RE: Tracking Spoofs

From: Bromley, Gareth ( PSO ) (bromg2@private)
Date: Thu Nov 08 2001 - 01:55:29 PST

    If it's MAC-based spoofing then the problem lies on the physical network
    segments the firewall connects to. However, re-reading your email, you're not
    specific, so this may indicate it's IP spoofing coming from the same MAC
    address, i.e. your router, since MAC addresses are only relevant to the
    current physical network segment.
    
    If it's MAC spoofing:
    If the firewall is NT/UNIX based doing an arp -a will show you the mapping
    of IP addresses to the MAC addresses that the firewall knows about.
    
    Cisco routers/switches can also aid in this by doing show ip arp. If your
    LAN infrastructure is Cisco based you could find out the exact port(s) the
    spoofing MAC is attached to and thus isolate the machine(s) causing this
    issue.
    
    Which interface is the MAC spoofing occurring on? This should help you
    isolate the threat area to internal/external. Other things to consider would
    be the method of Internet connectivity, as I've heard, but have yet to see, that
    some cable-based access methods can propagate MAC addresses from neighbours
    on the same cable bearer.
    
    Of course, if the offender is in fact spoofing the MAC through a tool based
    around libnet, or has reprogrammed the MAC address, this may not help.
    
    I think next steps would be:
    - Clarify if it's IP spoofing or MAC spoofing
    
    If it's MAC spoofing:
    - Identify the interface of your firewall reporting this issue
    - If it's internal then start investigating your hubs/switches for the port MAC
    - If it's external then look at the elements you can manage, i.e. hub? router?
    - Hopefully find the culprit
    
    Hope this helps,
    
    --Gareth
    -----Original Message-----
    From: Solomon, Charlie [mailto:clsolomon@private]
    Sent: 07 November 2001 18:39
    To: 'crime@private'
    Subject: Tracking Spoofs
    
    
    	My firewall has been reporting to me periodic spoof attacks from the
    same MAC address ever since I installed the firewall.  Does anyone have any
    resources that would help me track down that NIC?  Is this something I
    should get the FBI involved in?  I imagine, because it's a spoof and because
    it doesn't appear the attack is working and yet continues, that it's just
    some kid playing with his scripts, but that doesn't change the situation for
    me, either!
    
    	Thanks in advance.
    
    
    Charlie Solomon
    Information Systems Director
    American Orient Express
    <mailto:clsolomon@private>
    Voice:  (503) 226-8181
    Fax:    (503) 226-8128
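As an added example (not code from either poster), the triage Gareth describes in a small Python helper: parse `arp -a` output from the firewall host, check whether the MAC the firewall reports belongs to the gateway (frames came through the router, so it is IP spoofing from beyond the segment) or to a local host, and diff two ARP snapshots for an IP whose MAC changed. The hostnames, addresses and MACs in the samples are constructed.

```python
import re

# Constructed sample `arp -a` output (Unix and Windows formats); not real data.
ARP_UNIX = """\
gw.example.lan (192.0.2.1) at 00:11:22:33:44:55 on eth0
host-a.example.lan (192.0.2.10) at aa:bb:cc:dd:ee:01 on eth0
host-b.example.lan (192.0.2.11) at aa:bb:cc:dd:ee:02 on eth0
"""
ARP_UNIX_LATER = """\
gw.example.lan (192.0.2.1) at 00:11:22:33:44:55 on eth0
host-a.example.lan (192.0.2.10) at aa:bb:cc:dd:ee:01 on eth0
host-b.example.lan (192.0.2.11) at aa:bb:cc:dd:ee:01 on eth0
"""
ARP_WINDOWS = """\
Interface: 192.0.2.5 --- 0x3
  Internet Address      Physical Address      Type
  192.0.2.1             00-11-22-33-44-55     dynamic
"""

# One IPv4 address followed (somewhere on the same line) by a MAC in ':' or '-' notation.
ENTRY = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?(?P<mac>(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.I)

def parse_arp(text):
    """Return {ip: mac} from `arp -a` output; MACs normalised to lower-case colon form."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            table[m["ip"]] = m["mac"].lower().replace("-", ":")
    return table

def classify_reported_mac(table, reported_mac, gateway_ip):
    """Triage a firewall spoof alert by the MAC it reports.

    'upstream': the MAC is the gateway's, so the frames arrived via the router and
    the issue is IP spoofing from beyond this segment; 'local': a host on this
    segment owns it (its IPs are returned); 'unknown': not in the ARP cache at all.
    """
    mac = reported_mac.lower().replace("-", ":")
    ips = sorted(ip for ip, m in table.items() if m == mac)
    if table.get(gateway_ip) == mac:
        return "upstream", ips
    return ("local", ips) if ips else ("unknown", [])

def mac_changes(before, after):
    """IPs whose MAC differs between two ARP snapshots: a candidate local MAC-spoofing sign."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}
```

A MAC that is the gateway's tells you only that the traffic came through the router; for the "local" case the switch's MAC table (show ip arp / the CAM table on a Cisco switch, as above) gives the physical port.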
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:30:49 PDT