Constant stream of spoofed packets

Looking at the packet filter live log, I see a stream of spoofed packets from a variety of IPs/ports to a variety of IPs/ports. I started looking because 2 Vista PCs and 1 Win7 PC suddenly think they have only local network access, no Internet, plus 1 PC this morning got a Koobface infection. I have shut it down and a system-wide scan shows no other infections. But I don't know what all of these spoofed packets mean.

  • Spoofing is set to Normal. Here are some records from the packet filter log. I zeroed the MAC addresses, but each spoof is from and to a different MAC/IP:

    2010:07:28-00:00:16 HotardNO ulogd[3291]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" seq="0" initf="eth4" dstmac="00000000000" srcmac="00000000000" srcip="10.9.x.x" dstip="255.255.255.255" proto="17" length="328" tos="0x00" prec="0x00" ttl="128" srcport="67" dstport="68" 
    2010:07:28-00:00:16 HotardNO ulogd[3291]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" seq="0" initf="eth4" dstmac="00000000000000" srcmac="0000000000000" srcip="10.9.x.x" dstip="255.255.255.255" proto="17" length="328" tos="0x00" prec="0x00" ttl="128" srcport="67" dstport="68" 
    2010:07:28-00:00:17 HotardNO ulogd[3291]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" seq="0" initf="eth4" dstmac="0000000000000" srcmac="000000000000" srcip="10.9.x.x" dstip="255.255.255.255" proto="17" length="276" tos="0x00" prec="0x00" ttl="64" srcport="68" dstport="67" 
    2010:07:28-00:00:20 HotardNO ulogd[3291]: id="2005" severity="info" sys="SecureNet" sub="packetfilter" name="IP spoofing drop" action="IP spoofing drop" fwrule="60008" seq="0" initf="eth4" dstmac="000000000000" srcmac="000000000000000" srcip="10.9.x.x" dstip="192.168.x.x" proto="1" length="44" tos="0x00" prec="0x00" ttl="255" type="8" code="0"
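
For triaging drops like the ones pasted above, this added example (not part of the original thread and not the vendor's tooling) parses the `key="value"` log format and counts spoofing drops per ingress interface, source IP and traffic type. The sample lines, host name and addresses are constructed; the decoding relies only on the standard assignments of UDP 67/68 to DHCP and ICMP type 8 to echo request.

```python
import re
from collections import Counter

# Constructed sample lines in the same key="value" layout as the log above.
# The last line is a different (non-spoofing) event and must be ignored.
SAMPLE = '''\
2010:07:28-00:00:16 fw ulogd[3291]: id="2005" name="IP spoofing drop" fwrule="60008" initf="eth4" srcip="10.9.0.1" dstip="255.255.255.255" proto="17" srcport="67" dstport="68"
2010:07:28-00:00:16 fw ulogd[3291]: id="2005" name="IP spoofing drop" fwrule="60008" initf="eth4" srcip="10.9.0.1" dstip="255.255.255.255" proto="17" srcport="67" dstport="68"
2010:07:28-00:00:17 fw ulogd[3291]: id="2005" name="IP spoofing drop" fwrule="60008" initf="eth4" srcip="10.9.0.23" dstip="255.255.255.255" proto="17" srcport="68" dstport="67"
2010:07:28-00:00:20 fw ulogd[3291]: id="2005" name="IP spoofing drop" fwrule="60008" initf="eth4" srcip="10.9.0.40" dstip="192.168.1.10" proto="1" type="8" code="0"
2010:07:28-00:00:21 fw ulogd[3291]: id="2001" name="Packet dropped" fwrule="60001" initf="eth0" srcip="198.51.100.7" dstip="192.0.2.1" proto="6" srcport="51000" dstport="23"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(FIELD.findall(line))

def classify(rec):
    """Name the traffic from the IP protocol number plus ports or ICMP type."""
    proto = rec.get("proto")
    if proto == "17":  # UDP
        ports = (rec.get("srcport"), rec.get("dstport"))
        if ports == ("67", "68"):
            return "DHCP server reply"
        if ports == ("68", "67"):
            return "DHCP client request"
        return "UDP %s->%s" % ports
    if proto == "1":  # ICMP
        return "ICMP echo request" if rec.get("type") == "8" else f"ICMP type {rec.get('type')}"
    return f"proto {proto}"

def summarize(text):
    """Count spoofing drops per (ingress interface, source IP, traffic class)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec.get("name") == "IP spoofing drop":
            counts[(rec.get("initf", "?"), rec.get("srcip", "?"), classify(rec))] += 1
    return counts

if __name__ == "__main__":
    for (iface, src, kind), n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {iface}  {src:<15}  {kind}")
```

Grouping by `initf` and `srcip` shows at a glance which interface the flagged source addresses arrive on and whether the drops are DHCP broadcasts, pings or something else.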