New Member

IDS SIG 1104

We have a Cisco 2611 running firewall and IDS software. We are receiving SIG 1104 Localhost Source Spoof on all of our outside IP addresses. Is there any way to detect where this attack is coming from? Or could someone explain in detail how this attack is defended against?

Thank you

1 REPLY
New Member

Re: IDS SIG 1104

This is just a theory; however, it is the only theory I have been able to find so far: http://cert.uni-stuttgart.de/archive/intrusions/2003/08/msg00209.html

You may want to read the following threads:

1. RSTs from TCP 83 3389 7000 - Fixed ack and dport - Multiple sources

2. Re: RSTs from TCP 83 3389 7000 and Port 80 Increase

3. port 80 increase

Archives of these threads can be found here:

http://cert.uni-stuttgart.de/archive/intrusions/2003/12/threads.html

The only way to trace it is to go from segment to segment with a sniffer until you find that the source MAC address is no longer a router gateway, then clean the virus off of the device.

Your ISP could be routing 127.0.0.x on the outside interface. Ask them to drop the packets in an ACL.

Let me know if this has answered your question.

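The segment-by-segment trace described in the reply above, as an added example that is not part of the original thread: it reads raw Ethernet frames from a sniffer, picks out those with a 127.0.0.0/8 source, and reports whether each source MAC is a known router gateway. The function names, MAC addresses and sample frames are constructed for illustration, and the code assumes untagged Ethernet carrying IPv4.

```python
import ipaddress
import struct
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def loopback_source(frame):
    """Return (src_mac, src_ip) if frame is IPv4 with a 127/8 source, else None."""
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte minimum IPv4 header
        return None
    if frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:  # untagged IPv4 only
        return None
    src = ipaddress.ip_address(frame[26:30])
    if src not in LOOPBACK:
        return None
    return frame[6:12].hex(":"), str(src)

def trace_report(frames, gateway_macs):
    """Per source MAC: (count of spoofed frames, True if MAC is a known router)."""
    gateways = {m.lower() for m in gateway_macs}
    hits = Counter()
    for frame in frames:
        hit = loopback_source(frame)
        if hit:
            hits[hit[0]] += 1
    return {mac: (n, mac in gateways) for mac, n in hits.items()}

def build_frame(src_mac, src_ip, dst_ip):
    """Constructed sample: Ethernet header + bare IPv4 header (checksum left 0)."""
    eth = bytes.fromhex("00005e005301") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip

# Constructed capture: made-up MACs, documentation IP ranges as destinations.
ROUTER_MAC = "00:00:5e:00:53:10"   # assumed: MAC of the segment's router gateway
HOST_MAC = "00:00:5e:00:53:42"     # assumed: MAC of an ordinary host
SAMPLE = [
    build_frame(ROUTER_MAC, "127.0.0.1", "192.0.2.10"),
    build_frame(HOST_MAC, "127.0.0.1", "192.0.2.10"),
    build_frame(HOST_MAC, "127.0.0.5", "192.0.2.11"),
    build_frame(HOST_MAC, "198.51.100.7", "192.0.2.10"),  # normal source, ignored
]

if __name__ == "__main__":
    for mac, (count, is_router) in trace_report(SAMPLE, [ROUTER_MAC]).items():
        verdict = "router, move to the next segment" if is_router else "not a router, inspect this host"
        print(f"{mac}  {count} frame(s)  {verdict}")
```

A source MAC that belongs to a router means the frames were forwarded onto this segment, so the sniffer moves one hop closer; a MAC that is not a router marks the device to inspect.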