Re: (PM) Nailing spoofers

Josh Richards (jrichard@livingston.com)
Thu, 30 Jul 1998 15:17:48 -0700 (PDT)

On 30 Jul 1998, Dick St.Peters wrote:

> Unless I've overlooked something, PMs seem to lack any aids for
> determining which user is spoofing his source IP address.
>
> Twice recently we've had users attempt DOS attacks on sites off our
> network using spoofed source addresses. We filter (and log) to
> prevent anything with a bogus source IP from leaving our network, so
> users trying this don't accomplish anything, but I'd like to catch
> them anyway. While it's easy to know what box they're on, finding
> what port they're on is frustratingly difficult.
>
> I caught one with a lucky guess and a RADIUS filter, but the other is
> still out there somewhere.

(1) Create basically the same filter you are using on your outbound router
already (the router that you have that is filtering source spoof attempts
already) on each one of your PMs but in reverse--e.g. change the permits
to denys (you'll see why next) and vice versa.

(2) Using that filter do a "ptrace <filter_name> extended" which will show
you the interface the packet came in on.

-jr

----
Josh Richards - <jrichard@livingston.com> - <josh@lucent.com>
[Beta Engineer] - LUCENT Technologies - Remote Access Business Unit
<URL:http://www.livingston.com/> * <URL:http://www.lucent.com/dns/>
