Security Incidents mailing list archives

Re: Is my IP Address being spoofed?


From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Tue, 27 Mar 2001 15:25:57 -0500

These seem to be very common spoofed packets.
Your address is spoofed in a packet that goes through a router destined for an
address (often fake) that is on the other side of the router. The router that
knows the destination is fake (or unreachable) sends back these ICMP packets.
The cracker in waiting can extract these enumeration packets because they are
destined for an IP address in your network that it knows is not valid.
It can extract the TTL and source address to map the router's tables.
You are just a convenient address on the road to Mandalay.

Matthew Collins <Matthew.Collins () NORTHERNREGISTRARS CO UK> on 03/27/2001 07:29:52 AM

Please respond to Matthew Collins <Matthew.Collins () NORTHERNREGISTRARS CO UK>

 To:      INCIDENTS () SECURITYFOCUS COM
 cc:      (bcc: Bill Royds/HullOttawa/PCH/CA)
 Subject: Is my IP Address being spoofed?



The following packets are showing up in my IDS logs, but although the source
address is part of our IP address range (62.254.170.9), it is not currently in
use (and never has been in the past). Is someone using my IP address as a source
address for spoofed packets? (i.e., some sort of port scan) It's the only
explanation I can think of.

The destination address (194.102.106.199) is listed under RIPE as a Romanian
mobile telephone provider.

IDS is snort 1.7

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-10:22:18.379954 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:7956 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:11252 IpLen:20 DgmLen:40
****PR*F Seq: 0x7D8A966F  Ack: 0x676F2E69  Win: 0xA35  TcpLen: 24
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-10:38:57.840821 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:36628 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:51188 IpLen:20 DgmLen:40
*2U*P*** Seq: 0x1D47586F  Ack: 0x3000D45  Win: 0x6572  TcpLen: 28  UrgPtr: 0x7430
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-10:38:59.889824 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:36628 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:51188 IpLen:20 DgmLen:40
*2U*P*** Seq: 0x1D47586F  Ack: 0x3000D45  Win: 0x6572  TcpLen: 28  UrgPtr: 0x7430
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:20:13.659119 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:42772 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:52724 IpLen:20 DgmLen:40
*2U*P**F Seq: 0x6C9F3D6F  Ack: 0x726E7265  Win: 0x7374  TcpLen: 24  UrgPtr: 0x7273
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:29:07.882793 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:57108 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:39924 IpLen:20 DgmLen:40
*2U*P*** Seq: 0x7C7D9E6F  Ack: 0x3000D45  Win: 0x6572  TcpLen: 28  UrgPtr: 0x7430
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:45:16.769944 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:20244 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:14324 IpLen:20 DgmLen:40
**U*PRSF Seq: 0x1C3A606F  Ack: 0x2F2F2F2F  Win: 0x2F2F  TcpLen: 8  UrgPtr: 0x2F2F
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:45:17.958558 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:20244 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:14324 IpLen:20 DgmLen:40
**U*PRSF Seq: 0x1C3A606F  Ack: 0x2F2F2F2F  Win: 0x2F2F  TcpLen: 8  UrgPtr: 0xA2F
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:45:54.729861 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:20244 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:14324 IpLen:20 DgmLen:40
**U*PRSF Seq: 0x1C3A606F  Ack: 0x2F2F2F2F  Win: 0x2F2F  TcpLen: 8  UrgPtr: 0xA2F
** END OF DUMP
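A defender triaging alerts like these wants to pull the quoted original datagram out of each ICMP Type 3 entry and check whether its source is an address of ours that is not in use, which is what Matthew suspects and Bill describes. The Python below is an added example, not code from the thread or from Snort; the prefix 62.254.170.0/24, the live-host set and the sample alerts (constructed from two entries quoted above) are assumptions.

```python
import ipaddress
import re
# Constructed sample in Snort 1.7 alert format, copied from two entries in the post.
SAMPLE_ALERTS = """\
[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-10:22:18.379954 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:7956 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:11252 IpLen:20 DgmLen:40
****PR*F Seq: 0x7D8A966F  Ack: 0x676F2E69  Win: 0xA35  TcpLen: 24
** END OF DUMP
[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:45:16.769944 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:20244 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:14324 IpLen:20 DgmLen:40
**U*PRSF Seq: 0x1C3A606F  Ack: 0x2F2F2F2F  Win: 0x2F2F  TcpLen: 8  UrgPtr: 0xA2F
** END OF DUMP
"""
FLAG_NAMES = "12UAPRSF"  # Snort 1.7 flag columns: reserved 1, 2, URG, ACK, PSH, RST, SYN, FIN
ALERT_RE = re.compile(
    r"(?P<ts>\S+) (?P<osrc>[\d.]+) -> (?P<odst>[\d.]+)\n"       # outer ICMP header line
    r"ICMP TTL:(?P<ottl>\d+).*\nType:(?P<type>\d+)\s+Code:(?P<code>\d+).*\n"
    r"\*\* ORIGINAL DATAGRAM DUMP:\n(?P<isrc>[\d.]+):(?P<isport>\d+) -> (?P<idst>[\d.]+):(?P<idport>\d+)\n"
    r"TCP TTL:(?P<ittl>\d+).*\n(?P<flags>[12UAPRSF*]{8}) ")      # quoted inner datagram

def parse_alerts(text):
    """One dict per alert; 'flags' becomes the set of TCP flags set in the inner packet."""
    alerts = [m.groupdict() for m in ALERT_RE.finditer(text)]
    for d in alerts:
        d["flags"] = {n for n, c in zip(FLAG_NAMES, d["flags"]) if c != "*"}
    return alerts

def triage(alerts, our_prefix, live_hosts):
    """Return (timestamp, reasons) for each alert whose quoted datagram looks forged."""
    net = ipaddress.ip_network(our_prefix)  # assumption: our whole allocation
    findings = []
    for a in alerts:
        reasons = []
        if a["type"] == "3" and ipaddress.ip_address(a["isrc"]) in net and a["isrc"] not in live_hosts:
            reasons.append("embedded source is an unused address in our range")
        if {"S", "F"} <= a["flags"] or {"S", "R"} <= a["flags"]:  # no real stack sends these together
            reasons.append("impossible flag combination " + "".join(n for n in FLAG_NAMES if n in a["flags"]))
        if reasons:
            findings.append((a["ts"], reasons))
    return findings
```

Run against a real alert file, an entry that hits both checks is a packet nobody on your network sent; the outer source (the router replying) and the inner TTL are what you would hand to the upstream provider.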

