I am administering two firewalls, and I get a high number of spoofing
attempts from the inside of the network, in other words external IP
addresses in our internal network. We have done a lot of research into this
problem, and we believe most of this traffic is benign; we have not noticed
any malicious activity.
I feel that a lot of this traffic is due to incorrectly configured
workstations or laptops. For instance, I plugged an unconfigured NT
workstation into my test environment and I got an entry in my log file
of the address "220.127.116.11" trying to go through the firewall. Naturally, the
firewall thought this was spoofing.
I would appreciate knowing what other people think about internal spoofing:
am I right to think most of this is due to misconfigurations, and how many
entries would be an "industry standard" for this type of traffic?
Norman J. Morrow