Great Circle Associates Firewalls
(September 1996)
 


Subject: Spoofing Messages in the Log files
From: nmorrow @ magi . com (Norman Morrow)
Date: Mon, 2 Sep 1996 12:26:16 -0400 (EDT)
To: firewalls @ GreatCircle . COM

I am administering two firewalls, and I get a high number of spoofing
attempts from the inside of the network, in other words external IP
addresses in our internal network.  We have done a lot of research into this
problem, and we believe most of this traffic is benign; we have not noticed
any malicious activity.

I feel that a lot of this traffic is due to incorrectly configured
workstations or laptops. For instance, I plugged in an unconfigured NT
workstation onto my test environment and I got an entry in my log file
of the address "1.2.3.4" trying to go through the firewall.  Naturally, the
firewall thought this was spoofing.

I would appreciate knowing what other people think about internal spoofing:
am I right to think most of this is due to misconfigurations, and how many
entries would be an "industry standard" for this type of traffic?

Thanks,
Norman J. Morrow
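
One way to triage the kind of log entries described in the message above, as an added example that is not part of the original post: it groups inside-interface sources that fall outside the internal prefixes and separates addresses that usually indicate a mis-set host from those worth a closer look. The log format, the internal prefix, the category names and the sample lines are assumptions constructed for illustration; only 1.2.3.4 comes from the post.

```python
import ipaddress
from collections import defaultdict

# Assumption: the prefixes legitimately routed behind the inside interface.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Heuristic (assumption): sources that usually mean a mis-set host rather than a
# forged packet: unspecified, loopback, link-local, RFC 1918 space unused at this site.
MISCONFIG_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder addresses seen from unconfigured hosts; 1.2.3.4 is the one the post reports.
KNOWN_PLACEHOLDERS = {ipaddress.ip_address("1.2.3.4")}

# Constructed sample in a hypothetical "interface source destination" format.
SAMPLE_LOG = """\
inside 10.20.4.17 198.51.100.9
inside 1.2.3.4 198.51.100.9
inside 1.2.3.4 198.51.100.9
inside 192.168.1.33 198.51.100.20
inside 169.254.12.7 10.20.0.1
inside 203.0.113.50 198.51.100.9
inside 203.0.113.50 198.51.100.77
outside 203.0.113.50 10.20.4.17
"""

def classify(src):
    """Label one source address seen arriving on the inside interface."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in INTERNAL_NETS):
        return "expected"
    if ip in KNOWN_PLACEHOLDERS or any(ip in net for net in MISCONFIG_NETS):
        return "likely-misconfigured"
    return "investigate"

def triage(log_text):
    """Map each unexpected inside source to (category, hits, distinct destinations)."""
    seen = defaultdict(lambda: {"hits": 0, "dsts": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] != "inside":
            continue  # skip malformed lines and other interfaces
        _, src, dst = fields
        if classify(src) != "expected":
            seen[src]["hits"] += 1
            seen[src]["dsts"].add(dst)
    return {s: (classify(s), v["hits"], len(v["dsts"])) for s, v in seen.items()}
```

Sources left in the "investigate" bucket are the ones to trace back to a switch port or MAC address; the split is a sorting aid, not proof that the rest is benign.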

