IDS SIG 1104

z_wick
Level 1

We have a Cisco 2611 running firewall and IDS software. We are receiving SIG 1104 Localhost Source Spoof on all of our outside IP addresses. Is there any way to detect where this attack is coming from? Or could someone explain in detail how this attack is defended against?

Thank you

darin.marais
Level 4

This is just a theory; however, it is the only theory I have been able to find so far: http://cert.uni-stuttgart.de/archive/intrusions/2003/08/msg00209.html

You may want to read the following threads:

1. RSTs from TCP 83 3389 7000 - Fixed ack and dport - Multiple sources

2. Re: RSTs from TCP 83 3389 7000 and Port 80 Increase

3. port 80 increase

Archives of these threads can be found here:

http://cert.uni-stuttgart.de/archive/intrusions/2003/12/threads.html

The only way to trace it is to go from segment to segment with a sniffer until you find that the source MAC address is no longer a router gateway, then clean the virus off of the device.

Your ISP could be routing 127.0.0.x on the outside interface. Ask them to drop the packets in an ACL.

Let me know if this has answered your question.
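
The segment-by-segment trace described in the reply above, as an added example that is not part of the original posts: it parses captured Ethernet frames, flags IPv4 packets whose source is in 127.0.0.0/8, and separates frames sent by a known router MAC from frames sent by a host on the local segment. The gateway MAC set, the sample frames and all function names are constructed for illustration, and untagged Ethernet II frames are assumed.

```python
import ipaddress
import struct
from collections import Counter

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def loopback_source(frame):
    """Return (src_mac, src_ip, dst_ip) for an IPv4 frame sourced from 127/8, else None."""
    if len(frame) < 34:                       # 14-byte Ethernet + 20-byte IPv4 minimum
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    ip = frame[14:]
    if ethertype != 0x0800 or ip[0] >> 4 != 4:
        return None
    src, dst = ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])
    if src not in LOOPBACK:
        return None
    return mac_str(frame[6:12]), str(src), str(dst)

def trace_segment(frames, gateway_macs):
    """Count spoofed frames per sender MAC, split into router and non-router senders."""
    via_gateway, local = Counter(), Counter()
    for frame in frames:
        hit = loopback_source(frame)
        if hit:
            (via_gateway if hit[0] in gateway_macs else local)[hit[0]] += 1
    return dict(via_gateway), dict(local)

def build_frame(src_mac, src_ip, dst_ip):
    """Constructed sample: Ethernet header plus a bare 20-byte IPv4 header (checksum unset)."""
    eth = bytes.fromhex("0200000000ff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return eth + ip

# Constructed data: assumed router MAC for this segment, documentation-range addresses.
GATEWAYS = {"02:00:00:00:00:01"}
SAMPLE = [
    build_frame("02:00:00:00:00:01", "127.0.0.1", "192.0.2.10"),     # forwarded by the router
    build_frame("02:00:00:00:00:01", "198.51.100.7", "192.0.2.10"),  # normal traffic
    build_frame("02:00:00:00:00:42", "127.0.0.1", "192.0.2.11"),     # host on this segment
]

if __name__ == "__main__":
    via_gateway, local = trace_segment(SAMPLE, GATEWAYS)
    print("forwarded by a router, move to the next segment:", via_gateway)
    print("sent by a device on this segment:", local)
```

A non-empty second result means the sending device sits on the captured segment; an empty one means the frames are only being forwarded and the capture point should move to the segment behind that router.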
