Security Basics mailing list archives
Re: **SPAM** Re: Please help with this strangeness
From: Michael Thompson <mike () thompsonmike co uk>
Date: Fri, 16 Jan 2004 19:07:31 +0000
Hello JGrimshaw,

On Thu, 15 Jan 2004, at 12:31:14 [GMT -0600] (which was 18:31 in my TimeZone) you wrote:

> It would seem that if .69 is sending out these pings, which you say is the router.

Correct.

> There would appear to be something else going on, so I am guessing you have private addresses internally and they are being NATed?

That is correct, every machine runs thru NAT.

> How is the router connected?

How do you mean? It is a Linux box connected to an ADSL modem. Just noticed in the ADSL modem config (DLink DSL-300G+) it lists the following info:

IP Address: 81.174.224.69
Gateway: 81.174.224.70

Don't know if that matters.

> I do not understand how the IP address of the router is connecting to anything other than a point-to-point (if my /30 suggestion is true, which it probably is not) with another IP in the same range. You have said the .70 is associated with another server that is not in use, so my guess is that the router is not connected to it. So I am not sure what to think about that--can you provide more details? Make up numbers if you like, or use x.x.x.x and depict subnets.

Internal Subnet is 255.255.255.0
Private address in ranges of 192.168.1.0/24

> If the router has this .69 address, I would expect then that everyone is being NATed to use that address to access the internet? Are you using NAT overload?

They are using NAT, yes, but I am not sure that it is overload. Don't really understand that.

> If this is the case, you may wish to sniff the internal segment and see where the ICMPs are coming from--having an IDS on the outside will not determine the internal source IP address, just the NATed one.

I have run snort internally as well, and ethereal, and they have not picked up on this. Seems to be truly external.

--
Best regards,
Michael
http://www.thompsonmike.co.uk/
PGP KeyID := 0xA9547E32
How come wrong numbers are never busy?
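The inside/outside comparison suggested in the quoted advice, as an added example that is not part of the original message: it matches ICMP echo requests seen on the external side against an internal capture to tell NATed client pings from pings the router sends itself. It assumes `tcpdump -n -tt` text captures from the router's internal and external interfaces and that NAT leaves the ICMP id and sequence number unchanged; the function names and capture lines are constructed for illustration.

```python
import re

# tcpdump -n -tt text output for an ICMP echo request (assumed capture format).
ECHO_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+)")

def parse_echo_requests(lines):
    """Return one dict per echo request line; other traffic is ignored."""
    pkts = []
    for line in lines:
        m = ECHO_RE.match(line.strip())
        if m:
            pkts.append({"ts": float(m["ts"]), "src": m["src"],
                         "key": (m["dst"], int(m["id"]), int(m["seq"]))})
    return pkts

def attribute_pings(inside, outside, nat_ip, window=1.0):
    """For each outside echo request sent from nat_ip, return
    (dst, id, seq, origin): origin is the inside source address whose packet
    with the same (dst, id, seq) left at most `window` seconds earlier, or
    "router" when the inside capture has no such packet."""
    inside_pkts = parse_echo_requests(inside)
    results = []
    for pkt in parse_echo_requests(outside):
        if pkt["src"] != nat_ip:
            continue
        origin = "router"
        for cand in inside_pkts:
            if cand["key"] == pkt["key"] and 0 <= pkt["ts"] - cand["ts"] <= window:
                origin = cand["src"]
                break
        results.append(pkt["key"] + (origin,))
    return results

# Constructed sample captures (documentation addresses, not data from the thread).
INSIDE = [
    "1074279600.100000 IP 192.168.1.23 > 198.51.100.7: ICMP echo request, id 4321, seq 1, length 64",
    "1074279600.130000 IP 198.51.100.7 > 192.168.1.23: ICMP echo reply, id 4321, seq 1, length 64",
]
OUTSIDE = [
    "1074279600.100400 IP 81.174.224.69 > 198.51.100.7: ICMP echo request, id 4321, seq 1, length 64",
    "1074279601.000000 IP 81.174.224.69 > 203.0.113.9: ICMP echo request, id 77, seq 5, length 64",
]

if __name__ == "__main__":
    for row in attribute_pings(INSIDE, OUTSIDE, "81.174.224.69"):
        print(row)
```

An origin of "router" means only that no matching packet crossed the internal interface during the capture, so both captures need to cover the same time span.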
Current thread:
- Please help with this strangeness Michael Thompson (Jan 15)
- RE: Please help with this strangeness David Gillett (Jan 15)
- Re: Please help with this strangeness JGrimshaw (Jan 15)
- Re: **SPAM** Re: Please help with this strangeness Michael Thompson (Jan 16)
- RE: Please help with this strangeness Burton M. Strauss III (Jan 16)
- <Possible follow-ups>
- RE: Please help with this strangeness Shawn Jackson (Jan 15)
- Re[2]: Please help with this strangeness Michael Thompson (Jan 16)