impossible IP packet

Hi, we have a couple of servers on our network that are sending UDP packets port 137 and 138, NetBIOS, to themselves. The source IP and destination IP are the same and they show up in our IDS as 'impossible ip packets'. I'm wondering if you think something on these servers might have been misconfigured at one time. They're Windows 2003 servers; one is our PDC and the other is a DHCP server. Thank you for any help you may give.

Rossella Mariotti-Jones

Network Analyst, CCNA

Chemeketa Community College / IT

T 503 589 7775

F 503 399 4898

E snipped-for-privacy@chemeketa.edu


Hello

Looks like LAND attacks:

Some Win2003 hosts are known to become unresponsive for some seconds upon reception of these LAND attacks.

Configure your external firewalls to drop packets coming from a range that is behind your firewall (spoofed packets), and see if activity continues. If not, that means these packets are not generated by your servers.

HTH

Maxime Ducharme, Programmer / Network Security Specialist


Another important point

A server that sends a packet to itself won't use network media (i.e. cable) to send the packet since it is local.

If the IDS isn't on the same machine, it should not see these packets, so these are likely to come from somewhere else.

It can be the Internet, or another server. Try to capture the MAC address and see if it is your router or a server.

Good luck :)

Maxime Ducharme, Programmer / Network Security Specialist

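The MAC address check suggested in the reply above, as an added example that is not part of the original thread: it reads raw Ethernet II frames, keeps those whose source and destination IP are identical, and reports which source MAC put them on the wire. The frame builder, the addresses and the `KNOWN_MACS` labels are constructed for illustration; real input would be frames exported from a capture on the segment the IDS watches.

```python
import struct
from collections import Counter

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, udp_dport) for an Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                       # too short, or not IPv4 (VLAN-tagged frames are skipped)
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14] >> 4 != 4 or ihl < 20:
        return None
    dport = None
    if frame[23] == 17 and len(frame) >= 14 + ihl + 4:    # protocol 17 = UDP
        dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    dotted = lambda raw: ".".join(str(b) for b in raw)
    return src_mac, dotted(frame[26:30]), dotted(frame[30:34]), dport

def same_src_dst(frames, known_macs):
    """Count frames whose source and destination IP match, keyed by the MAC that sent them."""
    hits = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[1] == parsed[2]:
            src_mac, src_ip, _, dport = parsed
            hits[(src_ip, dport, src_mac, known_macs.get(src_mac, "unknown"))] += 1
    return hits

def build(src_mac, src_ip, dst_ip, port):
    """Constructed test frame: Ethernet + 20-byte IPv4 + UDP header, checksums left at zero."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    addr = lambda s: bytes(int(p) for p in s.split("."))
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, addr(src_ip), addr(dst_ip))
    return eth + iph + struct.pack("!HHHH", port, port, 8, 0)

# Constructed sample: all addresses and labels below are made up for the example.
KNOWN_MACS = {"02:00:00:00:00:01": "router", "02:00:00:00:00:10": "server NIC"}
SAMPLE = [
    build("02:00:00:00:00:01", "192.0.2.10", "192.0.2.10", 137),   # src == dst, arrived via router
    build("02:00:00:00:00:01", "192.0.2.10", "192.0.2.10", 138),   # src == dst, arrived via router
    build("02:00:00:00:00:10", "192.0.2.10", "192.0.2.255", 138),  # ordinary broadcast from the server
]

if __name__ == "__main__":
    for (ip, port, mac, label), n in same_src_dst(SAMPLE, KNOWN_MACS).items():
        print(f"{n} frame(s) {ip} -> {ip} udp/{port} from MAC {mac} ({label})")
```

A source MAC that maps to the router means the frames were forwarded from another network; one that maps to the server's own NIC means the host itself transmitted them.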
