|Source: Microsoft ISA Server Control|
ISA Server detected a spoof attack from the Internet Protocol (IP) address <ip address>. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.
See ME840681 and ME884496 for details on why this event occurs and how to fix the problem.
As per ME326116, on an ISA server having the external interface configured to have its IP address dynamically assigned from DHCP, you may not be able to renew the IP address on the interface.
This event may appear in the log if the packet filter is currently handling a packet while the IP address was renewing. This causes routing table changes in the operating system. Because ISA Server does spoof detection by comparing the interface on which the packet was received to the interface from which a reply to the originating source would be sent, it would consider this to be a spoofed packet if the two interfaces are different. A hotfix is available.
Some newsgroup posts suggest that this event may occur when you have an internal computer infected with a virus or worm. It is also recommended, if possible, to run a network sniffer (e.g. MS Network Monitor) to detect the source of the spoof.
Occurs when I make a terminal server connection to the server from an external location.
This can occur for several reasons:
1. An attack is being attempted from an outside source.
2. A lot of external networks send out ping requests to see who is out there; these will be registered.
3. A client connects via VPN and is not correctly connected.
Make sure that the defined external interface is not routable by the internal clients except through the ISA server. You can put the External Interface on the DMZ with a network address clearly different from your internal routing network (LAT).
Also, make sure that the external NIC does not have any WINS settings and the NIC is not set to register to the AD DNS. Verify that there is no entry on your WINS server that pertains to the external NIC. The reason for this is that if the external NIC registers to the WINS or the AD DNS, internal nodes will try to connect to the ISA server via the external NIC. ISA will in turn refuse the connection and generate a spoofing error.
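The interface comparison that the comments above describe (reply interface versus receiving interface), as an added Python example that is not ISA Server's code; the routing table, interface names and addresses are constructed, and the second sample packet models an internal node that reached the external NIC through a stray WINS/DNS registration:

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed routing table (prefix, interface). Interface names are assumed.
ROUTES: List[Tuple[str, str]] = [
    ("192.168.0.0/16", "Internal"),   # the LAT, reachable via the internal NIC
    ("0.0.0.0/0", "External"),        # default route towards the Internet
]


def reply_interface(routes: List[Tuple[str, str]], ip: str) -> Optional[str]:
    """Longest-prefix match: the interface a reply to `ip` would be sent from."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


def is_spoof(routes: List[Tuple[str, str]], src_ip: str, received_on: str) -> bool:
    """ISA-style spoof check: the source is treated as spoofed when the reply
    to it would leave on a different interface than the one the packet arrived on."""
    return reply_interface(routes, src_ip) != received_on


def flagged(routes: List[Tuple[str, str]],
            packets: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Run the check over (src_ip, received_on) pairs; return those ISA would log."""
    return [(ip, iface) for ip, iface in packets if is_spoof(routes, ip, iface)]


# Constructed sample packets: (source IP, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("203.0.113.5", "External"),   # ordinary Internet client, reply goes back out External
    ("192.168.1.10", "External"),  # internal node hit the external NIC: flagged
    ("192.168.1.10", "Internal"),  # same node arriving where expected: fine
    ("10.0.0.5", "Internal"),      # no internal route for this source: flagged
]

if __name__ == "__main__":
    for ip, iface in flagged(ROUTES, SAMPLE_PACKETS):
        print(f"spoof detected: {ip} received on {iface}, "
              f"reply would use {reply_interface(ROUTES, ip)}")
```

Adding the offending interface's real subnets to the route list, or stopping internal clients from resolving the external NIC at all, makes the second case disappear; the fourth only goes away once a route to that network exists on the internal side.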
|Links: ME326116, ME840681, ME884496|