Re: IP Spoofs in the log - not sure what to do next

[aladin168 <aladin168 () hotmail com>]

In-Reply-To: <000b01c3074e$75f2dd40$6d00a8c0@RANDALL.local>

Quote from Curt Purdy: *** it is more difficult, though not impossible to
spoof mac
addresses. ***

It's easy to spoof MAC addresses with SMAC utility: 
http://www.klcconsulting.net/smac 

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net

> Received: (qmail 4216 invoked from network); 21 Apr 2003 17:19:23 -0000
> Received: from outgoing3.securityfocus.com (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 21 Apr 2003 17:19:23 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing3.securityfocus.com (Postfix) with QMQP
>       id 59ECAA30BE; Mon, 21 Apr 2003 11:23:53 -0600 (MDT)
> Mailing-List: contact incidents-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <incidents.list-id.securityfocus.com>
> List-Post: <mailto:incidents () securityfocus com>
> List-Help: <mailto:incidents-help () securityfocus com>
> List-Unsubscribe: <mailto:incidents-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:incidents-subscribe () securityfocus com>
> Delivered-To: mailing list incidents () securityfocus com
> Delivered-To: moderator for incidents () securityfocus com
> Received: (qmail 18698 invoked from network); 20 Apr 2003 14:52:15 -0000
> From: "Curt Purdy" <purdy () tecman com>
> To: "'Chris Corbett'" <ccorbett () aspenwood com>,
>       <incidents () securityfocus org>
> Subject: RE: IP Spoofs in the log - not sure what to do next
> Date: Sun, 20 Apr 2003 10:06:45 -0500
> Message-ID: <000b01c3074e$75f2dd40$6d00a8c0@RANDALL.local>
> MIME-Version: 1.0
> Content-Type: text/plain;
>       charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
> Importance: Normal
> In-Reply-To: <002601c3052f$3110c410$160010ac () aspenwood com>
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
>
> You did not specify whether the logs were ingress or egress, but 
considering
> your notes, I will assume outgoing.  Although it is relatively easy to 
spoof
> ip addresses, it is more difficult, though not impossible to spoof mac
> addresses.  Therefore, I would assume that the Apple is the likely 
culprit,
> whether compromised or spoofing at the direction of it's user.  Either 
way,
> you could confirm this box is the culprit by sniffing it's port on the
> switch with tcpdump/ethereal/windoze sniffer.
>
> If this is not the box, you have a bigger problem on your hands.  Also, I 
am
> not sure why you are unable to stop the user from acessing AOL webmail.  
You
> should be able to put an ACL in your router/firewall to prevent this.
>
> Curt Purdy CISSP, MCSE+I, CNE, CCDA
> Information Security Engineer
> DP Solutions
> cpurdy () dpsol com
>
> ----------------------------------------
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- White House cybersecurity adviser Richard Clarke
>
>
> -----Original Message-----
> From: Chris Corbett [mailto:ccorbett () aspenwood com]
> Sent: Thursday, April 17, 2003 5:18 PM
> To: incidents () securityfocus org
> Subject: IP Spoofs in the log - not sure what to do next
>
>
> I have been observing this list for a while and believe this is the right
> forum for this post. If not, direct me elsewhere
> I am seeing a steady stream of IP Spoofs in a firewall log we track for a
> client. Here is a sample
> 04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN-
> Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx
>
> All of the sources lead back to 172.128.x.x, 172.162.x.x, 172.138.x.x or
> 172.175.x.x which show up as AOL registered IP addresses (whois lookup)
>
> The destination addresses seem to be random,  24.191.183.249,   64.1.1.34,
> 216.160.20.203 .....nothing I can decipher as a pattern and nothing close 
to
> the network this firewall is "protecting".
>
> The MAC address listed in the spoof is the same every time, ironically an
> Apple computer on this network. This user (on the Apple) will occasionally
> use AOL mail via the web (I can't stop them), but they are not using AOL 
as
> their ISP. It's a DSL circuit and ISP services from another provider.
>
> I am still learning about IP Spoofing and I don't want to overreact, but
> from what I read, spoofs should be investigated further and I am at a 
point
> where I am not sure what to look at next. The spoof is being detected by 
the
> firewall and therefore denied, but what else should I be looking for to 
make
> sure this is harmless?
>
> Is it someone trying to use this network to spoof another network?
>
> Could it be possible that this Apple machine is being compromised in some
> way and being used for spoof attempts?
>
> Chris Corbett
> Aspenwood Technologies, LTD
> ccorbett () aspenwood com
> Denver, CO
>
> Chris Corbett
> Aspenwood Technologies, LTD
> Denver, CO
> 303-733-0044 x 303
> 303-733-4466
>
>
>
>
> --------------------------------------------------------------------------
--
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> world's premier event for IT and network security experts.  The two-day
> Training features 6 hand-on courses on May 12-13 taught by professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no vendor
> sales pitches.  Deadline for the best rates is April 25.  Register today 
to
> ensure your place. http://www.securityfocus.com/BlackHat-incidents
> --------------------------------------------------------------------------
--
> --------------------------------------------------------------------------
--
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
> world's premier event for IT and network security experts.  The two-day 
> Training features 6 hand-on courses on May 12-13 taught by 
professionals.  
> The two-day Briefings on May 14-15 features 24 top speakers with no 
vendor 
> sales pitches.  Deadline for the best rates is April 25.  Register today 
to 
> ensure your place. http://www.securityfocus.com/BlackHat-incidents 
> --------------------------------------------------------------------------
--
>

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------