Re: FW: IP Spoofs in the log - not sure what to do next

["crawford charles" <biv0uac17 () hotmail com>]

Is he terminating a tunnel?

C.

> From: Chris Corbett [mailto:ccorbett () aspenwood com]
> Sent: Thursday, April 17, 2003 6:18 PM
> To: incidents () securityfocus org
> Subject: IP Spoofs in the log - not sure what to do next
>
>
> I have been observing this list for a while and believe this is the right
> forum for this post. If not, direct me elsewhere
> I am seeing a steady stream of IP Spoofs in a firewall log we track for a
> client. Here is a sample
> 04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN-
> Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx
>
> All of the sources lead back to 172.128.x.x, 172.162.x.x, 172.138.x.x or
> 172.175.x.x which show up as AOL registered IP addresses (whois lookup)
>
> The destination addresses seem to be random,  24.191.183.249,   64.1.1.34,
> 216.160.20.203 .....nothing I can decipher as a pattern and nothing close 
> to
> the network this firewall is "protecting".
>
> The MAC address listed in the spoof is the same every time, ironically an
> Apple computer on this network. This user (on the Apple) will occasionally
> use AOL mail via the web (I can't stop them), but they are not using AOL as
> their ISP. It's a DSL circuit and ISP services from another provider.
>
> I am still learning about IP Spoofing and I don't want to overreact, but
> from what I read, spoofs should be investigated further and I am at a point
> where I am not sure what to look at next. The spoof is being detected by 
> the
> firewall and therefore denied, but what else should I be looking for to 
> make
> sure this is harmless?
>
> Is it someone trying to use this network to spoof another network?
>
> Could it be possible that this Apple machine is being compromised in some
> way and being used for spoof attempts?
>
> Chris Corbett
> Aspenwood Technologies, LTD
> ccorbett () aspenwood com
> Denver, CO
>
> Chris Corbett
> Aspenwood Technologies, LTD
> Denver, CO
> 303-733-0044 x 303
> 303-733-4466
>
>
>
>
> ----------------------------------------------------------------------------
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> world's premier event for IT and network security experts.  The two-day
> Training features 6 hand-on courses on May 12-13 taught by professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no vendor
> sales pitches.  Deadline for the best rates is April 25.  Register today to
> ensure your place. http://www.securityfocus.com/BlackHat-incidents
> ----------------------------------------------------------------------------


_________________________________________________________________
Tired of spam? Get advanced junk mail protection with MSN 8. 
http://join.msn.com/?page=features/junkmail


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------