RE: Tracking Spoofs

From: Bromley, Gareth ( PSO ) (bromg2@private)
Date: Thu Nov 08 2001 - 01:55:29 PST

Previous message: Steve Nichols: "RE: NIPC Daily Report 6 November 2001"
Maybe in reply to: Solomon, Charlie: "Tracking Spoofs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If its MAC based spooing then the problem lies on your physical network
segments the firewall connects to. However, re-reading your email your not
specific so this may indicate its IP spoofing coming from the same MAC
address i.e. your router, since MAC addresses are only relevant to the
current physical network segment.

If its MAC spoofing:
If the firewall is NT/UNIX based doing an arp -a will show you the mapping
of IP addresses to the MAC addresses that the firewall knows about.

Cisco routers/switches can be also aid in this be doing show ip arp. If your
LAN infrastructure is Cisco based you could find out the exact port(s) the
spoffing MAC are attached to and thus isolate the machine(s) causing this
issue.

Which interface is the MAC spoofing occuring on? This should help you
isolate the threat area to internal/external. Other things to consider would
be the mthod of Internet connectivity, as I've heard, but yet to see, that
some Cable based access methods can propogate MAC addresses from neighbours
on the same Cable bearer.

Of course, if the offender is infact spoofing MAC through a tools based
around libnet, or have reprogrammed the MAC address this may not help. 

I think next steps would be:
- Clarify if its IP spoofing, or MAC spoofing

If its MAC spoofing
- Identify the interface of your firewall reporting this issue
- If its internal then start investigating your hub/switches for port MAC
- If its external then look at the elements you can manage i.e. Hub? router?
- Hopefully find the cluprit

Hope this helps,

--Gareth
-----Original Message-----
From: Solomon, Charlie [mailto:clsolomon@private]
Sent: 07 November 2001 18:39
To: 'crime@private'
Subject: Tracking Spoofs


	My firewall has been reporting to me periodic spoof attacks from the
same MAC address ever since I installed the firewall.  Does anyone have any
resources that would help me track down that NIC?  Is this something I
should get the FBI involved in?  I imagine, because it's a spoof and because
it doesn't appear the attack is working and yet continues, that it's just
some kid playing with his scripts, but that doesn't change the situation for
me, either!

	Thanks in advance.


Charlie Solomon
Information Systems Director
American Orient Express
<mailto:clsolomon@private>
Voice:  (503) 226-8181
Fax:    (503) 226-8128

Next message: Anonymous: "RE: Scam"
Previous message: Steve Nichols: "RE: NIPC Daily Report 6 November 2001"
Maybe in reply to: Solomon, Charlie: "Tracking Spoofs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:30:49 PDT