IP Spoof
Results 1 to 6 of 6

Thread: IP Spoof

  1. #1
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,252

    IP Spoof

    On a simple NT4 network lives a Sonic Wall Firewall. The logs indicate a IP Spoof detected and dropped. The source IP address is a private address and the MAC address is listed.

    IP spoof detected - Source:192.168.81.1, 137, LAN - Destination:192.168.80.2, 137, WAN - MAC address: 00.0D.56.34.64.8B -

    Here's my dilemma: The private range is not on my network, I'm using 10. So I assume that someone (Probably a MCSE - Sorry about that) has configured a device incorrectly and plugged into the LAN.

    I have scanned the network for the MAC address with no luck. Address not found!

    I'm not too worried about this but I would like to find out what's going on - any suggestions?

    Thanks,

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    On what interface does this spoof get detected? That should give you a clue if it's originating from the inside or the outside. If it's from the outside (the Internet) you can safely ignore it since your firewall is dropping them.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,252
    SirDice:

    Since the source and destination are private addresses and the mac address is listed, wouldn't the device have to be on the inside?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    It should be easy to see on your firewall. I am assuming the firewall has at least 2 NIC's. It wouldn't be of much use if it didn't. Therefor it should be easy to find out where it comes from.

    As for the private addresses, it could be possible (under certain conditions). I know for a fact that private addresses as a source will get routed over the Internet. Private destination addresses shouldn't but maybe somebody screwed up who's on the same segment as you.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    www.komododigital.com

    Go to their web site download newt.

    Install and you will find your NIC

  6. #6
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,252
    OK, the issue was a Cisco VPN Client. Vendor plugged into the network and launched his VPN software, the private address' showing as "Spoof IP's" were the virtual adaptor and virtual gateway.

    This poses a few different questions, I'll try to address them in a later post. Thanks for the help.
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •