Firewall Wizards: RE: Re: Wayyy too many spoofed packets

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Firewall Wizards mailing list archives

RE: Re: Wayyy too many spoofed packets

From: Frank Knobbe <frank () knobbe us>
Date: Fri, 21 Nov 2003 23:03:12 -0600

On Fri, 2003-11-21 at 22:52, Chris de Vidal wrote:

So why do I see so many inbound packets from the network coming through
eth0 with my IP?  The only explaination that makes sense is a router
somewhere rebroadcasting packets...


Those are packets FROM your IP for the network. They're not spoofed,
your box sends them to the network. 

+-------+   +----+
|You Box|---|eth0|---> network
+-------+   +----+

172.19.2.200 -> 172.19.255.255

netfilter logs that packet that is trying to leave your box. There is no
spoofed packets.

If you turn your box off, and use a different machine with tcpdump,
sniff the traffic and STILL capture packets with the turned off IP
address, then I believe you have spoofed packets floating around :) 
Until then, the way I see your description is that you are
logging/blocking VALID packets FROM your box to the network.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

By Date By Thread

Current thread:

Re: Wayyy too many spoofed packets, (continued)
- Re: Wayyy too many spoofed packets Chris de Vidal (Nov 21)
  - Re: Wayyy too many spoofed packets Frank Knobbe (Nov 21)
- RE: Re: Wayyy too many spoofed packets Bill Royds (Nov 21)
  - RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
    - RE: Re: Wayyy too many spoofed packets Chris de Vidal (Nov 23)
    - RE: Re: Wayyy too many spoofed packets Frank Knobbe (Nov 23)
  - RE: Re: Wayyy too many spoofed packets Daniel Linder (Nov 25)
    - RE: Re: Wayyy too many spoofed packets Chris de Vidal (Nov 25)