On Jun 11, 7:07pm, Darwin Martinez wrote:
} Subject: Attack?
} I'm consistently seeing the following message on my FW-1.
} netbios_dgm 17.x.x.122 220.127.116.11 upd
} netbios_ns 17.x.x.121 18.104.22.168 upd
} Both of these appear on the "secure" side of the firewall's interface, yet
} my client has NO Class A 17 addresses, only network 10 addresses which I'm
} fwxlconf'ing to their appropriate Class C for the internet.
Looks like your client has a misconfigured device(s) on their network that
thinks its address is 17.x.x.x and is sending out broadcasts on the local
network. Time to break out the network sniffer tools.
} When I try to ping the above network 17 address, no luck.
Because the host you're using to send the ping packets thinks the route
to network 17 is out through the firewall.
If you configure another host on your client's network with a network
17 address, then it should be able to talk to the misconfigured device(s).
Maybe you'll get lucky and it will respond to a telnet or ftp connection
with a login banner that contains its name.
From: "Steven Johnson (BUS)" <johnson @
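One way to carry out the sniffer step suggested in the reply, as an added example that is not part of the original thread: it reads link-level capture lines and reports which source MAC addresses are sending NetBIOS UDP traffic from addresses outside the expected inside network. The capture lines, MAC addresses and full 17.0.0.x addresses are constructed stand-ins, and the `tcpdump -e -n` style line layout and the function name are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the inside network is 10.0.0.0/8, per the post ("only network 10").
EXPECTED_NET = ipaddress.ip_network("10.0.0.0/8")
NETBIOS_PORTS = {137, 138}  # netbios_ns, netbios_dgm

# Constructed sample lines modeled on `tcpdump -e -n` output; all values are made up.
SAMPLE_CAPTURE = """\
12:00:01.100000 00:a0:c9:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 17.0.0.121.137 > 17.255.255.255.137: UDP, length 50
12:00:01.200000 00:10:4b:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 10.1.2.3.137 > 10.255.255.255.137: UDP, length 50
12:00:02.300000 00:a0:c9:44:55:66 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 243: 17.0.0.122.138 > 17.255.255.255.138: UDP, length 201
12:00:03.400000 00:a0:c9:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 17.0.0.121.137 > 17.255.255.255.137: UDP, length 50
garbage line that should be skipped
"""

# timestamp, source MAC, destination MAC, link header, then "src_ip.src_port > ..."
LINE_RE = re.compile(
    r"^\S+ (?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > \S+ .*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > ",
    re.IGNORECASE,
)


def find_off_net_sources(capture_text, expected_net=EXPECTED_NET):
    """Map source MAC -> sorted off-net source IPs seen sending NetBIOS UDP."""
    suspects = defaultdict(set)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["sport"]) not in NETBIOS_PORTS:
            continue  # unparseable line or not NetBIOS name/datagram traffic
        try:
            src = ipaddress.ip_address(m["sip"])
        except ValueError:
            continue  # octet out of range, treat as a damaged line
        if src not in expected_net:
            suspects[m["smac"].lower()].add(str(src))
    return {mac: sorted(ips) for mac, ips in suspects.items()}


if __name__ == "__main__":
    for mac, ips in find_off_net_sources(SAMPLE_CAPTURE).items():
        print(f"{mac} is sourcing NetBIOS traffic as {', '.join(ips)}")
```

The MAC address is useful even though the device cannot be pinged: it can be matched against a switch's forwarding table or an asset inventory to locate the physical port or machine.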