Date:      Fri, 17 Aug 2007 15:36:30 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        Miguel <mmiranda@123.com.sv>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: detect ip spoofing attack
Message-ID:  <7DD6F300-083D-412F-96F9-A3685711DBE3@mac.com>
In-Reply-To: <46C621C0.40008@123.com.sv>
References:  <46C621C0.40008@123.com.sv>

On Aug 17, 2007, at 3:31 PM, Miguel wrote:
> Hi, I think I'm suffering an IP (or MAC, I'm not sure) spoofing
> attack. My internet link is at 90% and mostly outgoing traffic. I'm
> using pf (for NAT), so I ran pftop and I see a lot of connections
> from one specific IP address (192.168.206.68), but this address is
> not assigned to any PC, and it doesn't respond to ping either; nmap
> doesn't report any open port. I see the translations and
> established traffic in pftop and the traffic flow using tcpdump. How
> can I know what computer is causing this traffic? Looking for the
> MAC address on every PC should be the last alternative :-(

Do you have a wireless basestation anywhere?  Someone could be
borrowing your bandwidth; otherwise, you've probably got a laptop or
some hacked machine lying around, which appears to have an Intel NIC
in it.  :-)

You could try firewalling off all traffic from IP 192.168.206.68 and
see whether anyone complains.  You could also try looking at switch
statistics to locate which port the traffic is coming from, or run
tcpdump on the IP and pull cables until you localize the machine.

-- 
-Chuck
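Chuck's tcpdump suggestion can be narrowed down before anyone starts pulling cables: the Ethernet source address of the frames (not the IP, which may be spoofed) identifies the physical host and its switch port. This is an added example, not part of the thread; it assumes the capture was taken with `tcpdump -e -n` on the inside interface (`em0` is a placeholder), and the capture lines below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Given `tcpdump -e -n` output, list the
# Ethernet source addresses that sent frames claiming the suspicious IP, with
# a frame count per MAC. The first three octets of the MAC (the OUI) name the
# NIC vendor, which helps pick the box out of an inventory.
#
# Real capture (not run here):  tcpdump -e -n -i em0 src host 192.168.206.68
# Or, with `block log quick from 192.168.206.68` in pf.conf, watch pflog0:
#                               tcpdump -e -n -i pflog0

SUSPECT_IP=192.168.206.68

# Constructed sample of tcpdump -e -n output: one MAC sends most of the
# frames as 192.168.206.68, a second MAC sends one, and one line belongs to
# a different (legitimate) IP and must be ignored.
SAMPLE_CAPTURE='15:36:30.100001 00:1b:21:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.206.68.51234 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
15:36:30.100002 00:1b:21:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.206.68.51235 > 203.0.113.9.443: Flags [S], seq 1, win 65535, length 0
15:36:30.100003 00:50:56:dd:ee:ff > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 60: 192.168.206.10.33000 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
15:36:30.100004 00:50:56:dd:ee:ff > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.206.68.40000 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0
15:36:30.100005 00:1b:21:aa:bb:cc > 00:0c:29:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.206.68.51236 > 198.51.100.7.25: Flags [S], seq 1, win 65535, length 0'

# Read capture lines on stdin; print "count mac" for frames whose IP source
# is $1, busiest MAC first.
macs_for_ip() {
    awk -v ip="$1" '
        # $2 is the source MAC, $3 is ">"; the IP source (with port appended
        # as a fifth dotted component) is the field after "length N:".
        $3 == ">" && $2 ~ /^[0-9a-f][0-9a-f]:/ {
            for (i = 4; i <= NF; i++) {
                if ($i == "length" && $(i+1) ~ /:$/) {
                    split($(i+2), a, ".")
                    src = a[1] "." a[2] "." a[3] "." a[4]
                    if (src == ip) count[$2]++
                    break
                }
            }
        }
        END { for (m in count) print count[m], m }
    ' | sort -rn
}

# Busiest MAC in the embedded sample (the host to go looking for first).
top_mac_in_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | macs_for_ip "$SUSPECT_IP" | head -n 1 | awk '{print $2}'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CAPTURE" | macs_for_ip "$SUSPECT_IP"
fi
```

Run with `--demo` to print the per-MAC counts; on a real capture, pipe `tcpdump -e -n ... | macs_for_ip 192.168.206.68` and then match the top MAC against the switch's MAC address table to find the port.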