ISA Intrusion attempted

garpal · Apr 15, 2003

I occassionally get these messages, and most come from larger networks, but today I got one from a 192.168 IP address, which I believe should be someone's internal network. Any clue to the seriousness, or how this address could be the source? Has anyone seen this from this type of address before?

---
ISA Server detected an Internet Protocol (IP) half-scan attack from IP address 192.168.0.101.
---

Thanks in advance

SgtB · Apr 24, 2003

Its called IP spoofing.
When the person fakes the source IP to an address that is not their own. This is done for (D)DOS attacks and such.
For example...
I want to scan your network, but I don't want you to know its me. So I can use a feature in nmap (popular port scanning tool) called a decoy list. It will send a scan from my mamchine to yours. Now you'll see my IP scanning your IP. If I use a decoy list it will send many more scans using spoofed IPs. So it will look like a alot of people are scanning, making it harder for you to find the real attacker.

See what I mean? If not...
Article on Spoofing:

http://securityfocus.com/infocus/1674

Cool upcoming game! Check it out!

http://www.planetside-universe.com

!

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

ISA Intrusion attempted

garpal

Technical User

SgtB

IS-IT--Management

Similar threads

Part and Inventory Search

Sponsor