Logs show spoof

[the19man]

I am currently running a Sonicwall firewall and have over the past week recieved a few IP Spoof detected warnings. The warning shows an IP address that could be on my subnet, but falls outside my current scope. The warning gives me a MAC address as well, and though the spoof seems to come from different IP addresses each time, the MAC remains the same. I am fairly new in the security realm and really have no idea what this warning means or if some one is actaully attempting illicit activity.

Off topic - I am also getting pinged 4-5 times per minute from addressed fairly similar to my public IP. I have called the ISP with ni results. I am thinking this is a product of the Blaster worm. Anyone else seeing this type of traffic.

Thanks for any info provided.

[SirDice]

AFAIK Blaster doesn't spoof it's source and/or tries to ping it's (potential) victims.

Is your firewall connected to some sort of dialup (this usually includes xDSL, pptp and vpn connections)? If so, the MAC is probably bogus too.

I can only suggest blocking all private adresses originating on the outside interface. This means setting up 1 or more rules that block packets using RFC1918 addresses (and a couple more) as a source.

Tracing a spoofed source is next to impossible without the help of all the ISPs and Telcos that are between you and your 'attacker'.

[Tiger Shark]

The19: You can use something like Ethereal to capture the packets. This will tell you what kind of adapter the MAC address is coming from or try putting the first three octets of the address in one of these sites and see if you can ID the device. If it is a Cisco, Bay or whatever then the packets are being spoofed from outside your collision domain, (local network). If they come from something else then the probability is higher that it is a machine on your network.


The pings are the other worm that fixes MSBlast, (I forget it's name), as long as your firewall block port 135 inbound you should be fine.

[slarty]

Originally posted here by the19man
[B]I am currently running a Sonicwall firewall and have over the past week recieved a few IP Spoof detected warnings.

How does it determine that the packets have spoofed source addresses?

The warning shows an IP address that could be on my subnet, but falls outside my current scope. The warning gives me a MAC address as well,

As MAC addresses are not part of the IP packet, they cannot have come across the internet. The MAC address will be a machine on your LAN. Either that is the box that did the spoofing, or (more likely) it is a router which has routed it to your LAN.

and though the spoof seems to come from different IP addresses each time, the MAC remains the same.

As I say, MAC is not part of an IP packet. Therefore it isn't routed. So the MAC probably belongs to your router.

I am fairly new in the security realm and really have no idea what this warning means or if some one is actaully attempting illicit activity.

Well probably not.

I doubt whether the packets are spoofed at all - I expect it's a false alarm.

It is unusual to see and difficult to detect spoofed packets. Fortunately they aren't much of a risk because an attacker can never get responses to them.

But they have been used for UDP-based DoS in the past.

Slarty

[gunit0072003]

the19man

Im experiencing the same exact thing as you are for the last 3 days....

My Firewall (Zonealarm) reports them as ICMP request, however when I sniff the packets
they are a bunch of ARP requests...and just as you stated the dst MAC address is the same
(as probably expected).

MAC address is also same as my default gateway..( you might want to ping your default gateway and check arp table to verify as well,,on windows OS type arp -a)

I also assumed packets were spoofed because I could not ping any of src addresses and just like you described, the src addresses are in the range of my own. (although this is not 100% accurate assumption)

My protocol analyzer reports upwards of 1000 ARP requests per minute and sometimes higher..
captured trace and sent to my ISP (cable modem)...awaiting their analysis (wont hold my breath)


Ill keep ypu posted...

cheers

P.S
Oh I forgot to add, I physicaly changed my NIC card (which changed my IP) to make sure no one was homing in on me. However problem persisted,,I guess it is a random occurance..

[slarty]

My Firewall (Zonealarm) reports them as ICMP request, however when I sniff the packets
they are a bunch of ARP requests...and just as you stated the dst MAC address is the same
(as probably expected).

This does not make sense:

1. ARP packets are not ICMP packets.
2. ARP packets only exist on ethernet LANs and are not routeable
3. ARP request packets are usually broadcast. Therefore the destination MAC is going to be ff:ff:ff:ff:ff:ff

Something is wrong here. One of your tools is showing up normal traffic as intrusion.

Slarty

[Tiger Shark]

Slarty:
I think he's misreading the dumps. What he is seeing is the ARP "Who Has" for each subsequent Ping. When the infected machine realizes from the subnet mask that the address is local it will queue the ARP requests and broadcast them.... He will see them all and if he looks through them there will be one that refers to his IP and a reply from his with the MAC address.

The log is probably showing a flood of ARP requests and a series of ICMP and he is combining them as a single entity rather then dividing them for what they are.

[the19man]

slarty - thanks for breakin it down.


Thanks to others for feedback and input. I appreciate the sharing of knowledge.

[gunit0072003]

Slarty,

Let me make myself clearer..Should have been more specific with my findings..

ARP packets ofcourse are not ICMP packet. These can be two different incidents occuring at same time..(what Zonealarm is reporting and what protocol analyzer is capturing may not be related..the # of ARP captures is no where near the # of Zonealarm incidents) I used 3 different protocol analyzers and are all reporting same captures..Ethereal, Network General Sniffer (original DOS version) and Snifferpro..The ARP packets are Im sure for a fact is what they are.

And yes ARP packets do exist only on LANS and are not routable (unless you had proxy arp turned on routers and was able to force PC to send ARP request for different subnet than your own..wont get into it here,,can easily be done) anyway thats not the point here,,With cable service, your connection is on same VLAN/ broadcast domain as others in same neighborhood/community.

Think of the following:
(PC1, PC2, PCx and Ethernet of router are all on same VLAN/broadcast domain)

PC1--------------->
subnet 1
PC2---------------> all going to 1 router/1 NIC with multiple IP addresses (secondary addresses)
subnet 2
PCx--------------->
subnet x

Ive set this up many times (although only in switch environments)
Its no different than 2 PCs with diff subnets on same hub going to one router with primary and secondary Ip addresses.. Each PC has its own default gateway wich happens to be same MAC/physical NIC. and the important thing to see here is when PC1 send a broadcast, PC2 will hear it...

And I didnt make myself clear about MAC address,, I was referring not to dst MAC of ARP request,,sure thats FFFFFFFF, I was referring to src where it happens to be same unicast..,,,
The above examples clearly demonstrates this..


Cheers..

P.S.
With all do respect Tiger Shark, I know Iam a newbie here at AO, but not to "toot"
my own horn,,very experienced and senior when it comes to routing/switching/IP and utilizing protocol analyzers....(hope that didnt sound arrogant,,just stating fact)

[Tiger Shark]

Hey Gunit.... No problem..... just trying to help...... It's sometimes really hard to determine someone's skill level based on reading one or two of their posts....... Didn't mean to come across as a know-it-all...... It just seemed to me that it might be plausible for someone to have done that with such a large amount of traffic and the output can be a tad overwhelming.... My apologies if I offended......