Security Incidents mailing list archives
Re: Is my IP Address being spoofed?
From: Bill Royds <Bill_Royds () PCH GC CA>
Date: Tue, 27 Mar 2001 15:25:57 -0500
These seem to be very common spoofed packets. Your address is spoofed in a packet that goes through a router destined for an address (often fake) that is on the other side of the router. The router that knows the destination is fake (or unreachable) sends back these ICMP packets. The cracker in waiting can extract these enumeration packets because they are destined for an IP address in your network that it knows is not valid. It can extract the TTL and source address to map the router's tables. You are just a convenient address on the road to Mandalay.

Matthew Collins <Matthew.Collins () NORTHERNREGISTRARS CO UK> on 03/27/2001 07:29:52 AM
Please respond to Matthew Collins <Matthew.Collins () NORTHERNREGISTRARS CO UK>
To: INCIDENTS () SECURITYFOCUS COM
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Is my IP Address being spoofed?

The following packets are showing up in my IDS logs, but although the source address is part of our IP address range (62.254.170.9), it is not currently in use (and never has been in the past). Is someone using my IP address as a source address for spoofed packets? (i.e., some sort of port scan) It's the only explanation I can think of. The destination address (194.102.106.199) is listed under RIPE as a Romanian mobile telephone provider.

IDS is snort 1.7

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-10:22:18.379954 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:7956 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:11252 IpLen:20 DgmLen:40
****PR*F Seq: 0x7D8A966F  Ack: 0x676F2E69  Win: 0xA35  TcpLen: 24
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-10:38:57.840821 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:36628 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:51188 IpLen:20 DgmLen:40
*2U*P*** Seq: 0x1D47586F  Ack: 0x3000D45  Win: 0x6572  TcpLen: 28  UrgPtr: 0x7430
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-10:38:59.889824 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:36628 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:51188 IpLen:20 DgmLen:40
*2U*P*** Seq: 0x1D47586F  Ack: 0x3000D45  Win: 0x6572  TcpLen: 28  UrgPtr: 0x7430
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:20:13.659119 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:42772 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:52724 IpLen:20 DgmLen:40
*2U*P**F Seq: 0x6C9F3D6F  Ack: 0x726E7265  Win: 0x7374  TcpLen: 24  UrgPtr: 0x7273
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:29:07.882793 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:57108 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:39924 IpLen:20 DgmLen:40
*2U*P*** Seq: 0x7C7D9E6F  Ack: 0x3000D45  Win: 0x6572  TcpLen: 28  UrgPtr: 0x7430
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:45:16.769944 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:20244 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:14324 IpLen:20 DgmLen:40
**U*PRSF Seq: 0x1C3A606F  Ack: 0x2F2F2F2F  Win: 0x2F2F  TcpLen: 8  UrgPtr: 0x2F2F
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:45:17.958558 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:20244 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:14324 IpLen:20 DgmLen:40
**U*PRSF Seq: 0x1C3A606F  Ack: 0x2F2F2F2F  Win: 0x2F2F  TcpLen: 8  UrgPtr: 0xA2F
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:45:54.729861 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:20244 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:14324 IpLen:20 DgmLen:40
**U*PRSF Seq: 0x1C3A606F  Ack: 0x2F2F2F2F  Win: 0x2F2F  TcpLen: 8  UrgPtr: 0xA2F
** END OF DUMP
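The check a practitioner would want to run over alerts like the ones above, as an added example that is not part of either poster's message: parse snort 1.x "ICMP Destination Unreachable" alerts, pull out the original datagram the router quoted back, and decide whether it is backscatter from someone spoofing one of our addresses (inner source in our range but on no host we run) rather than a genuine unreachable for traffic a live host sent. It also flags TCP header fields no real stack produces, which is what the logs above show: SYN together with FIN and RST, an acknowledgement number set while the ACK flag is clear, and Ack/Win/UrgPtr bytes that decode as printable ASCII (0x2F is "/"), and it turns the quoted datagram's TTL into the spoofer-to-router hop estimate Bill mentions. The /24 for "our range", the set of live hosts, and the second, well-formed sample alert are assumptions constructed for the example.

```python
"""Classify snort 1.x ICMP Destination Unreachable alerts as backscatter.
Added example, not from the thread: pulls the datagram quoted inside each ICMP
message out of snort 1.7's layout, decides whether our address was spoofed by a
third party, and flags TCP header fields that look hand-crafted."""
from __future__ import annotations

import ipaddress
import re

# Assumption: the poster's "our IP address range" is taken to be a /24.
OUR_PREFIX = ipaddress.ip_network("62.254.170.0/24")
# Constructed: addresses we really run hosts on (the post says .9 never was one).
ACTIVE_HOSTS = {ipaddress.ip_address("62.254.170.20")}

# Constructed sample in snort 1.7's layout: the first alert copies values from the
# post, the second is an invented, ordinary unreachable for a SYN a live host sent.
SAMPLE_ALERTS = """\
[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-11:45:16.769944 157.130.241.17 -> 62.254.170.9
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.9:20244 -> 194.102.106.199:13559
TCP TTL:27 TOS:0x0 ID:14324 IpLen:20 DgmLen:40
**U*PRSF Seq: 0x1C3A606F  Ack: 0x2F2F2F2F  Win: 0x2F2F  TcpLen: 8  UrgPtr: 0x2F2F
** END OF DUMP

[**] ICMP Destination Unreachable (Undefined Code!) [**]
03/27-12:01:02.000000 157.130.241.17 -> 62.254.170.20
ICMP TTL:242 TOS:0x0 ID:0 IpLen:20 DgmLen:56
Type:3  Code:1  DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
62.254.170.20:40001 -> 194.102.106.199:80
TCP TTL:60 TOS:0x0 ID:777 IpLen:20 DgmLen:40
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x4000  TcpLen: 20
** END OF DUMP
"""

# One Type 3 alert block; "rest" keeps the tail of the flags line for UrgPtr.
ALERT_RE = re.compile(r"""
    \[\*\*\]\ [^\n]+\ \[\*\*\]\n
    (?P<ts>\S+)\ (?P<router>[\d.]+)\ ->\ [\d.]+\n
    ICMP\ TTL:\d+[^\n]*\n Type:3\s+Code:\d+[^\n]*\n
    \*\*\ ORIGINAL\ DATAGRAM\ DUMP:\n
    (?P<isrc>[\d.]+):\d+\ ->\ (?P<idst>[\d.]+):(?P<idport>\d+)\n
    TCP\ TTL:(?P<ittl>\d+)[^\n]*\n
    (?P<flags>[12UAPRSF*]{8})\ Seq:\ 0x[0-9A-Fa-f]+\s+Ack:\ 0x(?P<ack>[0-9A-Fa-f]+)
    \s+Win:\ 0x(?P<win>[0-9A-Fa-f]+)(?P<rest>[^\n]*)\n\*\*\ END\ OF\ DUMP
""", re.VERBOSE)


def parse_alerts(text: str) -> list[dict]:
    """Each alert becomes a dict of the quoted datagram's header fields."""
    out = []
    for m in ALERT_RE.finditer(text):
        urg = re.search(r"UrgPtr:\s*0x([0-9A-Fa-f]+)", m["rest"])
        out.append({"ts": m["ts"], "router": m["router"], "src": m["isrc"],
                    "dst": m["idst"], "dport": int(m["idport"]), "ttl": int(m["ittl"]),
                    "flags": set(m["flags"]) - {"*"}, "ack": int(m["ack"], 16),
                    "win": int(m["win"], 16), "urg": int(urg[1], 16) if urg else None})
    return out


def header_ascii_fraction(a: dict) -> float:
    """Share of Ack/Win/UrgPtr bytes that are printable ASCII; a real stack puts
    numbers there, a tool that stuffs text into the header does not."""
    raw = a["ack"].to_bytes(4, "big") + a["win"].to_bytes(2, "big")
    if a["urg"] is not None:
        raw += a["urg"].to_bytes(2, "big")
    return sum(0x20 <= b < 0x7F for b in raw) / len(raw)


def tcp_anomalies(a: dict) -> list[str]:
    """Flag combinations and field values no sane TCP stack emits."""
    f, out = a["flags"], []
    if f & {"1", "2"}:
        out.append("reserved bits set")
    for pair, name in (("SF", "SYN+FIN"), ("SR", "SYN+RST"), ("RF", "RST+FIN")):
        if set(pair) <= f:
            out.append(name)
    if "A" not in f and a["ack"]:
        out.append("ack number set without ACK flag")
    if header_ascii_fraction(a) >= 0.75:
        out.append("header fields decode as printable ASCII")
    return out


def classify(a: dict) -> str:
    src = ipaddress.ip_address(a["src"])
    if src not in OUR_PREFIX:
        return "not ours: misrouted ICMP"
    if src in ACTIVE_HOSTS:
        return "genuine unreachable"
    return "backscatter: our address spoofed by a third party"


def hops_to_router(ttl_left: int) -> dict[int, int]:
    """Spoofer-to-router distance for each common initial TTL (give or take one)."""
    return {t: t - ttl_left for t in (32, 64, 128, 255) if t >= ttl_left}


def analyze(text: str) -> list[dict]:
    return [{"ts": a["ts"], "router": a["router"],
             "inner": f'{a["src"]} -> {a["dst"]}:{a["dport"]}',
             "verdict": classify(a), "anomalies": tcp_anomalies(a),
             "spoofer_hops": hops_to_router(a["ttl"])} for a in parse_alerts(text)]
```

Run analyze(SAMPLE_ALERTS) and the first alert comes back as backscatter with SYN+FIN, SYN+RST, RST+FIN, an ack number without ACK, and fully printable header bytes, while the constructed SYN from a live host is a plain unreachable with no anomalies. The hop estimate is only as good as the guess at the sender's initial TTL (a TTL of 27 left at the router is 5 hops from a 32 start but 37 from a 64 start), so treat it as a hint for correlating the same spoofer across several routers, not a measurement.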
Current thread:
- Is my IP Address being spoofed? Matthew Collins (Mar 27)
- <Possible follow-ups>
- Re: Is my IP Address being spoofed? Bill Royds (Mar 28)