Security Incidents mailing list archives
Re: IP Spoofs in the log - not sure what to do next
From: aladin168 <aladin168 () hotmail com>
Date: 24 Apr 2003 14:12:04 -0000
In-Reply-To: <000b01c3074e$75f2dd40$6d00a8c0@RANDALL.local>

Quote from Curt Purdy:
*** it is more difficult, though not impossible to spoof mac addresses. ***

It's easy to spoof MAC addresses with SMAC utility: http://www.klcconsulting.net/smac

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net
From: "Curt Purdy" <purdy () tecman com>
To: "'Chris Corbett'" <ccorbett () aspenwood com>, <incidents () securityfocus org>
Subject: RE: IP Spoofs in the log - not sure what to do next
Date: Sun, 20 Apr 2003 10:06:45 -0500
Message-ID: <000b01c3074e$75f2dd40$6d00a8c0@RANDALL.local>
In-Reply-To: <002601c3052f$3110c410$160010ac () aspenwood com>

You did not specify whether the logs were ingress or egress, but considering your notes, I will assume outgoing. Although it is relatively easy to spoof IP addresses, it is more difficult, though not impossible, to spoof MAC addresses. Therefore, I would assume that the Apple is the likely culprit, whether compromised or spoofing at the direction of its user. Either way, you could confirm this box is the culprit by sniffing its port on the switch with tcpdump/ethereal/windoze sniffer. If this is not the box, you have a bigger problem on your hands.

Also, I am not sure why you are unable to stop the user from accessing AOL webmail. You should be able to put an ACL in your router/firewall to prevent this.

Curt Purdy CISSP, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
cpurdy () dpsol com

----------------------------------------
If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

-----Original Message-----
From: Chris Corbett [mailto:ccorbett () aspenwood com]
Sent: Thursday, April 17, 2003 5:18 PM
To: incidents () securityfocus org
Subject: IP Spoofs in the log - not sure what to do next

I have been observing this list for a while and believe this is the right forum for this post. If not, direct me elsewhere.

I am seeing a steady stream of IP Spoofs in a firewall log we track for a client. Here is a sample:

04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN- Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx

All of the sources lead back to 172.128.x.x, 172.162.x.x, 172.138.x.x or 172.175.x.x which show up as AOL registered IP addresses (whois lookup). The destination addresses seem to be random, 24.191.183.249, 64.1.1.34, 216.160.20.203 .....nothing I can decipher as a pattern and nothing close
to the network this firewall is "protecting".

The MAC address listed in the spoof is the same every time, ironically an Apple computer on this network. This user (on the Apple) will occasionally use AOL mail via the web (I can't stop them), but they are not using AOL as their ISP. It's a DSL circuit and ISP services from another provider.

I am still learning about IP Spoofing and I don't want to overreact, but from what I read, spoofs should be investigated further and I am at a point where I am not sure what to look at next. The spoof is being detected by the firewall and therefore denied, but what else should I be looking for to make sure this is harmless? Is it someone trying to use this network to spoof another network? Could it be possible that this Apple machine is being compromised in some way and being used for spoof attempts?

Chris Corbett
Aspenwood Technologies, LTD
ccorbett () aspenwood com
Denver, CO

Chris Corbett
Aspenwood Technologies, LTD
Denver, CO
303-733-0044 x 303
303-733-4466

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------
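The thread's practical question is what to look at next once the firewall has already denied the packets. One defender-side step is to parse the "IP spoof detected" lines and group them by the MAC address the firewall recorded, so that a single LAN host emitting many source addresses that do not belong to the protected network (here, the AOL-registered 172.x ranges) stands out from a one-off misconfiguration. The script below is an added example written for this page, not code from any poster; it assumes the fixed log layout of the one sample line Chris quoted, a hypothetical protected LAN of 192.168.1.0/24 (the thread never states the real one), and constructed sample events with placeholder MAC suffixes.

```python
import re
import ipaddress
from collections import defaultdict

# Regex for the single log line shape shown in the thread; the exact field
# layout is an assumption about this firewall, not a documented format.
# The MAC field also accepts the 'xx' placeholders used in the original post.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) - IP spoof detected - "
    r"Source:(?P<src>[\d.]+), (?P<src_if>\w+)- ?Destination:(?P<dst>[\d.]+), (?P<dst_if>\w+)"
    r" - MAC address: (?P<mac>[0-9A-Fa-fx.]+)$"
)

# Constructed sample events: three from one MAC with AOL-registered source
# addresses (mirroring the thread), one from a second MAC carrying a real LAN
# address, and one unrelated line that the parser must skip.
SAMPLE_LOG = """\
04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN- Destination:24.191.183.249, WAN - MAC address: 00.90.27.aa.bb.cc
04/16/2003 10:08:17.101 - IP spoof detected - Source:172.128.3.9, LAN- Destination:64.1.1.34, WAN - MAC address: 00.90.27.aa.bb.cc
04/16/2003 10:09:02.550 - IP spoof detected - Source:172.162.44.1, LAN- Destination:216.160.20.203, WAN - MAC address: 00.90.27.aa.bb.cc
04/16/2003 10:11:40.003 - IP spoof detected - Source:192.168.1.77, LAN- Destination:10.0.0.5, WAN - MAC address: 00.0d.93.11.22.33
04/16/2003 10:12:00.000 - connection dropped - Source:192.168.1.5 - not a spoof event
"""

# The protected LAN prefix is an assumption; the thread never states it.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_line(line):
    """Return the fields of one 'IP spoof detected' line, or None for any other line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text, lan_net):
    """Group spoof events by the MAC address the firewall saw them from.

    For each MAC we record how many events it produced, how many carried a
    source address outside the protected LAN, how many of those sources lie in
    public (non-RFC 1918) space, the /16 prefixes the sources fall in, and the
    distinct destinations. One MAC emitting many foreign, public source
    addresses is the pattern described in the thread.
    """
    per_mac = defaultdict(lambda: {
        "events": 0, "foreign": 0, "public": 0,
        "source_prefixes": set(), "destinations": set(),
    })
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src = ipaddress.ip_address(ev["src"])
        rec = per_mac[ev["mac"].lower()]
        rec["events"] += 1
        rec["destinations"].add(ev["dst"])
        if src not in lan_net:
            rec["foreign"] += 1
            rec["source_prefixes"].add(str(ipaddress.ip_network(f"{src}/16", strict=False)))
        if not src.is_private:
            rec["public"] += 1
    return dict(per_mac)


def flag_hosts(summary):
    """MACs that sourced at least one non-LAN address, busiest first."""
    hits = [(mac, rec) for mac, rec in summary.items() if rec["foreign"] > 0]
    hits.sort(key=lambda item: item[1]["events"], reverse=True)
    return [mac for mac, _ in hits]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, LAN_NET)
    for mac in flag_hosts(summary):
        rec = summary[mac]
        print(f"{mac}: {rec['events']} spoof events, {rec['foreign']} foreign sources "
              f"({rec['public']} public), prefixes {sorted(rec['source_prefixes'])}, "
              f"{len(rec['destinations'])} distinct destinations")
```

Running it against a real log file means replacing SAMPLE_LOG with the file contents and LAN_NET with the actual protected prefix. The flagged MAC list is the set of switch ports worth capturing on, which is the confirmation step Curt suggests; a MAC whose events all carry LAN-local sources (the second host above) is a different, lower-priority question than one steadily sourcing public addresses from someone else's allocation.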
Current thread:
- IP Spoofs in the log - not sure what to do next Chris Corbett (Apr 19)
- RE: IP Spoofs in the log - not sure what to do next Curt Purdy (Apr 21)
- RE: IP Spoofs in the log - not sure what to do next David Klotz (Apr 21)
- <Possible follow-ups>
- Re: FW: IP Spoofs in the log - not sure what to do next crawford charles (Apr 21)
- Re: FW: IP Spoofs in the log - not sure what to do next David Hawley (Apr 22)
- Re: IP Spoofs in the log - not sure what to do next aladin168 (Apr 24)