-
February 11th, 2004, 02:04 PM
#1
IP Spoof
On a simple NT4 network lives a Sonic Wall Firewall. The logs indicate an IP Spoof detected and dropped. The source IP address is a private address and the MAC address is listed.
IP spoof detected - Source:192.168.81.1, 137, LAN - Destination:192.168.80.2, 137, WAN - MAC address: 00.0D.56.34.64.8B -
Here's my dilemma: The private range is not on my network, I'm using 10. So I assume that someone (probably an MCSE - sorry about that) has configured a device incorrectly and plugged into the LAN.
I have scanned the network for the MAC address with no luck. Address not found!
I'm not too worried about this but I would like to find out what's going on - any suggestions?
Thanks,
-
February 11th, 2004, 02:19 PM
#2
On what interface does this spoof get detected? That should give you a clue if it's originating from the inside or the outside. If it's from the outside (the Internet) you can safely ignore it since your firewall is dropping them.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 11th, 2004, 03:04 PM
#3
SirDice:
Since the source and destination are private addresses and the MAC address is listed, wouldn't the device have to be on the inside?
09:F9:11:02:9D:74:E3:5B  8:41:56:C5:63:56:88:C0
-
February 11th, 2004, 03:55 PM
#4
It should be easy to see on your firewall. I am assuming the firewall has at least 2 NICs. It wouldn't be of much use if it didn't. Therefore it should be easy to find out where it comes from.
As for the private addresses, it could be possible (under certain conditions). I know for a fact that private addresses as a source will get routed over the Internet. Private destination addresses shouldn't but maybe somebody screwed up who's on the same segment as you.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 11th, 2004, 05:24 PM
#5
www.komododigital.com
Go to their web site and download newt.
Install and you will find your NIC.
-
February 12th, 2004, 04:59 PM
#6
OK, the issue was a Cisco VPN Client. Vendor plugged into the network and launched his VPN software; the private addresses showing as "Spoof IPs" were the virtual adaptor and virtual gateway.
This poses a few different questions, I'll try to address them in a later post. Thanks for the help.
09:F9:11:02:9D:74:E3:5B  8:41:56:C5:63:56:88:C0
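Added example, not part of any post in this thread: a small Python parser for the log format quoted in post #1 that groups spoof alerts by MAC address when the packet came in on the LAN side from an address outside the LAN's own range. It assumes the LAN is 10.0.0.0/8 (the poster's "I'm using 10") and that the interface name after the source is where the packet arrived; every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the real LAN range is 10.0.0.0/8, per post #1.
LAN_NET = ipaddress.ip_network("10.0.0.0/8")

# Field layout taken from the single log line quoted in post #1.
SPOOF_RE = re.compile(
    r"IP spoof detected - Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<src_if>\w+)"
    r" - Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dst_if>\w+)"
    r" - MAC address: (?P<mac>[0-9A-Fa-f.:-]{17})"
)

def parse_spoof(line):
    """Return a dict for a spoof alert, or None for any other log line."""
    m = SPOOF_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise 00.0D.56... / 00-0D-56... to 00:0d:56... for switch/ARP lookups.
    rec["mac"] = re.sub(r"[.:-]", ":", rec["mac"]).lower()
    src = ipaddress.ip_address(rec["src"])
    rec["src_private"] = src.is_private
    # Arrived on the LAN side but is not numbered from the LAN range:
    # a locally attached device with foreign addressing (e.g. a VPN adaptor).
    rec["foreign_host_on_lan"] = rec["src_if"] == "LAN" and src not in LAN_NET
    return rec

def summarize(lines):
    """Map each MAC seen on the LAN to the out-of-range source IPs it used."""
    by_mac = defaultdict(set)
    for line in lines:
        rec = parse_spoof(line)
        if rec and rec["foreign_host_on_lan"]:
            by_mac[rec["mac"]].add(rec["src"])
    return {mac: sorted(ips) for mac, ips in by_mac.items()}

SAMPLE = [
    # From post #1:
    "IP spoof detected - Source:192.168.81.1, 137, LAN - Destination:192.168.80.2, 137, WAN - MAC address: 00.0D.56.34.64.8B -",
    # Constructed: inside address arriving on the WAN side (dropped at the edge).
    "IP spoof detected - Source:10.0.0.5, 80, WAN - Destination:10.0.0.9, 1025, LAN - MAC address: 00.11.22.33.44.55 -",
    # Constructed: unrelated log entry.
    "Web site blocked - Source:10.0.0.7, 1031, LAN",
]

if __name__ == "__main__":
    for mac, ips in summarize(SAMPLE).items():
        print(mac, ips)
```

The MAC addresses it reports are the ones to look for in switch port tables or on machines a visitor has plugged in, since a virtual adaptor's addressing will not match the LAN's.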