IP Spoofing confusion

Printable View

August 31st, 2004, 06:17 PM
MrCoffee

IP Spoofing confusion

I did search for info here on AO for IP Spoofing, but I am a bit confused at this point, hence this post. It is a newbie sort of question.

In addition to the normal port scanning I get in my firewall log, I have been getting a huge number of IP Spoof detection off and on for the last three months. The part that has me confused is that the MAC address is one of my ISP's upstream systems, or so the log is leading me to believe. The IP itself resolves to IANA. I really dont think it is likely that IANA or my ISP are trying to IP Spoof me.

Also, the timing is a bit weird. Normally nothing the first seven days or the last seven days of the month. But in between, I get maybe 400 of these attempts every 8 hours. My ISP has been less then helpful. (They actually told me not to worry about it....)

I am using a Sonicwall SOHO3. While all attempts so far have been blocked/logged, I am concerned over the part of the picture I am missing/dont understand.

Thanks for any help you may have,

MrC
August 31st, 2004, 06:24 PM
Spyder32

I would tell you not to worry about it either. Mostly everyone (myself included) get's these type of things on a daily basis along with your normal port probes/scans, password guessing, etc. It's really nothing to worry about, I'd just listen to your ISP.
August 31st, 2004, 06:30 PM
Tiger Shark

The MAC address bit is dead easy..... ;)

As a packet moves across the network the MAC address in the packet is changed to the MAC address of the last device it passed through. Hence you are seeing your ISP "attacking" you... Been there, thought the same thing....

With regard to the spoofing, I would also tell you not to worry about it. Let's think about what happens.... Your devices see the packet and if any response is required the returing packet will be sent to the IANA address which is reserved and almost certainly has nothing "listening". Thus the packet will either be dropped as unroutable by some device along the way or, even if it was routed, it would reach it's TTL time_expired limit. Either way, no harm is done.

The only potential for harm is if someone at your ISP, or further usptream if the packets ever came out of the other side of your ISP, (which they don't or you should be receiving ICMP Time_Expired messages), were sniffing for those responses..... Which is highly unlikely..
August 31st, 2004, 06:59 PM
mvcrash

You need to determine if those packets are broadcast packets. If they are, your sonic wall needs to be reconfigured.

MV