[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW-1] AW: [FW-1] How to disable"local interface address spoo fing" logg ing?
> From: Matteo Masserini [mailto: > > We think it might be due to the MSBlast that generates a > d.o.s. attack to Windowsupdate site. > We suppose that probably someone set Windowsupdate=127.0.0.1 > in the DNS to avoid the d.o.s. to this site and so: > > - we have an infected host (207.88..yyy) > - the worm changes the last 2 octets of its address into > 207.88.aaa.bbb and generates traffic to Windowsupdate (127.0.0.1:80) > - the infected host receives the packet on its loopback > interface (127.0.0.1) > - as probably it is not a web server it sends a RST to 207.88.aaa.bbb > > and generates drops on the firewall like the ones you saw yesterday. > > Our problem is to remove these logs (we have milions, some > hosts generate 200 logs/sec) while our customers remove the worm... We had the exact same problem. We never was able to remove these logs so we just blocked the traffic in the nearby router while our customer cleaned their network. Regards, Torkel ================================================= To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail ================================================= To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================= If you have any questions on how to change your subscription options, email [email protected] =================================================
|