IP source address spoofing
Results 1 to 10 of 10

Thread: IP source address spoofing

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    10

    IP source address spoofing

    I am slightly aware of ip address spoofing... i am curious as to why i would see this on my logs in a caymen dsl router... to give an idea of my network to help with this staement/question... a cayman adsl router connected to a switch that shares a connection with my computers and another networks computers that backbone of a frac ds3... is it possible that the frac ds3 taffic is "bleeding" onto my network and causing problems?.?.!
    Everyone has to start somewhere

  2. #2
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    Your setup is not completly clear for me...? probably I missread somewhere...
    you have an ADSL line with a router in between connected to a switch to share the same ADSL line, and you have a connection to a fractial ds3 backbone?
    traffic bleeding onto your network, you suspect the traffic from the other private network to cause trouble in yours? They are not using the same adress range are they?

  3. #3
    Junior Member
    Join Date
    May 2004
    Posts
    10
    let me write it a little more clearly... there is an adsl connection that my network uses (3 win2k servers and a laptop) i connect to the adsl router through a switch... on that same switch there is a gnu/linux box that acts as somewhat of a proxy for another network... the linux box has two network cards and has an IP from my network (in order to gain internet access for a 192.168.. network) and the other nic uses an IP from the frac DS3... in my logs from the netopia adsl router there are ip address source spoofing alerts... see below for a log file view...

    Security alert type : IP Source Address Spoofing
    IP source address : 208.143.71.209
    IP destination address : 224.0.0.251
    Number of attempts : 6632
    Time at last attempt : 239:15:52
    IP Interface : ENET (10/100BT-LAN)

    Security alert type : IP Source Address Spoofing
    IP source address : 208.143.71.209
    IP destination address : 239.255.255.253
    Number of attempts : 26125
    Time at last attempt : 239:14:40
    IP Interface : ENET (10/100BT-LAN)

    Security alert type : IP Source Address Spoofing
    IP source address : 208.143.71.33
    IP destination address : 224.0.0.251
    Number of attempts : 83474
    Time at last attempt : 239:16:59
    IP Interface : ENET (10/100BT-LAN)

    what do you think?!?
    Everyone has to start somewhere

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The 224.0.0.251 is a multicast broadcast address IIRC. The other one is too probably. The linux box is seeing the multicast broadcast and forwarding them. Your box is claiming sources as "spoofed" because they are not on it's own network and you haven't told it that the source network is associated to yours.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Junior Member
    Join Date
    May 2004
    Posts
    10
    thanks TS... i was under that influence but wasnt sure...
    Everyone has to start somewhere

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Those are both broadcast addresses. If your router was logging the src/dest ports, you'd probably be able to figure out which service it was on those boxes that is sending the attempt, and then see where the boxes are situated. You didn't provide enough information on the IP range of those other networks for me to give you more than a passing suggestion as to what the source of the problem is.

    From what you said:
    (INTERNET) <----> [Netopia Router] <---> (Your Lan + Linux gateway)
    Your lan has an address of 192.168.x.x.
    Then it goes:
    [Linux Gateway] <---> (F. DS3 LAN/WAN)

    What is the LAN/WAN address of the machines past the linux gateway? Is it too supposed to be part of the 192.168.0.0/16 range? If it is I suggest you immediately look into the setup of that DS3 network, or get whomever is responsible for it to look into it.

    This looks like you could fix it by implementing some simple filtering rules that I am frankly surprised a Netopia router doesn't ALREADY implement.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  7. #7
    Junior Member
    Join Date
    May 2004
    Posts
    10
    Network correction
    (INTERNET) <----> [Netopia Router] <---> (Your Lan + Linux gateway)
    my lan has an address of 68.94.x.x
    Then it goes:
    [Linux Gateway] <---> (F. DS3 LAN/WAN)
    linux nic routes another network through my netopia that has a nic with one of my 68.94's wich proxies a 192.168.x.x/24 and additonal card that has an ip of 208.143.71.220/24 (from the F. DS3)

    I think that the netopia doesn' t know what to do with the packets... the reason I'm qustioning that theory is the resent flood of attempts... they started a few weeks ago as 2-3 attepmts and they have sored recently to 20,000-90,000 attempts... curious i must say
    Everyone has to start somewhere

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    IIRC, these multicast packets are used in many dases for streaming media so things like realplayer spew them forth at startup to determine if there are any local sources of streaming media. Sounds like people on the other network have installed an app that uses multicast broadcasts and that's why you see the recent flood of packets.

    Is it possible to turn off broadcast forwarding either on the linux box or the Netopia? That would isolate you from the "storm" and it shouldn't affect the operation of your network.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  9. #9
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    It looks to me as though all the routers on the way have been configured to route multicast. You can disable this on the linux box by doing echo "0" > /proc/sys/net/ipv4/conf/eth?/mc_forwarding where ? is the device you want to disable it on. Alternately, you could NAT the packets and reset the source IP so it is valid and your Netopia stops complaining. I think the latter may be a better solution, however I doubt you will see any harm done by simply ceasing to route the mc packets..

    PS: A /24 is the first three octets with the last octet variable, or 254 hosts. This would be 192.168.0.x, for example, but 192.168.x.x tends to indicate a /16, hence my previous mention of it.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  10. #10
    Junior Member
    Join Date
    May 2004
    Posts
    10
    PS: A /24 is the first three octets with the last octet variable, or 254 hosts. This would be 192.168.0.x, for example, but 192.168.x.x tends to indicate a /16, hence my previous mention of it.
    sorry about the 192.168.x.x/24 it was a typo.... thnx for the help
    Everyone has to start somewhere

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •