Topic: Router Log - IP Spoofing

[DJ]

Hi All,

I have a wireless internet setup and every night my lovely Netgear DG824M wireless modem and router sends me a log by email.  Usually they are something like...

Sun, 2003-12-07 19:19:01 - UDP packet dropped - Source:xxx.xxx.xx.xxx
,1030 WAN - Destination:xx.xxx.xxx.xx.xxx LAN - [Inbound Default rule match]

replicated over and over again.

(Where xx are ip addresses)

But tonight i got an alert that looks like this:

2003-12-08 22:30:31 - IP Spoofing - Source:xxx.xxx.xxx.xxx
,0,LAN - Destination:xxx.xxx.xxx.xxx,0,WAN

What does 'IP Spoofing' mean, are there an actions I should take and what can I do to prevent it.  

Whilst I'm on about these netgear logs - are there any programs available to analyse them - usually I just put them in an email folder - but it would be handy if I knew what they mean  

Thanks all again,

DJ

[TR]

IP spoofing is a method of attacking a network in order to gain unauthorized access.

But dont ask me how to stop it...

A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

[Adept]

I wouldn't worry about it too much DJ. The log file comes from the Netgear's built-in firewall. It is telling you that it has detected a particular form of attack and blocked it.

Have a look at http://www.securityfocus.com/infocus/1674 for a (slightly technical) explanation of IP Spoofing

[DJ]

Ok - Thanks all.

I won't worry about it then - glad the firewalls doing its job.

DJ

[DJ]

Still getting these IP Spoofing messages nearly every day now - all with the same IP address.

If I add the IP address to my banned list on my router - would it have any bad effects? Also would I add it to the outbound or inbound list?

Thanks
 
DJ

[Adept]

If I add the IP address to my banned list on my router - would it have any bad effects? Also would I add it to the outbound or inbound list?

Only if you need to connect to something which happens to be on that IP address. Is it the same address every time DJ or a range? If is one IP, I would complain about it to your ISP's abuse department.

[DJ]

Adept :adept:

Yes it's the same IP address every time the alert looks like the following:

Code: [Select]

<br />2003-12-08 22:30:31 - IP Spoofing - Source:<br />xxx.xxx.xxx.xxx,0,LAN - Destination:yyy.yyy.yyy.yyy,0,WAN<br />

the xxx & yyy are the ip address which are always the same.

I think an email to my ISP is in order - I'll do that today.

Ta  

DJ

[Adept]

Adept :adept:

Yes it's the same IP address every time

PM me the IP address would you? I'll do some "research"

[DJ]

I emailed my ISP and got the following response...

Dear customer - 169.x is an address which is assigned by windows to the local machine if it cannot detect a hdcp assigned address properly and so you would in effect be banning your own machine. Thanks.

I didn't realise this about 169.xxx  

Still don't know why its happening though - adept you have a PM  

DJ

[Adept]

Yes, they are right DJ

The 169.254.xxx.xxx address range is a local one that Windows XP uses when it cannot get a "proper" address using DHCP. So the IP spoofing is coming from your own PC

I know it's annoying, but I wouldn't worry about it

[DJ]

Oh well - nevermind.

Just off to do 100 lines.

I must stop spoofing myself
I must stop spoofing myself
I must stop spoofing myself

     

Thanks again :adept:

DJ

[Adept]

I must stop spoofing myself

If you don't you'll go blind   :waving:

[DJ]

Hi again Adept :waving:

Been getting these Spoofing alerts now coming from 239.254.xxx.xxx

Am I still ok to ignore these or is there something dodgy going on?  

DJ

[Adept]

Been getting these Spoofing alerts now coming from 239.254.xxx.xxx

Hi DJ :waving: back at you

I'm sure it's OK for you to ignore these - they are an indication that your router is doing its job properly

[DJ]

Cheers Adept.

Just thought I'd make sure.

DJ  


edit - cos eye kant spel.