In-Reply-To: <000b01c3074e$75f2dd40$6d00a8c0at_private>

Quote from Curt Purdy:

*** it is more difficult, though not impossible to spoof mac addresses. ***

It's easy to spoof MAC addresses with the SMAC utility:
http://www.klcconsulting.net/smac

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klaiat_private
www.klcconsulting.net


>From: "Curt Purdy" <purdyat_private>
>To: "'Chris Corbett'" <ccorbettat_private>, <incidentsat_private>
>Subject: RE: IP Spoofs in the log - not sure what to do next
>Date: Sun, 20 Apr 2003 10:06:45 -0500
>Message-ID: <000b01c3074e$75f2dd40$6d00a8c0at_private>
>In-Reply-To: <002601c3052f$3110c410$160010acat_private>
>
>You did not specify whether the logs were ingress or egress, but considering
>your notes, I will assume outgoing. Although it is relatively easy to spoof
>IP addresses, it is more difficult, though not impossible, to spoof MAC
>addresses. Therefore, I would assume that the Apple is the likely culprit,
>whether compromised or spoofing at the direction of its user. Either way,
>you could confirm this box is the culprit by sniffing its port on the
>switch with tcpdump/ethereal/windoze sniffer.
>
>If this is not the box, you have a bigger problem on your hands. Also, I am
>not sure why you are unable to stop the user from accessing AOL webmail. You
>should be able to put an ACL in your router/firewall to prevent this.
>
>Curt Purdy CISSP, MCSE+I, CNE, CCDA
>Information Security Engineer
>DP Solutions
>cpurdyat_private
>
>----------------------------------------
>
>If you spend more on coffee than on IT security, you will be hacked.
>What's more, you deserve to be hacked.
>-- White House cybersecurity adviser Richard Clarke
>
>
>-----Original Message-----
>From: Chris Corbett [mailto:ccorbettat_private]
>Sent: Thursday, April 17, 2003 5:18 PM
>To: incidentsat_private
>Subject: IP Spoofs in the log - not sure what to do next
>
>
>I have been observing this list for a while and believe this is the right
>forum for this post. If not, direct me elsewhere.
>
>I am seeing a steady stream of IP spoofs in a firewall log we track for a
>client. Here is a sample:
>
>04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN -
>Destination:24.191.183.249, WAN - MAC address: 00.90.27.xx.xx.xx
>
>All of the sources lead back to 172.128.x.x, 172.162.x.x, 172.138.x.x or
>172.175.x.x, which show up as AOL registered IP addresses (whois lookup).
>
>The destination addresses seem to be random, 24.191.183.249, 64.1.1.34,
>216.160.20.203 ..... nothing I can decipher as a pattern and nothing close to
>the network this firewall is "protecting".
>
>The MAC address listed in the spoof is the same every time, ironically an
>Apple computer on this network. This user (on the Apple) will occasionally
>use AOL mail via the web (I can't stop them), but they are not using AOL as
>their ISP. It's a DSL circuit and ISP services from another provider.
>
>I am still learning about IP spoofing and I don't want to overreact, but
>from what I read, spoofs should be investigated further and I am at a point
>where I am not sure what to look at next. The spoof is being detected by the
>firewall and therefore denied, but what else should I be looking for to make
>sure this is harmless?
>
>Is it someone trying to use this network to spoof another network?
>
>Could it be possible that this Apple machine is being compromised in some
>way and being used for spoof attempts?
>
>Chris Corbett
>Aspenwood Technologies, LTD
>ccorbettat_private
>Denver, CO
>303-733-0044 x 303
>303-733-4466


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hands-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 feature 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------
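The triage the thread converges on (the firewall's spoof alerts all carry the same LAN-side MAC, so the MAC identifies the sending host regardless of the claimed source IP) can be done mechanically over the log. The following is an added example, not code from anyone in the thread: it parses lines in the exact format Chris quoted, groups them by MAC, counts how many claimed sources fall inside the AOL range he traced via whois, and lists the hosts worth sniffing on their switch port first. The log lines, MAC values and the 172.128.0.0/10 approximation of AOL's space are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread. MAC octets are
# made up (the post masks them as xx.xx.xx); the 192.168 line is added to show
# a spoof whose claimed source lies outside the range traced to AOL.
SAMPLE_LOG = """\
04/16/2003 10:08:15.624 - IP spoof detected - Source:172.175.86.24, LAN- Destination:24.191.183.249, WAN - MAC address: 00.90.27.aa.bb.cc
04/16/2003 10:08:16.101 - IP spoof detected - Source:172.162.4.9, LAN- Destination:64.1.1.34, WAN - MAC address: 00.90.27.aa.bb.cc
04/16/2003 10:09:02.330 - IP spoof detected - Source:172.138.77.1, LAN- Destination:216.160.20.203, WAN - MAC address: 00.90.27.aa.bb.cc
04/16/2003 10:09:40.002 - IP spoof detected - Source:192.168.1.5, LAN- Destination:24.191.183.249, WAN - MAC address: 00.0c.29.11.22.33
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) - IP spoof detected - "
    r"Source:(?P<src>[\d.]+), (?P<src_if>\w+)\s*-\s*"
    r"Destination:(?P<dst>[\d.]+), (?P<dst_if>\w+)\s*-\s*"
    r"MAC address:\s*(?P<mac>[0-9A-Fa-fx.]+)$"
)

# Assumption (not from the thread): the AOL-registered space the poster found
# via whois is approximated by 172.128.0.0/10, which covers 172.128-172.191.
AOL_PREFIX = ipaddress.ip_network("172.128.0.0/10")


def parse(log_text):
    """Return one dict per line that matches the firewall's spoof format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Group spoof events by source MAC: the layer-2 address the firewall saw
    on its LAN port names the sending host whatever source IP it claimed."""
    by_mac = defaultdict(lambda: {"count": 0, "aol_src": 0, "dsts": set()})
    for e in events:
        rec = by_mac[e["mac"]]
        rec["count"] += 1
        if ipaddress.ip_address(e["src"]) in AOL_PREFIX:
            rec["aol_src"] += 1
        rec["dsts"].add(e["dst"])
    return dict(by_mac)


def suspect_hosts(summary, min_events=3):
    """MACs with at least min_events spoofs toward more than one destination:
    the hosts to sniff on their switch port first, as the thread suggests."""
    return sorted(mac for mac, r in summary.items()
                  if r["count"] >= min_events and len(r["dsts"]) > 1)
```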
This archive was generated by hypermail 2b30 : Thu Apr 24 2003 - 10:25:30 PDT