IP being spoofed
Posted: Sun Feb 20, 2005 9:35 am
by whuppinboy
i opened up my router log and found this:
2005/02/20 10:04:28 ** IP Spoofing ** <IP/UDP> xxx.xxx.x.x:xxxx ->> xxx.xxx.x.x:xx
i'm on a wireless network that's secured with only WEP at 128 bit encryption, i've mac filtered and there's only two connected clients (desktop and laptop). i've scanned for the ringzero trojan and the executor trojan and have come up with nothing.
google isn't much help on stopping ip spoofing and i've searched on dslreports and the H forums to no avail.
any ideas or suggestions?
Posted: Sun Feb 20, 2005 12:48 pm
by Mobius
Why do you care? Even MAC filtering alone is enough security.
Posted: Sun Feb 20, 2005 12:55 pm
by fliptw
Mobius wrote: Why do you care? Even MAC filtering alone is enough security.
You are an idiot mobius.
It's damned easy to bypass MAC filtering.
WEP is too weak, even at 128-bit. WPA is much better.
Was it spoofing an external or internal IP? I'm guessing internal.
Posted: Sun Feb 20, 2005 1:07 pm
by whuppinboy
it was spoofing my internal ip. here's what sygate is showing:
2/20/2005 1:58:12 PM
Allowed 10
Outgoing
UDP xxx.xxx.x.xxx
FF-FF-FF-FF-FF-FF<--remote MAC (i did not change the address)
138
xxx.xxx.x.xx
xx-xx-xx-xx-xx-xx <--my MAC
138
C:\WINDOWS\system32\ntoskrnl.exe
Owner my computer name
Normal 1
2/20/2005 1:57:11 PM
2/20/2005 1:57:11 PM
GUI%GUICONFIG#SRULE@NBENABLEYOU#ALLOW-UDP
i'm just wondering if i should be worried, it's causing countless logs to generate in my router log.
Posted: Sun Feb 20, 2005 1:43 pm
by Avder
If it's using an All F's MAC address, is it even possible for ARP to work with it? Correct me if I'm wrong, but isn't the all F's MAC address reserved for broadcasts?
Also, Mobius, STFU.
Posted: Sun Feb 20, 2005 3:38 pm
by whuppinboy
sorry but what's ARP? and i'm not sure what an all "F" MAC address represents.
Posted: Sun Feb 20, 2005 6:49 pm
by DCrazy
ARP is what converts IP addresses into MAC (hardware) addresses. A MAC address of FF:FF:FF:FF:FF:FF cannot exist; if a device tries to send a message to FF:FF:FF:FF:FF:FF, it gets broadcast to everyone on the network.
See http://www.geocities.com/SiliconValley/ ... k/arp.html for more info.
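Added example, not part of any post in this thread: a small Python triage helper that classifies a firewall log entry shaped like the Sygate record above by its destination MAC, destination IP and UDP port. The field names, the sample addresses and the /24 subnet are constructed assumptions, since the thread masks the real values.

```python
import ipaddress
import re

# UDP ports used by NetBIOS over TCP/IP (137 name service, 138 datagram service)
NETBIOS_UDP = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with '-' or ':' separators."""
    parts = re.split(r"[-:]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def mac_kind(text):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    mac = parse_mac(text)
    if mac == b"\xff" * 6:
        return "broadcast"
    # The lowest bit of the first octet is the group (I/G) bit.
    return "multicast" if mac[0] & 0x01 else "unicast"

def classify(entry, lan):
    """entry: dict with hypothetical keys; lan: CIDR of the local subnet."""
    net = ipaddress.ip_network(lan)
    ip = ipaddress.ip_address(entry["remote_ip"])
    l2 = mac_kind(entry["remote_mac"])
    l3_broadcast = ip in (net.broadcast_address,
                          ipaddress.ip_address("255.255.255.255"))
    service = NETBIOS_UDP.get(entry["remote_port"]) if entry["proto"] == "UDP" else None
    if l2 == "broadcast" and l3_broadcast:
        return f"LAN broadcast ({service})" if service else "LAN broadcast"
    if l2 == "broadcast":
        return "broadcast frame carrying a non-broadcast IP: inspect"
    return f"{l2} frame, not a broadcast"

# Constructed sample mirroring the shape of the log entry in the thread.
SAMPLE = {
    "proto": "UDP",
    "remote_ip": "192.168.2.255",       # constructed
    "remote_mac": "FF-FF-FF-FF-FF-FF",  # value shown in the thread
    "remote_port": 138,                 # value shown in the thread
}

if __name__ == "__main__":
    print(classify(SAMPLE, "192.168.2.0/24"))
```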
Posted: Mon Feb 21, 2005 5:22 am
by whuppinboy
damn work filter won't let me thru
will have to wait till tonight.
but if you're saying that the all "F" MAC broadcasts to everyone on the network, you're meaning my home network right? or the other wireless networks in my cul de sac?
Posted: Mon Feb 21, 2005 6:10 am
by Tricord
No, only your own network of course. Networks are not supposed to interact or you'd get all kinds of weird ★■◆● happening.
It's probably nothing. Chances are there's a bug in the router firmware that makes it think there's some spoofing going on.
With WEP and MAC security enabled, you're safe from most things save the FBI and other agencies
Posted: Mon Feb 21, 2005 5:17 pm
by whuppinboy
thanks for the replies.
good stuff in that linky Dcrazy, thanks.
Posted: Mon Feb 21, 2005 11:25 pm
by MD-2389
Just to be on the safe side, look for a firmware update that allows you to use WPA. It's a lot more secure than WEP. (Any scriptkiddie with a few hours to kill can break WEP with ease.)
Posted: Mon Feb 28, 2005 7:30 pm
by whuppinboy
i've purchased a linksys router (wrt54g) with WPA encryption and i must say, belkin sucks!
got it installed tonight and no ip spoofing messages, no bandwidth leeches and from this website:
http://www.grc.com/default.htm
using the "shields up" testing, i am fully stealthed out!