If it's MAC-based spoofing then the problem lies on the physical network segments the firewall connects to. However, re-reading your email, you're not specific, so this may indicate it's IP spoofing coming from the same MAC address, i.e. your router, since MAC addresses are only relevant to the current physical network segment.

If it's MAC spoofing: if the firewall is NT/UNIX based, doing an arp -a will show you the mapping of IP addresses to the MAC addresses that the firewall knows about. Cisco routers/switches can also aid in this by doing show ip arp. If your LAN infrastructure is Cisco based you could find out the exact port(s) the spoofing MAC is attached to and thus isolate the machine(s) causing this issue.

Which interface is the MAC spoofing occurring on? This should help you isolate the threat area to internal/external.

Other things to consider would be the method of Internet connectivity, as I've heard, but have yet to see, that some cable-based access methods can propagate MAC addresses from neighbours on the same cable bearer.

Of course, if the offender is in fact spoofing the MAC through a tool based around libnet, or has reprogrammed the MAC address, this may not help.

I think next steps would be:

- Clarify if it's IP spoofing or MAC spoofing
- If it's MAC spoofing:
  - Identify the interface of your firewall reporting this issue
  - If it's internal then start investigating your hubs/switches for port MACs
  - If it's external then look at the elements you can manage, i.e. hub? router?
- Hopefully find the culprit

Hope this helps,

--Gareth

-----Original Message-----
From: Solomon, Charlie [mailto:clsolomon@private]
Sent: 07 November 2001 18:39
To: 'crime@private'
Subject: Tracking Spoofs

My firewall has been reporting to me periodic spoof attacks from the same MAC address ever since I installed the firewall. Does anyone have any resources that would help me track down that NIC? Is this something I should get the FBI involved in?
I imagine, because it's a spoof and because it doesn't appear the attack is working and yet continues, that it's just some kid playing with his scripts, but that doesn't change the situation for me, either!

Thanks in advance.

Charlie Solomon
Information Systems Director
American Orient Express
<mailto:clsolomon@private>
Voice: (503) 226-8181
Fax: (503) 226-8128
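The triage the reply describes (pull the ARP table from the firewall or a Cisco box, see which IP address or addresses the MAC in the spoof alerts answers for, and decide whether that MAC is the router's, in which case the forged source IPs came through it and the hunt moves upstream, or a station on the firewall's own segment, in which case a switch-port lookup finds the box) as an added example that is not part of either poster's message. The three ARP listings are constructed for the example, every address and MAC in them is invented, and it assumes the firewall logs the MAC as a string in any of the usual notations:

```python
import re
from collections import defaultdict

# Constructed sample output in the three formats the reply mentions:
# Windows NT "arp -a", UNIX "arp -a", and Cisco "show ip arp".
# Addresses and MACs are invented for this example.
WINDOWS_ARP = """\
Interface: 10.1.1.2 --- 0x2
  Internet Address      Physical Address      Type
  10.1.1.1              00-0c-29-aa-bb-cc     dynamic
  10.1.1.25             00-50-56-c0-00-01     dynamic
  10.1.1.26             00-50-56-c0-00-01     dynamic
"""

UNIX_ARP = """\
gateway (10.1.1.1) at 00:0c:29:aa:bb:cc [ether] on eth0
? (10.1.1.25) at 00:50:56:c0:00:01 [ether] on eth0
"""

CISCO_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   000c.29aa.bbcc  ARPA   FastEthernet0/0
Internet  10.1.1.25               4   0050.56c0.0001  ARPA   FastEthernet0/0
Internet  10.1.1.30              12   0050.56c0.0002  ARPA   FastEthernet0/0
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Colon- or dash-separated pairs (UNIX, Windows) or Cisco's dotted groups of four.
MAC_RE = re.compile(
    r"\b((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4})\b"
)


def normalize_mac(mac):
    """Reduce any of the three notations to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_table(text):
    """Return (ip, mac) pairs from arp -a or show ip arp output.
    Header and interface lines carry no MAC and are skipped."""
    entries = []
    for line in text.splitlines():
        ip = IP_RE.search(line)
        mac = MAC_RE.search(line)
        if ip and mac:
            entries.append((ip.group(1), normalize_mac(mac.group(1))))
    return entries


def group_by_mac(entries):
    """Map each MAC to the set of IPs the table shows it answering for."""
    by_mac = defaultdict(set)
    for ip, mac in entries:
        by_mac[mac].add(ip)
    return by_mac


def classify_reported_mac(entries, reported_mac, gateway_ip):
    """Interpret the MAC the firewall logs against its own ARP table.

    'router'     the MAC is the default gateway's: the forged source IPs came
                 through the router, so the MAC identifies nothing on this
                 segment and the search moves upstream (external).
    'local-host' exactly one station on the firewall's segment owns the MAC:
                 a switch-port lookup on that MAC finds the box (internal).
    'shared'     one MAC answers for several IPs on the segment.
    'unknown'    the MAC is not in the table at all.
    """
    ips = group_by_mac(entries).get(normalize_mac(reported_mac), set())
    if not ips:
        return "unknown", []
    if gateway_ip in ips:
        return "router", sorted(ips)
    if len(ips) > 1:
        return "shared", sorted(ips)
    return "local-host", sorted(ips)


if __name__ == "__main__":
    for name, table in (("windows", WINDOWS_ARP), ("unix", UNIX_ARP), ("cisco", CISCO_ARP)):
        entries = parse_arp_table(table)
        print(name, classify_reported_mac(entries, "00-0c-29-aa-bb-cc", "10.1.1.1"))
```

The lookup only reports what the table currently says about that MAC; as the reply notes, a sender that has reprogrammed its NIC or is forging frames with a libnet-style tool can make the MAC point at whatever it likes, so a 'local-host' result still needs confirming against the switch port before anyone is accused.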
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:30:49 PDT