IP spoof messages in firewall logs


Hi all,

I'm wondering if anyone can help me with this. I'm seeing the following
message in our SonicWALL logs:

-------------------------
Alert - Intrusion Prevention - IP spoof dropped - 10.0.0.1, 137, X0 - <IP
address of WINS server>, 137, X1 - MAC address: <MAC address of primary NIC>
-------------------------

Background info:
The server is part of a failover cluster. There are two network cards in
the server. The primary card handles regular network traffic. The secondary
card talks to the partner server's secondary card over a crossover cable
(addresses are 10.0.0.1 and 10.0.0.2). For the secondary card, only an IP
and subnet mask are specified. No DNS or WINS entries exist.

One of the SonicWALL support documents mentions that "bugs in Windows
operating systems can cause IP spoofs. The bugs occur when the PC has more
than one network interface installed." Does anyone know of these bugs?

Thanks,
Mike
 
I don't know about a "bug" but I do know that if you have two NICs in the
same address range you will have problems.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Thanks for the reply Richard. My apologies, I didn't specify that the
primary card has an address in a different range than the secondary card.

Server 1
Primary card: x.x.x.x (used for normal network traffic)
Secondary card: 10.0.0.1 (connected to Server 2 using a x-over cable to
secondary card)

Server 2
Primary card: x.x.x.x (used for normal network traffic)
Secondary card: 10.0.0.2 (connected to Server 1 using x-over cable to
secondary card)

Perhaps I'm reading it wrong, but looking at the entry in the firewall log,
it appears that traffic from the secondary card is attempting to contact the
WINS server through the primary card (the MAC address listed in the log
belongs to the primary card).

Thanks,
Mike
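
One way to test the reading in the post above across a whole log export, as an added example that is not part of the original thread: parse each "IP spoof dropped" entry and check whether the logged MAC belongs to a NIC whose host owns the source address on a different interface. The field order is assumed from the single line quoted in the thread; the inventory, host names, 192.0.2.x addresses and MAC addresses are constructed placeholders.

```python
import re
from collections import namedtuple

# Assumed field order: src IP, src port, iface - dst IP, dst port, iface - MAC
SPOOF_RE = re.compile(
    r"IP spoof dropped - (?P<src>[\d.]+), (?P<sport>\d+), (?P<in_if>\w+) - "
    r"(?P<dst>[\d.]+), (?P<dport>\d+), (?P<out_if>\w+) - "
    r"MAC address: (?P<mac>[0-9A-Fa-f:.-]+)")

Nic = namedtuple("Nic", "host role ip")

# Constructed inventory (MAC -> NIC); every address and MAC here is a placeholder.
INVENTORY = {
    "00:00:5e:00:53:01": Nic("server1", "primary", "192.0.2.21"),
    "00:00:5e:00:53:02": Nic("server1", "heartbeat", "10.0.0.1"),
    "00:00:5e:00:53:11": Nic("server2", "primary", "192.0.2.22"),
    "00:00:5e:00:53:12": Nic("server2", "heartbeat", "10.0.0.2"),
}

def norm_mac(mac):
    # Lower-case and strip separators so 00-00-5E.. and 00:00:5e.. compare equal.
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def classify(line, inventory=INVENTORY):
    """Describe one spoof-drop line, or return None for any other log entry."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    by_mac = {norm_mac(k): nic for k, nic in inventory.items()}
    sender = by_mac.get(norm_mac(m["mac"]))
    if sender is None:
        verdict = "unknown-mac"            # frame came from a NIC we do not track
    elif sender.ip == m["src"]:
        verdict = "address-matches-nic"    # source is this NIC's own address
    elif any(n.host == sender.host and n.ip == m["src"] for n in inventory.values()):
        verdict = "multihomed-leak"        # host's other NIC address sent out this NIC
    else:
        verdict = "foreign-source"         # source address not owned by this host
    return {"src": m["src"], "host": sender.host if sender else None, "verdict": verdict}

# Constructed sample lines in the format shown in the thread.
PREFIX = "Alert - Intrusion Prevention - IP spoof dropped - "
SAMPLE_LOG = [
    PREFIX + "10.0.0.1, 137, X0 - 192.0.2.10, 137, X1 - MAC address: 00:00:5E:00:53:01",
    PREFIX + "10.0.0.2, 137, X0 - 192.0.2.10, 137, X1 - MAC address: 00-00-5E-00-53-11",
    PREFIX + "172.16.5.9, 445, X0 - 192.0.2.10, 445, X1 - MAC address: 00:00:5E:00:53:99",
]

def summarize(lines=SAMPLE_LOG):
    return [row for row in map(classify, lines) if row is not None]
```

A "multihomed-leak" verdict means the source address and the sending MAC belong to two different NICs of the same host, which is the situation described in the post; the other verdicts need a different explanation.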

 
Honestly, you've got me at this point. Not knowing what your security
device is, and not having a great deal of time to research it, I would
assume that the problem is because it's seeing both of the network cards
with the same name at different addresses and thus diagnosing it as a spoof
attempt.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)


 