Re: Eventid 15108... spoof address ????

Hi Crina

This spoof address is appearing every minute in the event log and damn if I
can find it. Site has recently had SBS SP1 installed.

LAT table has the 192.168.16.2 range.

The 169 address I understand as a pc not obtaining an IP address from a
source i.e DHCP. All pcs are on the network and have a correct IP

I have also seen active sync 4 generating this 169 address, no palmtops
connected on site.

I am still learning ISA 2004, ISA 2000 I could go straight to the firewall
logs, where are they in 2004?...lol

I can view the ' sessions ' in ISA monitoring and this IP doesn't appear at
any time.

169 address is not public so unsure if it is a pc externally? No pcs connect
remotely (except me) Was wondering if it was something to do with RAS but
then the IP appears when I am not connected.

I did find it listed in DNS as an A record and everytime I delete it it
comes back.



""Crina Li"" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:J2HRBW6%23FHA.3764@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Maxibo,
>
> Thank you for posting in SBS newsgroup.
>
> From your problem description, I understand this issue to be: you get the
> Warning event 15108 on your SBS 2k3 machine with ISA 2004. If I have
> misunderstood your concerns, please do not hesitate to let me know.
>
> Basically, the ISA server identifies the spoof attacking according to the
> routing table and the LAT (for ISA 2004 server, it's the address range of
> the internal network object). If the ISA server receives a package with an
> internal IP as source address from the external port, the package would be
> treated as a spoof attack. For a normal ISA server, the event just reports
> the blocked intrusions.
>
> Please open the ISA management console, navigate to
> Configuration->Networks, on the middle pane, double click the Internal
> object, go to the Addresses tab, is the correct address range listed?
> Please delete any irrelevant entries. Then click Apply to save the
> settings.
>
> Also, can you tell me if the IP address recorded in the event log is one
> of
> the IP address of the internal client?
>
> Since the SBS server is connecting to the internet, it's expected that the
> server could receive some spoof attacks from the internet. The ISA server
> is a firewall product. The potential attacking packages would be blocked
> by
> the ISA server. With the alert function enabled, the attacking activities
> are logged in the event log. You may also see the blocked packages through
> the firewall log.
>
> In most cases, the 15108 spoof attack event is normal for an ISA computer.
> If you receive many alerts from a consistent public IP address, you may
> need to contact the ISP and let them block the particular host. You may
> also report the attacker's address to your local security or legal agent.
>
> This behavior may also occur if both of the following conditions are true:
>
> - The internal network adapter on the ISA Server computer points to a
> default gateway address that is on the internal network.
> - The network adapter on the server that has the published resource points
> to the same internal default gateway address as the ISA Server computer.
>
> To resolve this behavior, please perform the following steps:
>
> 1. Double check if you have removed the default gateway address on the
> internal network adapter of the ISA Server computer. For ISA Server to
> function correctly, the internal network adapter should not have a default
> gateway specified.
>
> 1) Click "Start", point to "Settings", and then click "Network and Dial-up
> Connections".
> 2) Right-click the internal adapter, and then click "Properties".
> 3) Click "Internet Protocol (TCP/IP)", and then click "Properties".
> 4) Remove the default gateway address in the "Default gateway" box, and
> then click "OK" two times.
>
> 2. If there are other internal networks that send and receive traffic
> through the ISA Server computer, use the route add command with the -p
> switch to add a persistent static route to each internal network. When you
> specify the gateway address, point to the internal router that permits
> access to the other internal networks. Configure persistent static routes
> on the internal adapter of the ISA Server computer and on the server that
> has the published resource. For more information about how to use the
> route
> command, type route /? at a command prompt.
>
> 3. On the server that has the published resource, configure the default
> gateway address to point to the internal address of the ISA Server
> computer.
>
> 1) Click "Start", point to "Settings", and then click "Network and Dial-up
> Connections".
> 2) Right-click the internal adapter, and then click "Properties".
> 3) Click "Internet Protocol (TCP/IP)", and then click "Properties".
> 4) In the "Default gateway" box, type the internal address of the ISA
> Server computer, and then click "OK" two times.
>
> 4. Please rerun the CEICW again to configure ISA as default settings.
> Please refer to the following KB article:
>
> 825763 How to configure Internet access in Windows Small Business Server
> 2003
> http://support.microsoft.com/?id=825763
>
> For more info, please refer to:
>
> 888042 ISA Server 2004 does not support traffic redirection
> http://support.microsoft.com/?id=888042
>
> 884496 Client computers cannot access external resources, and event ID
> 14147
> http://support.microsoft.com/?id=884496
>
> 840681 Attempts to access published resources are logged as spoof attacks
> with
> http://support.microsoft.com/?id=840681
>
> Besides, please check the following:
>
> 1. Check to see if a WINS server is listed on the WINS tab of TCP/IP
> properties for existing External network adapters. If there is remove it.
> 2. Please disable NetBIOS over TCP/IP on the External adapter from
> External
> Connection Properties\TCP/IP properties\Advanced\Wins tab.
> 3. Updated the NIC drivers.
>
> Please do not hesitate to let me know if you have any questions or if you
> need further assistance.
>
> I am appreciated your time and look forward to your reply.
>
> Best regards,
>
> Crina Li (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
>
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> --------------------
> | From: "Maxibo" <totallyanon@xxxxxxxxx>
> | Subject: Eventid 15108... spoof address ????
> | Date: Thu, 8 Dec 2005 00:07:45 -0000
> | | Newsgroups: microsoft.public.windows.server.sbs
> | |
> | ISA Server detected a spoof attack from Internet Protocol (IP) address
> 169.254.142.51. A spoof attack occurs when an IP address that is not
> reachable via the interface on which the packet was received. If logging
> for dropped packets is set, you can view details in the packet filter log.
> | Found the mentioned IP in DNS settings and just trying to understand
> what
> is happening ?
> | Any one got any ideas.
> | Cheers
> |
>


.

Relevant Pages

  • Re: Intermittent Firewall 15108 Events on SBS2003/ISA2004
    ... This newsgroup only focuses on SBS technical issues. ... of |> the internal network object). ... If the ISA server receives a package with an |> internal IP as source address from the external port, the package would be |> treated as a spoof attack. ... |> 825763 How to configure Internet access in Windows Small Business ...
    (microsoft.public.windows.server.sbs)
  • Re: Eventid 15108... spoof address ????
    ... This newsgroup only focuses on SBS technical issues. ... the ISA server identifies the spoof attacking according to ... |> the internal network object). ... |> server could receive some spoof attacks from the internet. ...
    (microsoft.public.windows.server.sbs)
  • Re: Eventid 15108... spoof address ????
    ... Microsoft CSS Online Newsgroup Support ... the ISA server identifies the spoof attacking according to ... |> the internal network object). ... |> server could receive some spoof attacks from the internet. ...
    (microsoft.public.windows.server.sbs)
  • RE: Spoof Attack
    ... some spoof attacks from the internet. ... The potential attacking packages would be blocked by the ISA server. ... the 15108 spoof attack event is normal for an ISA computer. ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • RE: Intermittent Firewall 15108 Events on SBS2003/ISA2004
    ... Thank you for posting in SBS newsgroup. ... the ISA server identifies the spoof attacking according to the ... the internal network object). ... 825763 How to configure Internet access in Windows Small Business Server ...
    (microsoft.public.windows.server.sbs)
Loading