Re: FW: IP Spoofs in the log - not sure what to do next
From: crawford charles (biv0uac17 hotmail.com)
Date: Mon Apr 21 2003 - 12:30:52 CDT
Is he terminating a tunnel?
C.
>From: Chris Corbett [mailto:ccorbett aspenwood.com]
>Sent: Thursday, April 17, 2003 6:18 PM
>To: incidents securityfocus.org
>Subject: IP Spoofs in the log - not sure what to do next
>
>
>I have been observing this list for a while and believe this is the right
>forum for this post. If not, direct me elsewhere.
>I am seeing a steady stream of IP Spoofs in a firewall log we track for a
>client. Here is a sample:
>04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN-
>Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx
>
>All of the sources lead back to 172.128.x.x, 172.162.x.x, 172.138.x.x or
>172.175.x.x which show up as AOL registered IP addresses (whois lookup)
>
>The destination addresses seem to be random, 24.191.183.249, 64.1.1.34,
>216.160.20.203 .....nothing I can decipher as a pattern and nothing close to
>the network this firewall is "protecting".
>
>The MAC address listed in the spoof is the same every time, ironically an
>Apple computer on this network. This user (on the Apple) will occasionally
>use AOL mail via the web (I can't stop them), but they are not using AOL as
>their ISP. It's a DSL circuit and ISP services from another provider.
>
>I am still learning about IP Spoofing and I don't want to overreact, but
>from what I read, spoofs should be investigated further and I am at a point
>where I am not sure what to look at next. The spoof is being detected by the
>firewall and therefore denied, but what else should I be looking for to make
>sure this is harmless?
>
>Is it someone trying to use this network to spoof another network?
>
>Could it be possible that this Apple machine is being compromised in some
>way and being used for spoof attempts?
>
>Chris Corbett
>Aspenwood Technologies, LTD
>ccorbett aspenwood.com
>Denver, CO
>
>Chris Corbett
>Aspenwood Technologies, LTD
>Denver, CO
>303-733-0044 x 303
>303-733-4466
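A way to check the observations in the original post (same MAC every time, sources in a few 172.x ranges, scattered destinations) across the whole log instead of by eye. This is an added example, not part of the thread. It assumes the tag after the source address names the interface the packet arrived on and that the protected LAN is 192.168.1.0/24; the function names are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the log format quoted in the post; timestamps and
# host octets are made up, and the second entry is wrapped as in the e-mail.
SAMPLE_LOG = """\
04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN - Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx
04/16/2003 10:09:02.101 - IP spoof detected - Source:172.128.10.5, LAN-
Destination:64.1.1.34, WAN - MAC address: 00.90.27.xx.xx.xx
04/16/2003 10:11:47.390 - IP spoof detected - Source:172.162.3.77, LAN - Destination:216.160.20.203, WAN - MAC address: 00.90.27.xx.xx.xx
04/16/2003 10:12:00.000 - Web site hit - Source:192.168.1.20, LAN - Destination:64.1.1.34, WAN
"""

# \s* around the separators lets an entry match even when it is line-wrapped.
ENTRY = re.compile(
    r"IP spoof detected\s*-\s*Source:(?P<src>[\d.]+),\s*(?P<iface>\w+)\s*-\s*"
    r"Destination:(?P<dst>[\d.]+),\s*\w+\s*-\s*MAC address:\s*(?P<mac>[0-9A-Fa-fx.:]+)"
)

def triage(log_text, lan_cidr):
    """Summarise spoof alerts per MAC: count, source /16s, destinations."""
    lan = ip_network(lan_cidr)
    report = {}
    for m in ENTRY.finditer(log_text):
        row = report.setdefault(m["mac"], {"events": 0, "src_nets": Counter(),
                                           "dsts": set(), "ifaces": set(),
                                           "src_in_lan": 0})
        row["events"] += 1
        row["src_nets"][str(ip_network(m["src"] + "/16", strict=False))] += 1
        row["dsts"].add(m["dst"])
        row["ifaces"].add(m["iface"])
        row["src_in_lan"] += ip_address(m["src"]) in lan
    return report

def single_origin(report):
    """Return the MAC if one LAN-side host sent every alert with a non-LAN source."""
    if len(report) == 1:
        mac, row = next(iter(report.items()))
        if row["ifaces"] == {"LAN"} and row["src_in_lan"] == 0:
            return mac
    return None

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, "192.168.1.0/24")  # LAN range is an assumption
    for mac, row in rep.items():
        print(mac, row["events"], dict(row["src_nets"]), sorted(row["dsts"]))
    print("single LAN-side origin:", single_origin(rep))
```

A non-None result from `single_origin` means every alert came in on the LAN side from one physical host using addresses outside the LAN range, which points the investigation at that machine's own interfaces and software rather than at outside traffic.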