsoft.com/?id=888042
| >
| > 884496 Client computers cannot access external resources, and event ID 14147
| > http://support.microsoft.com/?id=884496
| >
| > 840681 Attempts to access published resources are logged as spoof attacks with
| > http://support.microsoft.com/?id=840681
| >
| > Besides, please check the following:
| >
| > 1. Check to see if a WINS server is listed on the WINS tab of TCP/IP
| > properties for existing External network adapters. If there is, remove it.
| > 2. Please disable NetBIOS over TCP/IP on the External adapter from External
| > Connection Properties\TCP/IP properties\Advanced\Wins tab.
| > 3. Update the NIC drivers.
| >
| > Please do not hesitate to let me know if you have any questions or if you
| > need further assistance.
| >
| > I appreciate your time and look forward to your reply.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: "Maxibo" <totallyanon@xxxxxxxxx>
| > | Subject: Eventid 15108... spoof address ????
| > | Date: Thu, 8 Dec 2005 00:07:45 -0000
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | ISA Server detected a spoof attack from Internet Protocol (IP) address
| > | 169.254.142.51. A spoof attack occurs when an IP address that is not
| > | reachable via the interface on which the packet was received. If logging
| > | for dropped packets is set, you can view details in the packet filter log.
| > | Found the mentioned IP in DNS settings and just trying to understand what
| > | is happening?
| > | Anyone got any ideas.
| > | Cheers
| > |
| >
|
|
|
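
Added example, not part of the thread and not ISA Server code: a simplified model of the check described above, where a source address that belongs to a different network than the adapter it arrived on is reported as a spoof. The network ranges, the function names and the assumption that 169.254.142.51 was seen on the internal adapter are constructed for illustration.

```python
import ipaddress

# Constructed network definitions in the style of ISA 2004 network objects.
# The 192.168.16.0/24 range is a placeholder, not a value from the thread.
NETWORKS = {
    "internal": ["192.168.16.0/24"],
    "external": ["0.0.0.0/0"],  # stands in for "everything not listed elsewhere"
}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # APIPA self-assigned range


def owning_network(src, networks=NETWORKS):
    """Name of the network whose most specific range contains src."""
    addr = ipaddress.ip_address(src)
    best_name, best_len = None, -1
    for name, ranges in networks.items():
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def check_packet(src, received_on, networks=NETWORKS):
    """Return (is_spoof, reason) for a source address seen on an adapter."""
    owner = owning_network(src, networks)
    if owner == received_on:
        return False, "source matches the receiving network"
    reason = f"source belongs to '{owner}' but arrived on '{received_on}'"
    if ipaddress.ip_address(src) in LINK_LOCAL:
        reason += "; link-local source, look for a local adapter without a DHCP lease"
    return True, reason


if __name__ == "__main__":
    # Constructed observations: (source address, adapter the packet arrived on).
    for src, nic in [("169.254.142.51", "internal"),
                     ("192.168.16.20", "external"),
                     ("192.168.16.20", "internal"),
                     ("203.0.113.9", "external")]:
        print(src, nic, check_packet(src, nic))
```

A 169.254.x.x source is self-assigned rather than routed from the Internet, so an alert naming one points at a machine on the local segment, which fits the poster finding the address in DNS.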
