Re: FW: IP Spoofs in the log - not sure what to do next

From: David Hawley (rhino007_us@yahoo.com)
Date: 04/22/03

    Date: Tue, 22 Apr 2003 01:13:52 -0700
    To: "crawford charles" <biv0uac17@hotmail.com>, ccorbett@aspenwood.com
    From: David Hawley <rhino007_us@yahoo.com>
    
    

    At 05:30 PM 4/21/2003 +0000, crawford charles wrote:
    >Is he terminating a tunnel?
    >
    >C.
    >
    >>From: Chris Corbett [mailto:ccorbett@aspenwood.com]
    >>Sent: Thursday, April 17, 2003 6:18 PM
    >>To: incidents@securityfocus.org
    >>Subject: IP Spoofs in the log - not sure what to do next
    >>
    >>
    >>I have been observing this list for a while and believe this is the right
    >>forum for this post. If not, direct me elsewhere
    >>I am seeing a steady stream of IP Spoofs in a firewall log we track for a
    >>client. Here is a sample
    >>04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN-
    >>Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx

    Chris, I will provide some general thoughts, and others will no doubt
    narrow it down. Try and look at this "holistically"
    (from all 10 domains of network security). Physically it could be
    something that an application on that "phat mac" is
    doing, or initiated, perhaps at home over DSL. (such as a background
    picture exchange service, or even what I like to
    call a "denial of service pop-up application" virus.... those annoying
    programs that load onto a PC from HTML...)
    ---------------------
    Also holistically we know that there is a never-ending river of port scans,
    hacker attempts, "tests" by our Govt, experiments,
    etc across the Internet; 24/7 365 days a year (look on any high-profile
    firewall). So of course harden your firewalls (both
    Bastion Hosts and routers, remember to do the usual things like harden SNMP
    passwd's).

    My last contract was with ATSSI.... I don't know how far they have come
    with their products or research, but we were looking
    for a suite of security software that floated above all other network
    devices and proactively tuned the network (routers, firewalls,
    IDS, sacrificial lambs, internal servers, and hosts) for security based
    upon conditions at the time.

    Don't forget the host security... C2 has been a reality for decades in
    UNIX, also B1 and even A systems... where is Windows?

    LOL, david

    David R. Hawley, ceo/president, CISSP
    UNIX & NT NETWORK SECURITY, LLC
    WWW.123NETSECURITY.NET

    >>All of the sources lead back to 172.128.x.x, 172.162.x.x, 172.138.x.x or
    >>172.175.x.x which show up as AOL registered IP addresses (whois lookup)
    >>
    >>The destination addresses seem to be random, 24.191.183.249, 64.1.1.34,
    >>216.160.20.203 .....nothing I can decipher as a pattern and nothing close to
    >>the network this firewall is "protecting".
    >>
    >>The MAC address listed in the spoof is the same every time, ironically an
    >>Apple computer on this network. This user (on the Apple) will occasionally
    >>use AOL mail via the web (I can't stop them), but they are not using AOL as
    >>their ISP. It's a DSL circuit and ISP services from another provider.
    >>
    >>I am still learning about IP Spoofing and I don't want to overreact, but
    >>from what I read, spoofs should be investigated further and I am at a point
    >>where I am not sure what to look at next. The spoof is being detected by the
    >>firewall and therefore denied, but what else should I be looking for to make
    >>sure this is harmless?
    >>
    >>Is it someone trying to use this network to spoof another network?
    >>
    >>Could it be possible that this Apple machine is being compromised in some
    >>way and being used for spoof attempts?
    >>
    >>Chris Corbett
    >>Aspenwood Technologies, LTD
    >>ccorbett@aspenwood.com
    >>Denver, CO
    >>
    >>Chris Corbett
    >>Aspenwood Technologies, LTD
    >>Denver, CO
    >>303-733-0044 x 303
    >>303-733-4466
    >>
    >>
    >>
    >>
    >>----------------------------------------------------------------------------
    >>Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    >>world's premier event for IT and network security experts. The two-day
    >>Training features 6 hand-on courses on May 12-13 taught by professionals.
    >>The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    >>sales pitches. Deadline for the best rates is April 25. Register today to
    >>ensure your place. http://www.securityfocus.com/BlackHat-incidents
    >>----------------------------------------------------------------------------
    >
    >

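An added triage script (not code from the thread) that parses entries in the format of the log line Chris quoted, keeps those whose source lies outside the LAN range the firewall protects (the condition the firewall reports as a spoof), and groups them by MAC address to show whether they all originate from one host. The LAN subnet and the additional log lines are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
# Assumed LAN range behind this firewall (constructed for the example).
LAN = ip_network("192.168.1.0/24")
# Blocks the poster traced to AOL via whois; "172.128.x.x" read as a /16.
AOL_BLOCKS = [ip_network(b) for b in ("172.128.0.0/16", "172.138.0.0/16",
                                      "172.162.0.0/16", "172.175.0.0/16")]
LINE = re.compile(  # field layout of the sample line quoted in the thread
    r"^(?P<ts>\S+ \S+) - IP spoof detected - "
    r"Source:(?P<src>[\d.]+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dst_if>\w+) - "
    r"MAC address: (?P<mac>[0-9A-Fa-fx.]+)$")
# Constructed sample: first line is the one quoted in the post, the rest mimic
# what the poster describes (same MAC, AOL sources, scattered destinations).
SAMPLE_LOG = [
    "04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN"
    " - Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx",
    "04/16/2003 10:09:02.110 - IP spoof detected - Source:172.128.4.17, LAN"
    " - Destination:64.1.1.34, WAN - MAC address: 00.90.27.xx.xx.xx",
    "04/16/2003 10:11:40.903 - IP spoof detected - Source:172.162.9.200, LAN"
    " - Destination:216.160.20.203, WAN - MAC address: 00.90.27.xx.xx.xx",
]

def parse(line):
    """Return the fields of a spoof entry, or None for any other log line."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def classify(src):
    """Is the source inside the LAN, and does it fall in an AOL block?"""
    addr = ip_address(src)
    return {"inside_lan": addr in LAN, "aol_block": any(addr in b for b in AOL_BLOCKS)}

def triage(lines):
    """Group spoof events by MAC; one MAC with many foreign sources points at one host."""
    by_mac = defaultdict(lambda: {"count": 0, "aol": 0, "sources": Counter(), "dests": set()})
    for line in lines:
        ev = parse(line)
        if ev is None or ev["src_if"] != "LAN":
            continue
        c = classify(ev["src"])
        if c["inside_lan"]:
            continue  # a LAN address seen on the LAN side is not a spoof
        rec = by_mac[ev["mac"]]
        rec["count"] += 1
        rec["aol"] += int(c["aol_block"])
        rec["sources"][ev["src"]] += 1
        rec["dests"].add(ev["dst"])
    return dict(by_mac)
```

Run against the real log, a single MAC with every source in a foreign block and destinations all over the place is the signature the thread describes, which is what to take to that host's owner before looking for anything more exotic.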

