 |  |  |  |  |  |  |  |
Spoof Attacks serious or ho-hum?
 |
I try to do network work for a small financial company. I reformatted everything with a circuit board after a string of 'impossible' problems - Workgroups switched to Domains overnight, Internet was half blocked on different machines, Outlook accounts switched permissions.
The whole thing was back up three weeks ago. Last week, complaints started coming back in about odd-ball Internet connections again. Fearing the worst, I ran firewall reports and logs and Keystroke reports (shame on me, but I had to know if the client was responsible).
Turns out, one office-mate keeps quietly hooking up a D-Link WAP (DI-624). The office is in a building of other, near offices. The D-Link router used for the office (DI-604) reported this sort of thing:
Jun/22/2005 DHCP lease IP 192.168.0.102 to DI-624 08-00-46-CB-E5-B7
Jun/22/2005 Target IP (255.255.255.255) Target Port (67) Packet Dropped
Jun/22/2005 Spoof IP (0.0.0.0.) Spoof Port (68)
Jun/22/2005 Spoof Attack fromd [sic] MAC (08-00-46-CB-E5-B7) Detect.
This happens +/- FIFTY more times in the next eight minutes, then all is quiet (I created this log an hour an a half later). I showed this log to the boss to illustrate that I wasn't a complete incompentent (he just knows that things should work) and I had words with the WAP/noWEP chump who invited trouble. I got a shrug from him.
It's still going to be a thankless office, but it's a financial office - Department of Homeland Security requires that such offices share events like this, heaven forbid, someone got account numbers, etc. I'm just getting the drift of packet sniffing and spoofing and all this, so my question is, based on the above, is this logged attack indicative of something mundane, or something more malicious and intentional? Was someone actually targetting the financial office when WAP/noWEP was available?
All 20 pages of that DI-604 log repeat the same thing with subtle variation; there was no even spread or pattern between spoofing/targeting Ports 68 and 67.
The whole thing was back up three weeks ago. Last week, complaints started coming back in about odd-ball Internet connections again. Fearing the worst, I ran firewall reports and logs and Keystroke reports (shame on me, but I had to know if the client was responsible).
Turns out, one office-mate keeps quietly hooking up a D-Link WAP (DI-624). The office is in a building of other, near offices. The D-Link router used for the office (DI-604) reported this sort of thing:
Jun/22/2005 DHCP lease IP 192.168.0.102 to DI-624 08-00-46-CB-E5-B7
Jun/22/2005 Target IP (255.255.255.255) Target Port (67) Packet Dropped
Jun/22/2005 Spoof IP (0.0.0.0.) Spoof Port (68)
Jun/22/2005 Spoof Attack fromd [sic] MAC (08-00-46-CB-E5-B7) Detect.
This happens +/- FIFTY more times in the next eight minutes, then all is quiet (I created this log an hour an a half later). I showed this log to the boss to illustrate that I wasn't a complete incompentent (he just knows that things should work) and I had words with the WAP/noWEP chump who invited trouble. I got a shrug from him.
It's still going to be a thankless office, but it's a financial office - Department of Homeland Security requires that such offices share events like this, heaven forbid, someone got account numbers, etc. I'm just getting the drift of packet sniffing and spoofing and all this, so my question is, based on the above, is this logged attack indicative of something mundane, or something more malicious and intentional? Was someone actually targetting the financial office when WAP/noWEP was available?
All 20 pages of that DI-604 log repeat the same thing with subtle variation; there was no even spread or pattern between spoofing/targeting Ports 68 and 67.
|
Similar Threads
- This Should be Easy for You Guys! (Linux Servers and Apache)
- Blocking Brute-Force Attacks (ASP.NET)
- Web site attacks? (Network Security)
- Firewall attacks, how many is normal? (Viruses, Spyware and other Nasties)
Other Threads in the Network Security Forum
- Previous Thread: some sort of security problem?
- Next Thread: Battle of the botnets
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Network Security Posts
- Today's Posts
- Unanswered Threads
2008 adobe advice antivirus apple banking blackhat botnet browser business china confidentiality crack crime cybercrime daniweb data database dataloss dataprotection development email emailretention encryption europe exploit facebook fail firefox flash forensic fraud gmail google government hack hacker hacking hardware hotmail identitytheft idtheft information internet iphone kaspersky koobface law linux malware mcafee mckinnon microsoft military mobile music nasa nationalsecurity network networks news obama password passwords pentagon phishing php politics privacy report research review sans satnav scam school search security skype socialnetworking software spam sqlinjection survey symantec symbian terrorism terrorist theft trends trojan twitter uk usb virus vulnerability web worm yahoo zeroday
