PC Pals Forum

Technical Help & Discussion => Broadband, Networking, PC Security, Internet & ISPs => Topic started by: DJ on December 08, 2003, 21:50

Title: Router Log - IP Spoofing
Post by: DJ on December 08, 2003, 21:50
Hi All,

I have a wireless internet setup and every night my lovely Netgear DG824M wireless modem and router sends me a log by email.  Usually they are something like...

Sun, 2003-12-07 19:19:01 - UDP packet dropped - Source:xxx.xxx.xx.xxx
,1030 WAN - Destination:xx.xxx.xxx.xx.xxx LAN - [Inbound Default rule match]

replicated over and over again.

(Where xx are ip addresses)

But tonight i got an alert that looks like this:

2003-12-08 22:30:31 - IP Spoofing - Source:xxx.xxx.xxx.xxx
,0,LAN - Destination:xxx.xxx.xxx.xxx,0,WAN

What does 'IP Spoofing' mean, are there an actions I should take and what can I do to prevent it.  ???

Whilst I'm on about these netgear logs - are there any programs available to analyse them - usually I just put them in an email folder - but it would be handy if I knew what they mean  ::)

Thanks all again,

DJ
Title: Re:Router Log - IP Spoofing
Post by: TR on December 08, 2003, 22:07
IP spoofing is a method of attacking a network in order to gain unauthorized access.

But dont ask me how to stop it... ???



Quote
A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.
Title: Re:Router Log - IP Spoofing
Post by: Adept on December 09, 2003, 07:09
I wouldn't worry about it too much DJ. The log file comes from the Netgear's built-in firewall. It is telling you that it has detected a particular form of attack and blocked it.

Have a look at http://www.securityfocus.com/infocus/1674 for a (slightly technical) explanation of IP Spoofing :)
Title: Re:Router Log - IP Spoofing
Post by: DJ on December 09, 2003, 10:13
Ok - Thanks all.

I won't worry about it then - glad the firewalls doing its job.

DJ
Title: Re:Router Log - IP Spoofing
Post by: DJ on December 27, 2003, 18:31
Still getting these IP Spoofing messages nearly every day now - all with the same IP address.

If I add the IP address to my banned list on my router - would it have any bad effects? Also would I add it to the outbound or inbound list?

Thanks
 ;D
DJ
Title: Re:Router Log - IP Spoofing
Post by: Adept on December 27, 2003, 23:10
Quote from: DJ1UK on December 27, 2003, 18:31

If I add the IP address to my banned list on my router - would it have any bad effects? Also would I add it to the outbound or inbound list?


Only if you need to connect to something which happens to be on that IP address. Is it the same address every time DJ or a range? If is one IP, I would complain about it to your ISP's abuse department.

Title: Re:Router Log - IP Spoofing
Post by: DJ on December 28, 2003, 11:59
:thanks: Adept :adept:

Yes it's the same IP address every time the alert looks like the following:

Code: [Select]
<br />2003-12-08 22:30:31 - IP Spoofing - Source:<br />xxx.xxx.xxx.xxx,0,LAN - Destination:yyy.yyy.yyy.yyy,0,WAN<br />

the xxx &amp; yyy are the ip address which are always the same.

I think an email to my ISP is in order - I'll do that today.

Ta  ;)

DJ
Title: Re:Router Log - IP Spoofing
Post by: Adept on December 28, 2003, 16:16
Quote from: DJ1UK on December 28, 2003, 11:59

:thanks: Adept :adept:

Yes it's the same IP address every time


PM me the IP address would you? I'll do some &quot;research&quot; :)

Title: Re:Router Log - IP Spoofing
Post by: DJ on December 28, 2003, 16:44
I emailed my ISP and got the following response...

Quote
Dear customer - 169.x is an address which is assigned by windows to the local machine if it cannot detect a hdcp assigned address properly and so you would in effect be banning your own machine. Thanks.


I didn't realise this about 169.xxx  ::)

Still don't know why its happening though - adept you have a PM  :P

DJ
Title: Re:Router Log - IP Spoofing
Post by: Adept on December 28, 2003, 16:57
Yes, they are right DJ :)

The 169.254.xxx.xxx address range is a local one that Windows XP uses when it cannot get a &quot;proper&quot; address using DHCP. So the IP spoofing is coming from your own PC ::)

I know it's annoying, but I wouldn't worry about it :)

Title: Re:Router Log - IP Spoofing
Post by: DJ on December 28, 2003, 17:12
:doh: Oh well - nevermind.

Just off to do 100 lines.

I must stop spoofing myself
I must stop spoofing myself
I must stop spoofing myself

 :o  ;)  :P

Thanks again :adept:

DJ
Title: Re:Router Log - IP Spoofing
Post by: Adept on December 28, 2003, 17:13
Quote from: DJ1UK on December 28, 2003, 17:12

I must stop spoofing myself


If you don't you'll go blind ;)  :hatoff: :waving:
Title: Re:Router Log - IP Spoofing
Post by: DJ on January 06, 2004, 18:30
Hi again Adept :waving:

Been getting these Spoofing alerts now coming from 239.254.xxx.xxx

Am I still ok to ignore these or is there something dodgy going on?  :-\

DJ
Title: Re:Router Log - IP Spoofing
Post by: Adept on January 06, 2004, 19:35
Quote from: DJ1UK on January 06, 2004, 18:30

Been getting these Spoofing alerts now coming from 239.254.xxx.xxx


Hi DJ :waving: back at you :)

I'm sure it's OK for you to ignore these - they are an indication that your router is doing its job properly :)

Title: Re:Router Log - IP Spoofing
Post by: DJ on January 06, 2004, 20:13
Cheers Adept. :wave: :banana:

Just thought I'd make sure.

DJ  ;)


edit - cos eye kant spel.