From owner-freebsd-security Mon Nov 15 3:42:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sanson.reyes.somos.net (freyes.static.inch.com [207.240.212.43])
    by hub.freebsd.org (Postfix) with ESMTP id 1D73014F70
    for ; Mon, 15 Nov 1999 03:42:30 -0800 (PST)
    (envelope-from fran@reyes.somos.net)
Received: from tomasa (tomasa.reyes.somos.net [10.0.0.11])
    by sanson.reyes.somos.net (8.9.3/8.9.3) with SMTP id GAA50607;
    Mon, 15 Nov 1999 06:40:00 -0500 (EST)
    (envelope-from fran@reyes.somos.net)
Message-Id: <199911151140.GAA50607@sanson.reyes.somos.net>
From: "Francisco Reyes"
To: "freebsd-security@FreeBSD.ORG"
Cc: "Brian Somers"
Date: Mon, 15 Nov 1999 06:38:13 -0500
Reply-To: "Francisco Reyes"
X-Mailer: PMMail 98 Professional (2.01.1600) For Windows 98 (4.10.1998)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Is this an attack? ICMP packets coming from my own IP
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Some days back I ran a news server, Leafnode++, for 2 days. The
server got hijacked because I failed to secure it. Ever since I have
been paying close attention to my logs.

I have ICMP packets enabled, but I log them. Last night I noticed
numerous ICMP packets, but the ones that worried me the most were
some coming from an IP which is the IP I use on that box:
207.240.212.43

Is this some form of attack?

ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0

How can they forge my own IP?
Should I mention this to my ISP?

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
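
Added example (not part of the original post, and not ipfw's own code): a Python triage of log lines in the format quoted in the message. It separates self-addressed ICMP packets that this host logged leaving the interface before they came back from inbound ones with no outbound counterpart. The function names and the rule of pairing each inbound packet with the previous self-addressed outbound one are assumptions made for illustration.

```python
import re
from collections import Counter

# ICMP (type, code) pairs that appear in the post; names per RFC 792.
ICMP_NAMES = {(8, 0): "echo-request", (0, 0): "echo-reply"}

# ipfw log format as quoted in the post; search() tolerates a syslog prefix.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

# The six log lines quoted in the post.
SAMPLE_LOG = """\
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:0.0 207.240.212.43 207.240.212.43 in via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 out via tun0
ipfw: 3100 Accept ICMP:8.0 207.240.212.43 207.240.212.43 in via tun0
"""

def parse(line):
    """Return the fields of one ipfw ICMP log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["icmp"] = (int(rec["type"]), int(rec["code"]))
    return rec

def triage_self_addressed(log_text):
    """Count packets whose source equals their destination, by ICMP kind.

    'out'          : logged leaving the interface
    'looped'       : inbound, and the previous self-addressed packet was the
                     same ICMP kind going out on the same interface
    'unmatched_in' : inbound with no such outbound packet before it
    """
    counts, prev_out = Counter(), None
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["src"] != rec["dst"]:
            continue
        name = ICMP_NAMES.get(rec["icmp"], "other")
        if rec["dir"] == "out":
            counts[(name, "out")] += 1
            prev_out = rec
            continue
        looped = prev_out is not None and all(
            prev_out[k] == rec[k] for k in ("icmp", "src", "iface"))
        counts[(name, "looped" if looped else "unmatched_in")] += 1
        prev_out = None
    return dict(counts)
```

On the six quoted lines every inbound packet pairs with an outbound one logged just before it; an `unmatched_in` count is the case that would call for a closer look at where the packet came from.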