Re: Am I being attacked?




Without seeing the details of the packet log, I'd initially say that ISA is
doing its job.

/kj

"BoboTWG" <bobotwg@xxxxxxxxxxxxxxxxxxx> wrote in message
news:38exf.268$nT6.193@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> "/kj" <kj@xxxxxxxxxxx> wrote in message
> news:u4pbG9uFGHA.2472@xxxxxxxxxxxxxxxxxxxxxxx
>> Maybe if you posted the exact event log entries that concern you a more
>> direct approach can be used?
>
> OK. Here it goes.
>
> Source: Microsoft Firewall
> Category: Packet Filter
> Type: Warning
> Event ID: 15108
>
> Description:
> ISA Server detected a spoof attack from the Internet Protocol (IP) address
> 10.0.0.160. A spoof attack occurs when an IP address that is not reachable
> via the interface on which the packet was received. If logging for dropped
> packets is set, you can view details in the packet filter log.
>
> The IP addresses vary. This is just the latest one.
>
> Aaron
>>
>> /kj
>> "BoboTWG" <bobotwg@xxxxxxxxxxxxxxxxxxx> wrote in message
>> news:SOdxf.189$nT6.114@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>
>>> "Lanwench [MVP - Exchange]"
>>> <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>>> message news:eU4ZYfuFGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>>>> "BoboTWG" <bobotwg@xxxxxxxxxxxxxxxxxxx> wrote in message
>>>> news:FUbxf.15$or4.13@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>
>>>>> "Lanwench [MVP - Exchange]"
>>>>> <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>>>>> message news:eHotDVtFGHA.984@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>
>>>>>> "BoboTWG" <bobotwg@xxxxxxxxxxxxxxxxxxx> wrote in message
>>>>>> news:pwaxf.49805$BZ5.46334@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>>>> Hello. Had mucho problems last week when SBC went to upgrade our
>>>>>>> speed package on our DSL line. We were down for a couple of days due
>>>>>>> to them deciding to change our static IP addresses without our
>>>>>>> knowledge. It also turned out that we were dropping tons of packets
>>>>>>> but that was supposedly fixed when we did not route the DSL line
>>>>>>> through our UPS/Surge protector. I am noticing that I am still
>>>>>>> getting some "spoof attack" warnings in my event viewer. Is there
>>>>>>> any way to tell if this is caused by more hardware issues or if I am
>>>>>>> really getting attacked? Thanks in advance.
>>>>>>>
>>>>>>> Aaron
>>>>>>>
>>>>>>
>>>>>> You aren't using public IPs on your internal network for some reason,
>>>>>> are you? Nothing on your LAN should have changed just because your
>>>>>> public IP address changed.
>>>>>>
>>>>>> Do you run SBS Standard, or Premium w/ISA? If the former, what kind
>>>>>> of firewall are you connecting to (between your DSL modem and your
>>>>>> LAN-connected computers)?
>>>>>>
>>>>>
>>>>> Hi Lanwench. Thanks for the reply. Going to copy and paste your
>>>>> questions with my answers below to save me confusion.
>>>>>
>>>>> -You aren't using public IPs on your internal network for some reason,
>>>>> are you?
>>>>>
>>>>> Nope. My internal IP addresses are all 192.168.16.*
>>>>
>>>> Great....that is a good thing.
>>>>>
>>>>> -Nothing on your LAN should have changed just because your public IP
>>>>> address changed.
>>>>>
>>>>> Internally I was still up and running but could not hit the outside
>>>>> world and Exchange was down.
>>>>
>>>> "Exchange was down" means that it had no Internet connectivity but was
>>>> still fine for internal users?
>>>
>>> Yep, good for internal users. Not for external use.
>>>
>>>>>
>>>>> I am running SBS Premium w/ISA etc. Just using the built in firewall
>>>>> for now. The customer does not want to spring for more until they feel
>>>>> it is really needed.
>>>>
>>>> So you're using ISA, then, right? Not just the Windows firewall?
>>>
>>> Yep, ISA only.
>>>
>>> BoboTWG
>>>
>>>>>
>>>>> Thanks again. I look forward to your reply.
>>>>>
>>>>> Aaron
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
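The reverse-path test that event 15108 describes, written out as an added Python example (not from this thread and not ISA's own code); the internal address ranges and the packet records are constructed assumptions, and the per-source tally is the triage step a defender would run over the dropped-packet log to see whether the hits cluster on one host or are scattered noise.

```python
import ipaddress
from collections import Counter

# Constructed configuration (assumption, not the poster's actual ISA setup):
# the ranges the box treats as reachable via its internal interface, i.e. the
# poster's 192.168.16.0/24 plus the other RFC 1918 ranges. Everything else is
# assumed to be reached through the external, default-route interface.
INTERNAL_RANGES = [
    ipaddress.ip_network("192.168.16.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def expected_interface(src: str) -> str:
    """Interface through which the box would reach src."""
    ip = ipaddress.ip_address(src)
    return "internal" if any(ip in net for net in INTERNAL_RANGES) else "external"


def is_spoofed(src: str, arrived_on: str) -> bool:
    """The test behind event 15108: a packet is spoofed when its source
    address is not reachable via the interface it arrived on."""
    return expected_interface(src) != arrived_on


# Constructed sample of dropped-packet records: (source IP, arrival interface).
SAMPLE_PACKETS = [
    ("10.0.0.160", "external"),     # private source from the Internet side, as in the thread
    ("192.168.16.5", "internal"),   # ordinary LAN client, not spoofed
    ("192.168.16.77", "external"),  # LAN address arriving from outside
    ("10.0.0.160", "external"),     # same host again
    ("203.0.113.9", "external"),    # public (documentation-range) address, legitimate
    ("203.0.113.9", "internal"),    # public source appearing on the LAN side
]


def spoof_counts(packets):
    """Count spoof verdicts per source so repeats from one host stand out."""
    hits = Counter(src for src, iface in packets if is_spoofed(src, iface))
    return dict(hits)


if __name__ == "__main__":
    for src, count in sorted(spoof_counts(SAMPLE_PACKETS).items()):
        print(f"{src:15} spoofed packets: {count}")
```

A handful of hits spread across many unrelated sources reads differently from a steady stream from one address, which is the distinction the thread is trying to draw between line trouble and a directed probe.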




