RE: IP Spoofs in the log - not sure what to do next
From: David Klotz (klotz@acm.org)
Date: Mon Apr 21 2003 - 08:27:40 CDT
I see something exactly like that in our Sonicwall logs occasionally.
I've tied it to one of two people who do use the AOL client, one of whom
uses AOL as their ISP, and who bring in laptops from home. What I assume
is going on is that the AOL client has grabbed a DHCP address from AOL
separate from the DHCP address given out on our LAN.
I know you said they were using a web mail interface, but I'd be willing
to bet what's really going on is that they actually have the full client
that they're loading up. If I had a dime for every time I heard someone
use "web" when they really should have said "Internet" I wouldn't have
to hold a job where I have to listen to people say "web" when they mean
"Internet".
Of course if that's not it, it would help us to know what version of Mac
OS is on this machine. Is it OS X, or OS less than X?
-DK
> -----Original Message-----
> From: Chris Corbett [mailto:ccorbett@aspenwood.com]
> Sent: Thursday, April 17, 2003 4:18 PM
> To: incidents@securityfocus.org
> Subject: IP Spoofs in the log - not sure what to do next
>
>
> I have been observing this list for a while and believe this
> is the right forum for this post. If not, direct me elsewhere.
> I am seeing a steady stream of IP Spoofs in a firewall log we
> track for a client. Here is a sample:
>
> 04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN - Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx
>
> All of the sources lead back to 172.128.x.x, 172.162.x.x,
> 172.138.x.x or 172.175.x.x which show up as AOL registered IP
> addresses (whois lookup)
>
> The destination addresses seem to be random, 24.191.183.249,
> 64.1.1.34,
> 216.160.20.203 .....nothing I can decipher as a pattern and
> nothing close to the network this firewall is "protecting".
>
> The MAC address listed in the spoof is the same every time,
> ironically an Apple computer on this network. This user (on
> the Apple) will occasionally use AOL mail via the web (I
> can't stop them), but they are not using AOL as their ISP.
> It's a DSL circuit and ISP services from another provider.
>
> I am still learning about IP Spoofing and I don't want to
> overreact, but from what I read, spoofs should be
> investigated further and I am at a point where I am not sure
> what to look at next. The spoof is being detected by the
> firewall and therefore denied, but what else should I be
> looking for to make sure this is harmless?
>
> Is it someone trying to use this network to spoof another network?
>
> Could it be possible that this Apple machine is being
> compromised in some way and being used for spoof attempts?
>
> Chris Corbett
> Aspenwood Technologies, LTD
> ccorbett@aspenwood.com
> Denver, CO
> 303-733-0044 x 303
> 303-733-4466
----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hands-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------
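The thread's question is how to tell a single host carrying a foreign address (the AOL-client explanation above) from a real spoofing campaign. The script below is an added example written by the editor, not code from either poster or from SonicWall: it parses log lines in the format of the one sample quoted in the post, groups events by the MAC address the firewall recorded, collapses the claimed sources to /16 prefixes, checks whether those sources are RFC 1918 space (172.128.x.x through 172.175.x.x are not; only 172.16.0.0/12 is private), and applies a triage rule of thumb. The sample log lines, the LAN subnet 192.168.1.0/24, the second MAC address and the verdict heuristic are all assumptions made for the example.

```python
"""
Triage helper for SonicWall-style "IP spoof detected" log lines.

Groups the events by the MAC address the firewall recorded, so the admin can
tell whether one host is carrying a foreign address (the AOL-client scenario
from the thread) or whether many hosts are forging sources.
"""
import ipaddress
import re
from collections import defaultdict

# Field layout taken from the single sample line quoted in the thread;
# other SonicWall firmware versions may format the line differently.
LOG_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) - IP spoof detected - "
    r"Source:(?P<src>[\d.]+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dst_if>\w+) - "
    r"MAC address: (?P<mac>[0-9A-Fa-fx.]+)"
)

# Constructed sample log, modelled on the one line in the post (not real data).
SAMPLE_LOG = "\n".join([
    "04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN - Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx",
    "04/16/2003 10:08:16.101 - IP spoof detected - Source:172.175.86.24, LAN - Destination:64.1.1.34, WAN - MAC address: 00.90.27.xx.xx.xx",
    "04/16/2003 10:09:02.330 - IP spoof detected - Source:172.128.3.9, LAN - Destination:216.160.20.203, WAN - MAC address: 00.90.27.xx.xx.xx",
    "04/16/2003 11:20:44.002 - IP spoof detected - Source:10.0.0.77, LAN - Destination:198.51.100.5, WAN - MAC address: 00.50.56.11.22.33",
    "04/16/2003 11:21:00.000 - Connection opened - this line is not a spoof event",
])


def parse(log_text):
    """Return one dict per 'IP spoof detected' line; unrelated lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, log_text.splitlines()) if m]


def prefix16(addr):
    """Collapse an address to its /16, the granularity the post uses (172.175.x.x)."""
    return str(ipaddress.ip_network(f"{addr}/16", strict=False))


def verdict(rec):
    """Heuristic label for one MAC's events. This is the editor's rule of thumb,
    not a SonicWall classification."""
    if rec["all_private"]:
        # RFC 1918 source that is not in the LAN subnet: a mis-addressed host or
        # a second subnet behind the same NIC, rarely hostile.
        return "private-source"
    if len(rec["dests"]) == 1 and rec["count"] > 1:
        # Many events, one target, forged public source: the shape of
        # deliberate spoofing and worth a closer look.
        return "focused-public"
    # Public source, a handful of prefixes, scattered destinations: consistent
    # with a host that obtained a second, ISP-assigned address (the AOL case).
    return "scattered-public"


def triage(log_text, lan_net):
    """Summarise spoof events per MAC. lan_net is the firewall's LAN subnet
    (assumed by the caller here; read it from the interface config in practice)."""
    lan = ipaddress.ip_network(lan_net)
    by_mac = defaultdict(list)
    for e in parse(log_text):
        by_mac[e["mac"]].append(e)
    report = {}
    for mac, evs in by_mac.items():
        sources = {e["src"] for e in evs}
        rec = {
            "count": len(evs),
            "sources": sources,
            "prefixes": {prefix16(s) for s in sources},
            "dests": {e["dst"] for e in evs},
            # 172.128.x.x through 172.175.x.x are NOT RFC 1918 (that is 172.16.0.0/12 only).
            "all_private": all(ipaddress.ip_address(s).is_private for s in sources),
            # Sanity check on the firewall's reasoning: a LAN-side packet whose
            # source is outside the LAN subnet is exactly what it calls a spoof.
            "all_outside_lan": all(ipaddress.ip_address(s) not in lan for s in sources),
        }
        rec["verdict"] = verdict(rec)
        report[mac] = rec
    return report


if __name__ == "__main__":
    for mac, rec in triage(SAMPLE_LOG, "192.168.1.0/24").items():
        print(mac, rec["count"], sorted(rec["prefixes"]), rec["verdict"])
```

On the constructed sample the Apple's MAC comes out as "scattered-public" (public AOL-range sources, several unrelated destinations), which is the pattern David describes for a client that pulled its own address from AOL; a single MAC hammering one destination would come out "focused-public" and is the case that deserves the packet capture.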