IDS mailing list archives

Re: possible causes of source and destination ip from external network


From: Mike Frantzen <frantzen () w4g org>
Date: Tue, 22 Jun 2004 09:38:27 -0400

What would be the possible causes of an IDS alert that shows both the source IP and
the destination IP from an external network? Also, why did the router route this
packet in the first place?
 
#1 Forged source IP addresses.  Probably someone internal infected with
a UDP-based worm or a DoS.

#2 Your DHCP server was on the fritz.  DHCP clients will return to their
last known config if they can't find any DHCP servers on the network.
Typically someone brought their laptop from home or just got back from a
business trip.  The packet shouldn't be routed past the local network in
this case.  Do a reverse lookup or an ARIN whois on the source IP; is it
a DSL/cable provider or a hotel chain?

#3 Someone put their laptop in hibernation on one network and awoke the
laptop on yours.

#4 Older Windows.  I've seen older Windows machines (again, laptops)
mysteriously and spuriously start sending traffic with one of their past
IP addresses (after repeated reboots).  It's been a while, but IIRC it was
sent to the MAC address of the right gateway.


At the least you should make sure you have some type of egress filtering
on your external firewall or router.

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28
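One way to triage such alerts from an internal sensor's flow log and to express the egress rule recommended above, as an added example that is not from the original thread; the local prefixes, MAC addresses and flow records are constructed for illustration:

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's own address space (constructed for this example).
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "10.10.0.0/16")]

# Constructed flow records as an internal sensor might log them:
# (source MAC, source IP, destination IP, protocol).
FLOWS = [
    ("00:11:22:33:44:01", "192.0.2.10",    "198.51.100.5",  "tcp"),  # normal
    ("00:11:22:33:44:02", "203.0.113.77",  "198.51.100.5",  "tcp"),  # one stable foreign src
    ("00:11:22:33:44:02", "203.0.113.77",  "198.51.100.9",  "tcp"),
    ("00:11:22:33:44:03", "203.0.113.1",   "198.51.100.20", "udp"),  # many foreign srcs
    ("00:11:22:33:44:03", "198.51.100.2",  "198.51.100.21", "udp"),
    ("00:11:22:33:44:03", "203.0.113.200", "198.51.100.22", "udp"),
]

SPOOFING = "forged source IPs (spoofing: check host for worm/DoS)"
STALE = "single foreign source (stale DHCP lease or travelling laptop)"


def is_local(ip: str) -> bool:
    """True if the address falls inside one of our own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_PREFIXES)


def egress_decision(src_ip: str) -> str:
    """Egress filter at the edge router/firewall: only packets carrying
    a local source address are allowed to leave the network."""
    return "permit" if is_local(src_ip) else "deny"


def triage(flows):
    """Group external-to-external flows by the MAC that emitted them.
    Several distinct foreign source IPs from one MAC look like spoofing;
    one stable foreign source IP looks like a stale address on a host."""
    foreign_srcs = defaultdict(set)
    for mac, src, dst, _proto in flows:
        if not is_local(src) and not is_local(dst):
            foreign_srcs[mac].add(src)
    return {mac: (SPOOFING if len(srcs) > 1 else STALE)
            for mac, srcs in foreign_srcs.items()}


if __name__ == "__main__":
    for mac, verdict in triage(FLOWS).items():
        print(mac, "->", verdict)
```

The verdict for a single stable foreign source can be confirmed the way the reply suggests: a reverse lookup or whois on that address to see whether it belongs to a DSL/cable provider or a hotel chain.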
