I try to do network work for a small financial company. I reformatted everything with a circuit board after a string of 'impossible' problems - Workgroups switched to Domains overnight, Internet was half blocked on different machines, Outlook accounts switched permissions.

The whole thing was back up three weeks ago. Last week, complaints started coming back in about odd-ball Internet connections again. Fearing the worst, I ran firewall reports and logs and Keystroke reports (shame on me, but I had to know if the client was responsible).

Turns out, one office-mate keeps quietly hooking up a D-Link WAP (DI-624). The office is in a building of other, near offices. The D-Link router used for the office (DI-604) reported this sort of thing:

Jun/22/2005 DHCP lease IP to DI-624 08-00-46-CB-E5-B7
Jun/22/2005 Target IP ( Target Port (67) Packet Dropped
Jun/22/2005 Spoof IP ( Spoof Port (68)
Jun/22/2005 Spoof Attack fromd [sic] MAC (08-00-46-CB-E5-B7) Detect.

This happens +/- FIFTY more times in the next eight minutes, then all is quiet (I created this log an hour and a half later). I showed this log to the boss to illustrate that I wasn't a complete incompetent (he just knows that things should work) and I had words with the WAP/noWEP chump who invited trouble. I got a shrug from him.

It's still going to be a thankless office, but it's a financial office - Department of Homeland Security requires that such offices share events like this, heaven forbid, someone got account numbers, etc. I'm just getting the drift of packet sniffing and spoofing and all this, so my question is, based on the above, is this logged attack indicative of something mundane, or something more malicious and intentional? Was someone actually targeting the financial office when WAP/noWEP was available?

All 20 pages of that DI-604 log repeat the same thing with subtle variation; there was no even spread or pattern between spoofing/targeting Ports 68 and 67.
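
An added example, not part of the original post and not D-Link code: a small triage script for the log excerpt above that counts spoof alerts per MAC and checks whether the router itself leased an address to that same MAC, which tells you whether the flagged source is a device already plugged into the LAN. The repeated alert lines in the sample are constructed to stand in for the repeats the post describes, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# Lines as quoted in the post, plus two constructed repeats of the alert line.
SAMPLE_LOG = """\
Jun/22/2005 DHCP lease IP to DI-624 08-00-46-CB-E5-B7
Jun/22/2005 Target IP ( Target Port (67) Packet Dropped
Jun/22/2005 Spoof IP ( Spoof Port (68)
Jun/22/2005 Spoof Attack fromd [sic] MAC (08-00-46-CB-E5-B7) Detect.
Jun/22/2005 Spoof Attack fromd MAC (08-00-46-CB-E5-B7) Detect.
Jun/22/2005 Spoof Attack fromd MAC (08-00-46-CB-E5-B7) Detect.
"""

MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
# Assumption: text may sit between "IP" and "to" (the quoted lines look cut).
LEASE_RE = re.compile(rf"DHCP lease IP.*?to (\S+) ({MAC})")
# Tolerant of the router's "fromd" typo and the poster's "[sic]" marker.
SPOOF_RE = re.compile(rf"Spoof Attack\b.*?MAC \(({MAC})\)")
PORT_RE = re.compile(r"(Target|Spoof) Port \((\d+)\)")


def triage(log_text):
    """Tally spoof alerts per MAC and tie each MAC to a DHCP lease name."""
    leases, alerts, ports = {}, Counter(), Counter()
    for line in log_text.splitlines():
        if m := LEASE_RE.search(line):
            leases[m.group(2).upper()] = m.group(1)
        if m := SPOOF_RE.search(line):
            alerts[m.group(1).upper()] += 1
        for kind, port in PORT_RE.findall(line):
            ports[(kind, int(port))] += 1
    report = [
        {
            "mac": mac,
            "alerts": count,
            # None means this router never leased to the MAC in this log.
            "leased_as": leases.get(mac),
            "on_lan_via_dhcp": mac in leases,
        }
        for mac, count in alerts.most_common()
    ]
    return report, dict(ports)


if __name__ == "__main__":
    report, ports = triage(SAMPLE_LOG)
    for row in report:
        print(row)
    print("DHCP ports seen:", ports)
```

The correlation shows where the flagged traffic originated, not why it was sent.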

13 Years
Discussion Span
Last Post by BryanA917

Did you have some info on your problem?
I've got the same...

thanks for your help


The info was that a serious problem was created by an employee 'harmlessly' dragging in a router with him to work. Without any encryption, other people in the building itself gained access to potentially sensitive information - I no longer work with that client.
