
List:       inet-access
Subject:    ethernet IP spoofing?
From:       Jason Philbrook <jp () saucer ! midcoast ! com>
Date:       2004-02-04 17:32:48
Message-ID: 20040204173248.GA14134 () saucer ! midcoast ! com


We have what appears to be some spoofing going on in an ethernet network
shared by some wireless ethernet (proprietary technology) customers. No
wireless spoofing, but plain old IP spoofing, perhaps virus-related.
Perhaps I'm wrong and would love to know why. We tracked this down because
we were seeing broadcast traffic that appeared to come from this customer
and go to everyone, judging by the shape of their outgoing traffic graphed
and the shape of the incoming broadcast traffic to most of the other
people on that network.

Customer in question might have a virus or worm or something, I'm not
sure. It's a linksys CPE they have. Customer has the .175 address below,
our gateway is .129. Customer was not home at the time, does not have kids
at home, isn't the geek type, and is sufficiently geographically secluded
to prevent strangers from freeloading off a home wifi.

I did a tcpdump on our gateway that would display only the customer's MAC
address.

What's tripping me up is the line where .166 sends a packet to .183. I'm 
not watching for either of those. They belong to other customers.

Anyone seen this in the past couple of days? On mrtg graphs, it shows up
as outgoing traffic which shows up as incoming traffic to other people on
the same ethernet network.

TIA,
Jason

[jp@basket jp]$ /sbin/arp -an |grep x.x.101.175
? (x.x.101.175) at 00:0C:41:85:B2:B9 [ether] on eth3

[root@basket root]# tcpdump -n -i eth3 ether src or dst 00:0C:41:85:B2:B9
tcpdump: listening on eth3
15:02:08.447480 x.x.101.129 > x.x.101.175: icmp: echo request (DF)
15:02:10.427457 arp who-has x.x.101.175 tell x.x.101.129
15:02:10.540265 arp reply x.x.101.175 is-at 0:c:41:85:b2:b9
15:06:29.295925 204.58.232.202.1067 > x.x.101.175.ms-sql-m:  udp 376
15:06:29.366990 x.x.101.175 > 204.58.232.202: icmp: x.x.101.175 udp port ms-sql-m unreachable
15:06:34.287465 arp who-has x.x.101.175 tell x.x.101.129
15:06:34.299331 arp reply x.x.101.175 is-at 0:c:41:85:b2:b9
15:06:34.300019 arp reply x.x.101.175 is-at 0:c:41:85:b2:b9
15:06:34.307288 arp reply x.x.101.175 is-at 0:c:41:85:b2:b9
15:06:34.307794 arp reply x.x.101.175 is-at 0:c:41:85:b2:b9
15:06:58.340738 x.x.92.166 > x.x.101.175: icmp: echo request
15:06:58.518126 x.x.92.166 > x.x.101.183: icmp: echo request
15:15:56.501041 arp reply x.x.101.175 is-at 0:c:41:85:b2:b9
15:15:56.501049 221.12.114.123.1027 > x.x.101.175.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:15:56.501688 arp reply x.x.101.175 is-at 0:c:41:85:b2:b9
15:15:56.611665 x.x.101.175 > 221.12.114.123: icmp: x.x.101.175 udp port netbios-ns unreachable
15:15:56.957762 221.12.114.123.1027 > x.x.101.183.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
15:21:47.556233 63.208.193.241.3127 > x.x.101.175.3127: S 156638086:156638086(0) win 40
15:21:52.547461 arp who-has x.x.101.175 tell x.x.101.129
15:21:53.547456 arp who-has x.x.101.175 tell x.x.101.129
15:21:54.547456 arp who-has x.x.101.175 tell x.x.101.129
15:21:54.570952 arp reply x.x.101.175 is-at 0:c:41:85:b2:b9
15:21:54.571581 arp reply x.x.101.175 is-at 0:c:41:85:b2:b9


-- 
/*
Jason Philbrook   |   Midcoast Internet Solutions - Internet Access,
    KB1IOJ        |  Hosting, and TCP-IP Networks for Midcoast Maine
 http://f64.nu/   |             http://www.midcoast.com/
*/
_______________________________________________
"Eat sushi frequently". - Avi
inet@inet-access.net is the human contact address.
list@inet-access.net is the list posting address.
See below URL for subscribe/unsubscribe and list options:
http://inet-access.net/mailman/listinfo/list
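The check the post performs by hand (filter the capture on one customer's MAC, then eyeball which IP addresses ride on frames to or from that MAC) can be automated. The script below is an added example and is not code from the post or its author. It assumes the capture was taken with `tcpdump -e -n` so that each line carries the link-layer addresses (the post's capture was taken without `-e`, which is why the IP lines there show no MACs), and it assumes the capturing host is the gateway, whose MAC is exempted because it legitimately carries every off-segment address. The `arp -an` lines and the tcpdump lines embedded below are constructed using RFC 5737 documentation addresses and are not the poster's data; the gateway MAC is a made-up value. A "src" finding is a frame whose source MAC claims an IP the ARP table does not bind to it (a spoofed or forwarded source); a "dst" finding is a frame delivered to that MAC for an IP belonging to someone else, which is what the gateway's own ARP cache would produce if it had accepted an ARP reply mapping a neighbour's address to this MAC.

```python
"""Flag Ethernet frames whose IP addresses do not match the ARP binding of
the MAC that carried them.

Added example, not part of the original post.  Assumed input: `arp -an`
output as shown in the post, and `tcpdump -e -n` output (tcpdump 4.x line
layout).  All sample lines below are constructed with RFC 5737 addresses;
the gateway MAC is an assumed placeholder."""
import re
from collections import defaultdict

# "? (192.0.2.175) at 00:0C:41:85:B2:B9 [ether] on eth3"
ARP_RE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]+)")

# "15:06:58.340738 00:0c:41:85:b2:b9 > 00:50:56:00:01:29, ethertype IPv4 (0x0800),
#  length 98: 192.0.2.166 > 192.0.2.175: ICMP echo request, ..."
# Ports, when present with -n, appear as a fifth dotted field and are skipped.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-fA-F:]+) > (?P<dmac>[0-9a-fA-F:]+), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)


def norm_mac(mac):
    """Lower-case and zero-pad so '0:c:41:85:b2:b9' equals '00:0C:41:85:B2:B9'."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def parse_arp(lines):
    """Build {mac: set(ips)} from `arp -an` output; one MAC may answer for several IPs."""
    table = defaultdict(set)
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            table[norm_mac(m["mac"])].add(m["ip"])
    return dict(table)


def find_mismatches(arp_table, frames, gateway_mac):
    """Return [(timestamp, 'src'|'dst', mac, ip)] for every IP that rides on a
    MAC the ARP table does not bind it to.  Frames whose relevant MAC is the
    gateway, a broadcast address or otherwise unknown to the table are skipped."""
    findings = []
    gw = norm_mac(gateway_mac)
    for line in frames:
        m = FRAME_RE.match(line)
        if not m:
            continue  # ARP, IPv6, truncated lines: not checked here
        for kind, mac, ip in (("src", m["smac"], m["sip"]), ("dst", m["dmac"], m["dip"])):
            mac = norm_mac(mac)
            if mac == gw or mac not in arp_table:
                continue
            if ip not in arp_table[mac]:
                findings.append((m["ts"], kind, mac, ip))
    return findings


# ---- constructed sample data (not the poster's capture) ----
GATEWAY_MAC = "00:50:56:00:01:29"  # assumed MAC of the .129 gateway
SAMPLE_ARP = [
    "? (192.0.2.175) at 00:0C:41:85:B2:B9 [ether] on eth3",
    "? (192.0.2.183) at 00:0C:41:12:34:56 [ether] on eth3",
]
SAMPLE_FRAMES = [
    # gateway pings the customer: consistent
    "15:02:08.447480 00:50:56:00:01:29 > 00:0c:41:85:b2:b9, ethertype IPv4 (0x0800), "
    "length 98: 192.0.2.129 > 192.0.2.175: ICMP echo request, id 1, seq 1, length 64",
    # customer's MAC emits a frame with a source IP it does not own
    "15:06:58.340738 00:0c:41:85:b2:b9 > 00:50:56:00:01:29, ethertype IPv4 (0x0800), "
    "length 98: 198.51.100.166 > 192.0.2.175: ICMP echo request, id 7, seq 1, length 64",
    # frame delivered to the customer's MAC but addressed to a neighbour's IP
    "15:06:58.518126 00:50:56:00:01:29 > 00:0c:41:85:b2:b9, ethertype IPv4 (0x0800), "
    "length 98: 198.51.100.166 > 192.0.2.183: ICMP echo request, id 7, seq 2, length 64",
    # UDP probe with ports present: consistent
    "15:15:56.501049 00:50:56:00:01:29 > 00:0c:41:85:b2:b9, ethertype IPv4 (0x0800), "
    "length 120: 203.0.113.123.1027 > 192.0.2.175.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST",
]


def run_sample():
    """Run the check over the constructed sample and return the findings."""
    return find_mismatches(parse_arp(SAMPLE_ARP), SAMPLE_FRAMES, GATEWAY_MAC)


if __name__ == "__main__":
    for ts, kind, mac, ip in run_sample():
        print(f"{ts} {kind} mismatch: {ip} carried by {mac}")
```

Against a real capture, feed `tcpdump -e -n -i eth3 ether host <mac>` output as `frames` and the live `arp -an` output as the table; an unexplained "dst" finding is worth comparing with the unsolicited ARP replies in the capture, since a gateway only forwards a neighbour's packets to this MAC if its ARP cache has been persuaded to.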

