Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Spoofed source address in wg firewall log

Posted on 2009-06-30
4
Medium Priority
?
484 Views
Last Modified: 2013-11-16
Scenario same machine with WG Fb100 mgnt console one nic card with static IP:
nbtstat -a "servername" shows a node using the spoofed address 169.254.65.133 for "lan address 2", which doesnt' exist when you look under nw connections.  Both the real IP and spoofed address info displayed reflect the same IP address.  The machine on ly has one nic card.  RRAS and any other service I can think of that could relate to this disabled/not running.  Machine is server 2k2.   WG example below of logged spoofed.  I'm not sure how else to troublehsoot this.  THe machine is running acronis mgmt console as well as vmware converter and a smtp service for avya unified messging sytem.  The entries were numerous in the firewall this a.m. and our internet slows down, but all the sudden stopped.   Any suggestion of where else on board to post this question, also, plese let me know.  
spoofed.bmp
0
Comment
Question by:dee30
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 23

Expert Comment

by:Mohamed Osama
ID: 24746870
Are you sure this is not related to perhaps VMWARE virtual NAT / NIC settings ?
 
0
 
LVL 12

Expert Comment

by:jahboite
ID: 24753443
On the one hand, I would say that the source IP address looks like an APIPA configured address and would hint that the machine in question was unable to contact your DHCP server for a proper IP address (read more about APIPA at http://blogs.technet.com/networking/archive/2009/01/29/dhcp-client-behavior.aspx).

On the other hand, it seems mighty suspicious that the source would contact hosts on the internet via UDP 137 (NETBIOS Name Service)
0
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 1500 total points
ID: 24800151
not necessarily,

enabling TCP/IP over Netbios can also cause this, it's essential for Exchange and other MSost apps in some cases

the ip range is apipa

Jfer
0
 

Author Closing Comment

by:dee30
ID: 31598386
You're right about the netbios explanation on the UDP 137 port, while I haven't completely resolved the issue(s), so far.  Accepting and closing question, though.  Thx
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You cannot be 100% sure that you can protect your organization against crypto ransomware but you can lower down the risk and impact of the infection.
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question