Re: [FW-1] Loopback address spoofing

Subject:	Re: [FW-1] Loopback address spoofing
From:	"Goldoff, Erik" <egoldoff AT HBHAM DOT COM>
To:	FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date:	Tue, 24 Feb 2004 13:39:21 -0500

Sounds like the LAN-D attack symptoms

Erik Goldoff
Systems Manager
The HoneyBaked Ham Company




> -----Original Message-----
> From: Mark Pays [mailto:mark.pays AT GTA-TRAVEL DOT COM]
> Sent: Friday, February 20, 2004 1:35 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Loopback address spoofing
> 
> 
> I can see the very same thing happening to one of my 
> firewalls. It looks
> like some kind of attempt to spoof the loopback address. Run 
> a tcpdump and
> use -e to show ethernet source and dest MAC addresses. (I 
> used tcpdump -n -e
> -i eth4c0 host 127.0.0.1). When I did this the packets 
> claiming to be from
> 127.0.0.1 are actually originating from the internet router 
> MAC address. I
> don't think it's of great concern as the firewall is dropping all the
> packets but I'd be interested to hear if anyone knows anymore about it
> though..
> -----Original Message-----
> From: José María Gabaldón [mailto:jgabaldon AT CYBERTECHPROJECTS DOT COM] 
> Sent: 20 February 2004 15:48
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] Loopback address spoofing
> 
> 
> Hi guys,
> 
> I have a little problem, we have a Solaris running Check 
> Point NG FP3, and
> everything works fine. However in the logs we get continously 
> (maybe every
> 20 seconds or so) a drop log message that says:
> Source: localhost
> Destination: FW_EXTERNAL_IP_ADDRESS
> Source port: http
> Action: DROP
> Reason: Loopback address spoofing.
> 
> I guess what does this log entry means, could be some 
> internal hacker trying
> to really spoof the loopback address of the firewall?, or 
> maybe is just a
> misconfiugration?. If so, how can I troubleshoot the problem?
> 
> I hope you can help me, thanks in advance! 
> _______________________________
> 
> José María Gabaldón
> Network Security Engineer
> email: jgabaldon AT cybertech.com DOT ve
> www.cybertech.com.ve
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
> 
> 
> --------------------------------------------------------------
> ----------------
> The opinions expressed within this email represent those of the
> individual and not necessarily those of Gullivers Travel 
> Associates (GTA).
> 
> This email and any files transmitted with it are confidential 
> and intended solely for the use of the individual or entity 
> to whom they are addressed.
> If you have received this email in error please notify 
> postmaster AT gta-travel DOT com.
> 
> Should you wish to use email as a form of communication, GTA 
> are unable to
> guarantee the security of email content outside of our own 
> computer systems.
> 
> 
> ______________________________________________________________________
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email 
> ______________________________________________________________________
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
> 

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

<Prev in Thread]	Current Thread	[Next in Thread>
[FW-1] Loopback address spoofing, José María Gabaldón Re: [FW-1] Loopback address spoofing, Demetrio Leon Guerrero (DLG) Re: [FW-1] Loopback address spoofing, Mark Pays Re: [FW-1] Loopback address spoofing, Crist Clark Re: [FW-1] Loopback address spoofing, Pendergrass, Greg Re: [FW-1] Loopback address spoofing, Covington, Chris Re: [FW-1] Loopback address spoofing, Crist Clark Re: [FW-1] Loopback address spoofing, Lars Higham Re: [FW-1] Loopback address spoofing, Edwin Davidson Re: [FW-1] Loopback address spoofing - explained, Edwin Davidson Re: [FW-1] Loopback address spoofing, Goldoff, Erik <=

Previous by Date:	[FW-1] User Authentication and HTTPS issue, Layne Meier
Next by Date:	Re: [FW-1] Loopback address spoofing, Crist Clark
Previous by Thread:	Re: [FW-1] Loopback address spoofing - explained, Edwin Davidson
Next by Thread:	[FW-1] FW: <No Subject>, Attila Szelezsan
Indexes:	[Date] [Thread] [Top] [All Lists]