IP being spoofed

whuppinboy
DBB Benefactor
Posts: 725
Joined: Sun Jun 03, 2001 2:01 am

Post by whuppinboy »

i opened up my router log and found this:

2005/02/20 10:04:28 ** IP Spoofing ** <IP/UDP> xxx.xxx.x.x:xxxx ->> xxx.xxx.x.x:xx

i'm on a wireless network that's secured with only WEP at 128 bit encryption, i've mac filtered and there's only two connected clients (desktop and laptop). i've scanned for the ringzero trojan and the executor trojan and have come up with nothing.

google isn't much help on stopping ip spoofing and i've searched on dslreports and the H forums to no avail.

any ideas or suggestions?
Mobius
DBB_Master
Posts: 7940
Joined: Sun Jun 03, 2001 2:01 am
Location: Christchurch, New Zealand

Post by Mobius »

Why do you care? Even MAC filtering alone is enough security.
fliptw
DBB DemiGod
Posts: 6459
Joined: Sat Oct 24, 1998 2:01 am
Location: Calgary Alberta Canada

Post by fliptw »

Mobius wrote: Why do you care? Even MAC filtering alone is enough security.
You are an idiot, Mobius.

It's damned easy to bypass MAC filtering.

WEP is too weak, even at 128-bit. WPA is much better.

Was it spoofing an external or internal IP? I'm guessing internal.
whuppinboy
DBB Benefactor
Posts: 725
Joined: Sun Jun 03, 2001 2:01 am

Post by whuppinboy »

it was spoofing my internal ip. here's what sygate is showing:

2/20/2005 1:58:12 PM
Allowed 10
Outgoing
UDP xxx.xxx.x.xxx
FF-FF-FF-FF-FF-FF<--remote MAC (i did not change the address)
138
xxx.xxx.x.xx
xx-xx-xx-xx-xx-xx <--my MAC
138
C:\WINDOWS\system32\ntoskrnl.exe
Owner my computer name
Normal 1
2/20/2005 1:57:11 PM
2/20/2005 1:57:11 PM
GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP

i'm just wondering if i should be worried, it's causing countless logs to generate in my router log.
Avder
DBB Material Defender
Posts: 4926
Joined: Sat Oct 09, 1999 2:01 am
Location: Moorhead, MN

Post by Avder »

If it's using an all-F's MAC address, is it even possible for ARP to work with it? Correct me if I'm wrong, but isn't the all-F's MAC address reserved for broadcasts?

Also, Mobius, STFU.
whuppinboy
DBB Benefactor
Posts: 725
Joined: Sun Jun 03, 2001 2:01 am

Post by whuppinboy »

sorry but what's ARP? and i'm not sure what an all "F" MAC address represents.
DCrazy
DBB Alumni
Posts: 8826
Joined: Wed Mar 15, 2000 3:01 am
Location: Seattle

Post by DCrazy »

ARP is what converts IP addresses into MAC (hardware) addresses. A MAC address of FF:FF:FF:FF:FF:FF cannot exist; if a device tries to send a message to FF:FF:FF:FF:FF:FF, it gets broadcast to everyone on the network.

See http://www.geocities.com/SiliconValley/ ... k/arp.html for more info.
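
Added example, not part of any post in this thread: a small Python triage of router-log lines in the format whuppinboy quoted, separating LAN broadcast traffic on the NetBIOS UDP ports (the port 138, FF-FF-FF-FF-FF-FF pattern in the Sygate entry) from entries whose source address does not belong to the LAN. The sample lines, the 192.168.2.0/24 subnet and the labels are constructed assumptions; the thread masks its real addresses and does not say how the router decides what counts as spoofing.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the router-log format quoted in the thread.
# Addresses and the 192.168.2.0/24 LAN are assumptions; the thread masks its real values.
SAMPLE_LOG = """\
2005/02/20 10:04:28 ** IP Spoofing ** <IP/UDP> 192.168.2.3:138 ->> 192.168.2.255:138
2005/02/20 10:05:29 ** IP Spoofing ** <IP/UDP> 192.168.2.3:137 ->> 192.168.2.255:137
2005/02/20 10:06:02 ** IP Spoofing ** <IP/UDP> 192.168.2.3:4021 ->> 203.0.113.9:53
2005/02/20 10:07:15 ** IP Spoofing ** <IP/UDP> 10.9.8.7:1900 ->> 192.168.2.255:1900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \*\* IP Spoofing \*\* <IP/(?P<proto>\w+)> "
    r"(?P<src>[\d.]+):(?P<sport>\d+) ->> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
NETBIOS_UDP = {137, 138}  # NetBIOS name service and datagram service


def classify(line, lan):
    """Return a triage label for one router-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. a line whose addresses were masked with x's
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    broadcast = dst in (lan.broadcast_address, ipaddress.ip_address("255.255.255.255"))
    if src not in lan:
        return "source-outside-lan"      # source address does not belong on this segment
    if broadcast and m["proto"] == "UDP" and dport in NETBIOS_UDP:
        return "lan-netbios-broadcast"   # same shape as the Sygate entry: UDP 138 to broadcast
    if broadcast:
        return "lan-broadcast-other"
    return "lan-unicast"                 # a LAN host flagged on ordinary unicast traffic


def triage(log_text, lan_cidr):
    lan = ipaddress.ip_network(lan_cidr)
    labels = (classify(line, lan) for line in log_text.splitlines())
    return Counter(label for label in labels if label)


if __name__ == "__main__":
    for label, count in triage(SAMPLE_LOG, "192.168.2.0/24").items():
        print(f"{count:3d}  {label}")
```

A log dominated by `lan-netbios-broadcast` points at a LAN host's own broadcasts being flagged; `source-outside-lan` entries are the ones to look at first.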
whuppinboy
DBB Benefactor
Posts: 725
Joined: Sun Jun 03, 2001 2:01 am

Post by whuppinboy »

damn work filter won't let me thru :P will have to wait till tonight.

but if you're saying that the all "F" MAC broadcasts to everyone on the network, you're meaning my home network right? or the other wireless networks in my cul de sac?
Tricord
DBB Alumni
Posts: 3394
Joined: Thu Nov 05, 1998 12:01 pm

Post by Tricord »

No, only your own network of course. Networks are not supposed to interact or you'd get all kinds of weird ★■◆● happening.

It's probably nothing. Chances are there's a bug in the router firmware that makes it think there's some spoofing going on.

With WEP and MAC security enabled, you're safe from most things save the FBI and other agencies :P
whuppinboy
DBB Benefactor
Posts: 725
Joined: Sun Jun 03, 2001 2:01 am

Post by whuppinboy »

thanks for the replies.

good stuff in that linky DCrazy, thanks.
MD-2389
Defender of the Night
Posts: 13477
Joined: Thu Nov 05, 1998 12:01 pm
Location: Olathe, KS

Post by MD-2389 »

Just to be on the safe side, look for a firmware update that allows you to use WPA. It's a lot more secure than WEP. (Any scriptkiddie with a few hours to kill can break WEP with ease.)
whuppinboy
DBB Benefactor
Posts: 725
Joined: Sun Jun 03, 2001 2:01 am

Post by whuppinboy »

i've purchased a linksys router (wrt54g) with WPA encryption and i must say, belkin sucks!

got it installed tonight and no ip spoofing messages, no bandwidth leeches and from this website:
http://www.grc.com/default.htm

using the "shields up" testing, i am fully stealthed out!

:lol: 8) :D