IDS mailing list archives

Re: possible causes of source and destination ip from external network


From: Tony Rall <trall () almaden ibm com>
Date: Mon, 21 Jun 2004 19:47:46 -0700

On Saturday, 2004-06-19 at 22:09 ZE8, "Annie Green" <annie_r_green () hotmail com> wrote:
> What would be the possible causes of the IDS alert that shows source ip and
> destination ip from external network? Also, why did the router route this
> packet in the first place?

An extremely remote possibility is that source routing was used to direct 
external source traffic through your network (but you really shouldn't be 
allowing source routed packets into your network).  But what is much more 
likely is that you have a machine on your net using the wrong IP address. 
One example of that is a simple misconfiguration (a machine was used on 
some other network and then erroneously connected to your network without 
changing its config).  And then it could be an infected machine spoofing 
the source address.

Tony Rall
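
The following is an added example, not part of the original message: a triage sketch that checks a raw IPv4 header for the source-route options (LSRR/SSRR) and for whether either endpoint is inside the site's address space. The `INTERNAL_NETS` prefix, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumption: the monitored site's address space (constructed, documentation prefix).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}  # IPv4 option types from RFC 791

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def source_route_options(header):
    """Return the names of source-route options present in a raw IPv4 header."""
    ihl = (header[0] & 0x0F) * 4          # header length in bytes
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                         # malformed option length, stop parsing
        if kind in SOURCE_ROUTE_OPTS:
            found.append(SOURCE_ROUTE_OPTS[kind])
        i += opts[i + 1]
    return found

def triage(header):
    """Map one IPv4 header onto the causes listed in the reply above."""
    src = ipaddress.ip_address(header[12:16])
    dst = ipaddress.ip_address(header[16:20])
    if is_internal(src) or is_internal(dst):
        return "one endpoint is internal"
    if source_route_options(header):
        return "external-to-external, source routed"
    return "external-to-external, no source route: check for a local host with a wrong or spoofed address"

def build_header(src, dst, options=b""):
    """Build a constructed sample IPv4 header (checksum left at zero)."""
    ihl = (20 + len(options)) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options
```

The header alone cannot say which local machine sent the packet; for the last case the source MAC address seen on the monitored segment is the usual next lead.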
