Rich
OK, we've got this IP Spoofing problem with only one user
in XP (fully updated and patched). The netscreen
firewall has been giving us these error messages at least
once a day...
_____________________________
Alarm Logs Reported From: ns5xp
Event Alarms:
1. 2004-01-06 9:01:25 system-alert-00008: IP Spoofing
has been detected! From 172.167.160.119/123 to
140.221.8.88/123, protocol UDP (i/f trust)
______________________________
So I put Ethereal on a computer off of a SPAN port
(mirrored to the firewall port) on our switch and captured
packets to get the MAC address. From there I used the XP
util "getmac" and queried around our network until I found
the culprit. (My boss's computer, no less!) This is the
packet log (MAC addresses removed)
_________________________________
Frame 3010 (90 bytes on wire, 90 bytes captured)
Arrival Time: Jan 6, 2004 09:01:18.689111000
Time delta from previous packet: 0.000040000 seconds
Time since reference or first frame: 415.441838000
seconds
Frame Number: 3010
Packet Length: 90 bytes
Capture Length: 90 bytes
Ethernet II, Src: <mac> Dst: <mac>
Destination: <mac> (Netscree_21:30:b0)
Source: <mac> (Intel_ef:02:81)
Type: IP (0x0800)
Internet Protocol, Src Addr: 172.167.160.119
(172.167.160.119), Dst Addr: 140.221.8.88 (140.221.8.88)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00:
Default; ECN: 0x00)
Total Length: 76
Identification: 0x129a (4762)
Flags: 0x00
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x45b3 (correct)
Source: 172.167.160.119 (172.167.160.119)
Destination: 140.221.8.88 (140.221.8.88)
User Datagram Protocol, Src Port: ntp (123), Dst Port: ntp
(123)
Network Time Protocol
__________________________
Event logs on her system show these events corresponding
to the times of the netscreen logs. (checked back 3 weeks
and they match)
____________________________
Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20158
Date: 1/2/2004
Time: 11:36:29 AM
User: N/A
Computer: JANICE-XP
Description:
The user User Name successfully established a connection
to The Internet (2) using the device IRDA25-1.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
---------------
Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20159
Date: 1/2/2004
Time: 11:37:05 AM
User: N/A
Computer: JANICE-XP
Description:
The connection to The Internet (2) made by user User Name
using device IRDA25-1 was disconnected.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
_________________________________
The problem we're having is that we don't know what the
device is (looks like infrared port, but she doesn't have
one).
So my question is... How do I fix this?!
Any help would be greatly appreciated and you would be
thought of very highly. ;-)
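One way to make the triage described in the post repeatable, as an added example that is not code from the original post: it parses the NetScreen alarm line and the Event Viewer records in the formats quoted above, checks the alarm's source address against the prefixes expected on the interface it arrived on (the test behind the firewall's "IP Spoofing" alarm), and pairs the alarm with any RemoteAccess connection (event ID 20158) that was still open when the alarm fired. The trust-zone prefix 10.0.0.0/8, the ten-minute window, and all sample log text are constructed assumptions; the post does not state the trust subnet.

```python
# Added example (not from the original post): parse the NetScreen alarm format
# quoted above, check the source against the prefixes expected on the arrival
# interface, and pair each alarm with a RemoteAccess connection (event 20158)
# still open when it fired. Trust prefix and sample text are constructed.
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: the post never states the trust-zone subnet; 10.0.0.0/8 stands in.
EXPECTED_PREFIXES = {"trust": [ipaddress.ip_network("10.0.0.0/8")]}
ALARM_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}) system-alert-00008: "
    r"IP Spoofing has been detected! From (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+), protocol (?P<proto>\w+) "
    r"\(i/f (?P<iface>\w+)\)")
EVENT_FIELD_RE = re.compile(r"^(Event ID|Date|Time|Computer):\s*(.+)$", re.M)
DEVICE_RE = re.compile(r"using (?:the )?device (\S+?)\.?(?:\s|$)")

def parse_alarm(line):
    """Fields of one spoofing alarm line, or None for any other line."""
    m = ALARM_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S")
    return fields

def is_spoofed(src, iface):
    """True when src lies outside every prefix expected on iface (the test behind
    system-alert-00008); interfaces without a policy are never flagged."""
    prefixes = EXPECTED_PREFIXES.get(iface)
    if prefixes is None:
        return False
    return not any(ipaddress.ip_address(src) in p for p in prefixes)

def parse_events(text):
    """Parse Event Viewer text blocks separated by dashed lines."""
    events = []
    for block in re.split(r"^-{3,}\s*$", text, flags=re.M):
        fields = {k: v.strip() for k, v in EVENT_FIELD_RE.findall(block)}
        if "Event ID" not in fields:
            continue
        when = datetime.strptime(f"{fields['Date']} {fields['Time']}",
                                 "%m/%d/%Y %I:%M:%S %p")
        desc = " ".join(block.partition("Description:")[2].split())
        events.append({"id": int(fields["Event ID"]), "ts": when,
                       "computer": fields["Computer"], "desc": desc})
    return events

def device_of(event):
    """RAS device name from a 20158/20159 description, or None."""
    m = DEVICE_RE.search(event["desc"])
    return m.group(1) if m else None

def correlate(alarms, events, window=timedelta(minutes=10)):
    """Pair each alarm with RemoteAccess connections (20158) opened within
    `window` before it and not yet closed (20159) when it fired."""
    findings = []
    connects = [e for e in events if e["id"] == 20158]
    disconnects = [e for e in events if e["id"] == 20159]
    for alarm in alarms:
        for conn in connects:
            if not alarm["ts"] - window <= conn["ts"] <= alarm["ts"]:
                continue
            closed = [d["ts"] for d in disconnects
                      if d["ts"] > conn["ts"] and device_of(d) == device_of(conn)]
            if closed and min(closed) < alarm["ts"]:
                continue  # link was already down when the alarm fired
            findings.append({
                "alarm_ts": alarm["ts"], "src": alarm["src"], "iface": alarm["iface"],
                "computer": conn["computer"], "device": device_of(conn),
                "connected_at": conn["ts"],
                "policy_agrees": is_spoofed(alarm["src"], alarm["iface"])})
    return findings

# Constructed sample text in the two formats quoted in the post.
SAMPLE_ALARMS = """\
1. 2004-01-06 9:01:25 system-alert-00008: IP Spoofing has been detected! \
From 172.167.160.119/123 to 140.221.8.88/123, protocol UDP (i/f trust)
"""
SAMPLE_EVENTS = """\
Event ID: 20158
Date: 1/6/2004
Time: 9:00:40 AM
Computer: JANICE-XP
Description:
The user User Name successfully established a connection
to The Internet (2) using the device IRDA25-1.
---------------
Event ID: 20159
Date: 1/6/2004
Time: 9:02:10 AM
Computer: JANICE-XP
Description:
The connection to The Internet (2) made by user User Name
using device IRDA25-1 was disconnected.
"""

def analyze(alarm_text=SAMPLE_ALARMS, event_text=SAMPLE_EVENTS):
    alarms = [a for a in map(parse_alarm, alarm_text.splitlines()) if a]
    return correlate(alarms, parse_events(event_text))
```

Run it against exported firewall and event-log text with analyze(alarm_text, event_text). A finding whose policy_agrees is true names the host whose RemoteAccess connection was up at the moment of the alarm, which is the link the post established by hand with Ethereal, getmac and the event log; a disconnect logged before the alarm suppresses the pairing, so a stale session is not blamed for a later packet.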