IP spoof attack?

  1. #1
    Registered User HIESLanMan's Avatar
    Join Date
    Feb 2001
    Location
    Atlanta, GA
    Posts
    154

    Post IP spoof attack?

    I think I may be under attack. My ISA server has been giving me lots and lots of messages for a couple of weeks saying that it's getting bad packets, which may indicate an IP spoofing attack. I had largely ignored the messages because I figured I just had a bad configuration somewhere (I just set up this server as a backup to an MS Proxy server). But after looking more closely at the logs and doing some more reading, I think I may have an actual attack. I keep getting messages in Event Viewer like the following:

    [quote] The ISA Server services cannot create a packet filter 208.185.101.168.
    This event occurs when there is a conflict between the Local Address Table (LAT) configuration and the Windows 2000 routing table. Check the routing table and the LAT to find the source of the conflict. [/quote]

    [quote] ISA Server detected a spoof attack from Internet Protocol (IP) address 208.255.29.200. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log. [/quote]

    These come from two or three addresses, and the addresses change every day or so. The attacks are concentrated during varying time periods. E.g., on 2-24 I was flooded with these messages between 1:33 pm and 1:54 pm, and again at 11:58 pm and 2:55 am. On 2-23 I got them from 8:18 pm to 8:29 pm, from 12:44 pm to 1:19 pm, and for varying lengths around 9:40 am, 7:30 am, and 2:40 am. I also got them pretty much continuously between the 21st and the 22nd.

    I’m not absolutely sure this is the result of an attack, rather than some configuration error. But it sure would explain the big spikes in usage! My next step: hit my Cisco books again and make an access list to stop inside addresses coming from the outside, and outside addresses coming from the inside.

    Has anyone had any experience with this, or ideas that might help? My network is at a crawl right now, and I'd really like to get it back up and useful again.
    a LARTing we will go
    a LARTing we will go
    hi-ho the derrio
    a LARTing we will go

  2. #2
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403

    Post

    Assuming that this machine is the one the attack is coming from, a tracert shows the following:

    8 10 ms 10 ms 9 ms POS5-1.BR1.NYC9.ALTER.NET [204.255.169.93]
    9 11 ms 10 ms 9 ms 0.so-5-2-0.XL1.NYC8.ALTER.NET [152.63.19.54]
    10 10 ms 11 ms 9 ms 0.so-1-0-0.TL1.NYC8.ALTER.NET [152.63.0.137]
    11 53 ms 30 ms 31 ms 0.so-5-1-0.TL1.CHI2.ALTER.NET [146.188.163.169]
    12 145 ms 119 ms 51 ms 0.so-2-0-0.XL1.CHI2.ALTER.NET [152.63.67.126]
    13 37 ms 31 ms 56 ms 0.so-7-0-0.XR1.CHI2.ALTER.NET [152.63.67.130]
    14 43 ms 41 ms 72 ms 193.at-2-0-0.XR1.CMH2.ALTER.NET [152.63.66.206]
    15 47 ms 44 ms 45 ms 189.ATM5-0.GW2.CMH2.ALTER.NET [152.63.66.137]
    16 49 ms 43 ms 48 ms abercrombie-gw.customer.alter.net [157.130.126.70]
    17 55 ms 42 ms 51 ms 208.255.29.200

    So it looks like a machine on that network is trying to do something with your server. I honestly don't know what, but it looks like an exploit meant to get in or to DOS you. The fact that you get a message stating that it is an exploit would indicate that it is an attack. Again – I am not 100%

    208.255.29.200 is a machine on the net and is hosted by WorldCom/UUNET. It is the website for Abercrombie and Fitch: http://208.255.29.200/ Perhaps the machine is compromised and is being used as a platform to attack your network. I really wish I knew more and could give you more help. As it is a known server, I would not go about trying to do anything not legal to stop the attack. Contact the webmaster and see if they can tell you anything, and contact the webmaster of www.alter.net and give them the tracert of the attacking IP. If they care as much as other ISPs, they will do nothing.

    I think that you can configure the router to “not accept” packets of certain types to filter this sort of traffic.

  3. #3
    Chat Operator Matridom's Avatar
    Join Date
    Jan 2002
    Location
    Ontario, Canada
    Posts
    3,778

    Post

    [quote] The ISA Server services cannot create a packet filter 208.185.101.168.
    This event occurs when there is a conflict between the Local Address Table (LAT) configuration and the Windows 2000 routing table. Check the routing table and the LAT to find the source of the conflict. [/quote]

    This is something YOU NEED to fix. Basically, ISA Server has a list of IPs that are on the public network (i.e. the Internet) and a list of IPs that are private (i.e. your network). This error occurs when you have an IP in your LAT (Local Address Table) that is NOT in your internal network. I would recommend rebuilding your LAT in the ISA manager and reviewing what IPs are on it. Make sure that your EXTERNAL NIC is NOT chosen when building the list.
    <Ferrit> Take 1 live chicken, cut the head off, dance around doing the hokey pokey and chanting: GO AWAY BAD VIRUS, GO AWAY BAD VIRUS
    -----------------------
    Windows 7 Pro x64
    Asus P5QL Deluxe
    Intel Q6600
    nVidia 8800 GTS 320
    6 gigs of Ram
    2x60 gig OCZ Vertex SSD (raid 0)
    WD Black 750 gig
    Antec Tri power 750 Watt PSU
    Lots of fans

  4. #4
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403

    Post

    I forgot to mention the mantra - update everything with the latest service packs and the latest security updates from M$!

  5. #5
    Registered User HIESLanMan's Avatar
    Join Date
    Feb 2001
    Location
    Atlanta, GA
    Posts
    154

    Post

    [quote] This is something YOU NEED to fix. Basically, ISA Server has a list of IPs that are on the public network (i.e. the Internet) and a list of IPs that are private (i.e. your network). This error occurs when you have an IP in your LAT (Local Address Table) that is NOT in your internal network. I would recommend rebuilding your LAT in the ISA manager and reviewing what IPs are on it. Make sure that your EXTERNAL NIC is NOT chosen when building the list. [/quote]

    I'm not in front of my server now, so I can't double-check, but I think I've only got my local addresses in my LAT (192.168.x.x, 127.0.0.1). That's the way I remember seeing it, but it's certainly an easy thing to check. I hope it's that easy!
    Thanks for doing the tracert. I hadn't even gotten that far, as my mail server ran out of space just as I was beginning research (okay, time to set up some alerts as well; live and learn).
    If it is an attack, I should be able to stop it at the router with an access list, although this still might have the effect of a DOS. If so, our ISP should be able to stop it at THEIR router, if I can get past tier I support. Thanks everyone!
    a LARTing we will go
    a LARTing we will go
    hi-ho the derrio
    a LARTing we will go
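The three checks this thread turns on (ISA's "source not reachable via the receiving interface" spoof rule, the inside/outside access list the original poster plans to write in post #1, and the LAT-versus-routing-table conflict described in post #3) can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not ISA Server or Cisco IOS code, and the interface names, routing table, LAT entries and Event Viewer lines are all constructed sample data (TEST-NET addresses such as 203.0.113.5 stand in for real public hosts).

```python
"""Model of the anti-spoofing checks discussed in the thread.

Added example, not ISA Server or Cisco IOS code.  It models the rule ISA
applies ("source address not reachable via the interface the packet arrived
on"), the ingress/egress access list the original poster plans to write,
the LAT-versus-routing-table conflict from reply #3, and a tiny Event Viewer
triage.  Topology, routes, LAT and event lines are constructed sample data.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, interface).  Longest prefix wins.
ROUTES = [
    (ip_network("0.0.0.0/0"), "external"),       # default route to the ISP
    (ip_network("192.168.0.0/16"), "internal"),  # the LAN behind ISA
    (ip_network("127.0.0.0/8"), "loopback"),
]

# Sources that must never arrive on the external interface: our own LAN,
# loopback, and the rest of the RFC 1918 / bogon space.
INTERNAL_AND_BOGON = [ip_network(n) for n in (
    "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8", "0.0.0.0/8")]

# Constructed Event Viewer lines in the format the poster quoted.
SAMPLE_EVENTS = [
    "ISA Server detected a spoof attack from Internet Protocol (IP) address 203.0.113.5.",
    "ISA Server detected a spoof attack from Internet Protocol (IP) address 203.0.113.5.",
    "ISA Server detected a spoof attack from Internet Protocol (IP) address 198.51.100.9.",
    "The ISA Server services cannot create a packet filter 203.0.113.10.",
]
SPOOF_RE = re.compile(r"spoof attack from Internet Protocol \(IP\) address (\d+(?:\.\d+){3})")


def egress_interface(ip, routes=ROUTES):
    """Return the interface the routing table would use to reach `ip`
    (longest-prefix match), or None if no route covers it."""
    ip = ip_address(ip)
    best = None
    for prefix, iface in routes:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def is_spoofed(src, ingress_iface, routes=ROUTES):
    """ISA's rule: the source is spoofed if the reverse path back to it does
    not leave through the interface the packet arrived on (the uRPF idea)."""
    return egress_interface(src, routes) != ingress_iface


def acl_decision(src, ingress_iface):
    """Router ACL equivalent of the poster's plan: on the outside interface
    deny inside/bogon sources; on the inside interface deny sources that are
    not inside addresses.  Returns (action, reason)."""
    ip = ip_address(src)
    if ingress_iface == "external":
        if any(ip in net for net in INTERNAL_AND_BOGON):
            return ("deny", f"inside/bogon source {src} arrived from outside")
        return ("permit", "outside source on outside interface")
    if ingress_iface == "internal":
        if ip in ip_network("192.168.0.0/16"):
            return ("permit", "inside source on inside interface")
        return ("deny", f"outside source {src} leaving from inside")
    return ("deny", f"unknown interface {ingress_iface}")


def lat_conflicts(lat_entries, routes=ROUTES):
    """Reply #3's problem: a LAT entry that the routing table reaches through
    the external interface conflicts with the table.  Returns the offenders."""
    return [e for e in lat_entries
            if egress_interface(ip_network(e).network_address, routes) == "external"]


def spoof_sources(event_lines):
    """Count spoof events per reported source address, the first triage step
    before deciding whether to filter at the router or call the ISP."""
    counts = Counter()
    for line in event_lines:
        m = SPOOF_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    for src, iface in [("192.168.1.10", "external"), ("203.0.113.5", "external"),
                       ("203.0.113.5", "internal"), ("127.0.0.1", "external")]:
        print(f"{src:>14} on {iface:<8} spoofed={is_spoofed(src, iface)!s:<5} acl={acl_decision(src, iface)}")
    # Constructed LAT: correct LAN entries plus one public range that should not be there.
    print("LAT conflicts:", lat_conflicts(["192.168.0.0/16", "127.0.0.1/32", "203.0.113.0/24"]))
    print("spoof events by source:", dict(spoof_sources(SAMPLE_EVENTS)))
```

The `is_spoofed` check is what the ISA event actually reports; `acl_decision` is the router-side filter the poster plans to build, and it is deliberately stricter than the ISA rule (it drops all private and bogon space on the outside interface, not only the local LAN). `lat_conflicts` finds exactly the situation reply #3 describes: an address listed as internal that the Windows routing table would send out of the external NIC.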
