Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 17 Aug 2007 16:31:28 -0600
From:      Miguel <mmiranda@123.com.sv>
To:        freebsd-questions@freebsd.org
Subject:   detect ip spoofing attack
Message-ID:  <46C621C0.40008@123.com.sv>

next in thread | raw e-mail | index | archive | help
Hi, i tink im suffering an ip (or mac, im not sure) spoofing attack, my 
internet link is at 90% and mostly outgoing traffic, im using pf (for 
nat), so i run pftop and i see a lot of connections  from one specific 
ip address (192.168.206.68), but this address is not assigned to any pc, 
and it doesnt respond ping either, nmap doesnt report any open port .
I see the translations and stablished traffic in pftop and the traffic 
flow using tcpdump, how can i know what computer is causing this 
traffic, looking for the mac address in every pc should be the last 
alternative  :-(

pftop:

tcp       In  192.168.206.68:1612              
201.212.189.217:22512            ESTABLISHED:ESTABLISHED  03:42:20  
20:22:46       24     7133
tcp       Out 192.168.206.68:1612              
217.216.58.247:8472              ESTABLISHED:ESTABLISHED  01:33:52  
22:30:49      280   230542
tcp       In  192.168.206.68:1612              
217.216.58.247:8472              ESTABLISHED:ESTABLISHED  01:33:52  
22:30:49      280   230542
tcp       In  192.168.206.68:1648              
24.232.133.100:45157             ESTABLISHED:ESTABLISHED  01:33:27  
22:28:25       29     6373
tcp       Out 192.168.206.68:1648              
24.232.133.100:45157             ESTABLISHED:ESTABLISHED  01:33:27  
22:28:25       29     6373
tcp       In  192.168.206.68:1652              
200.127.48.74:21549              ESTABLISHED:ESTABLISHED  01:33:22  
22:29:49       86    47436
tcp       Out 192.168.206.68:1652              
200.127.48.74:21549              ESTABLISHED:ESTABLISHED  01:33:22  
22:29:49       86    47436
tcp       Out 192.168.206.68:1689              
217.216.58.247:8472              ESTABLISHED:ESTABLISHED  04:28:05  
19:35:30      361   308847
tcp       In  192.168.206.68:1689              
217.216.58.247:8472              ESTABLISHED:ESTABLISHED  04:28:05  
19:35:30      361   308847
tcp       In  192.168.206.68:1724              
201.235.228.59:17870             ESTABLISHED:ESTABLISHED  03:40:39  
20:21:16       29     9110
tcp       Out 192.168.206.68:1724              
201.235.228.59:17870             ESTABLISHED:ESTABLISHED  03:40:39  
20:21:16       29     9110
tcp       Out 192.168.206.68:1803              
24.232.133.100:45157             ESTABLISHED:ESTABLISHED  02:39:41  
21:22:16       29     6394
tcp       In  192.168.206.68:1803              
24.232.133.100:45157             ESTABLISHED:ESTABLISHED  02:39:41  
21:22:16       29     6394
tcp       Out 192.168.206.68:1812              
201.231.105.85:11245             ESTABLISHED:ESTABLISHED  03:39:15  
20:22:11       29     6924
tcp       In  192.168.206.68:1812              
201.231.105.85:11245             ESTABLISHED:ESTABLISHED  03:39:15  
20:22:11       29     6924
tcp       Out 192.168.206.68:1835              
217.217.200.203:17061            ESTABLISHED:ESTABLISHED  02:39:14  
21:22:12       27     5520
tcp       In  192.168.206.68:1835              
217.217.200.203:17061            ESTABLISHED:ESTABLISHED  02:39:14  
21:22:12       27     5520
.......
hundred of additional lines.....

tcpdump:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
15:57:42.084566 IP 190-48-228-10.speedy.com.ar.17965 > 
192.168.206.68.2857: . ack 596211574 win 65535
15:57:42.168104 IP 118.Red-80-39-36.staticIP.rima-tde.net.36216 > 
192.168.206.68.2834: P 1891454167:1891455619(1452) ack 2551747276 win 64309
15:57:42.178015 IP 192.168.206.68.2834 > 
118.Red-80-39-36.staticIP.rima-tde.net.36216: . ack 1468 win 17424 
<nop,nop,sack 1 {2928:5848}>
15:57:42.195437 IP 192.168.206.68.2857 > 
190-48-228-10.speedy.com.ar.17965: . 1:1461(1460) ack 0 win 17520
15:57:42.228560 IP 192.168.206.68.2857 > 
190-48-228-10.speedy.com.ar.17965: P 1461:2921(1460) ack 0 win 17520
15:57:42.245113 IP 192.168.206.68.1914 > 
84.122.171.232.dyn.user.ono.com.10397: . 2223585051:2223586503(1452) ack 
3314120697 win 17424
15:57:42.278376 IP 192.168.206.68.1914 > 
84.122.171.232.dyn.user.ono.com.10397: . 1452:2904(1452) ack 1 win 17424
15:57:42.343667 IP 192.168.206.68.1914 > 
84.122.171.232.dyn.user.ono.com.10397: P 2904:2920(16) ack 1 win 17424
15:57:42.352077 IP 192.168.206.68.2857 > 
190-48-228-10.speedy.com.ar.17965: P 2921:4381(1460) ack 0 win 17520
15:57:42.361303 IP 192.168.206.68.1914 > 
84.122.171.232.dyn.user.ono.com.10397: . 2920:4372(1452) ack 1 win 17424
15:57:42.374727 IP 192.168.206.68.1914 > 
84.122.171.232.dyn.user.ono.com.10397: P 4372:4380(8) ack 1 win 17424
15:57:42.478261 IP 84.122.171.232.dyn.user.ono.com.10397 > 
192.168.206.68.1914: . 1:1453(1452) ack 1452 win 11616
15:57:42.478275 IP 84.122.171.232.dyn.user.ono.com.10397 > 
192.168.206.68.1914: P 1453:1461(8) ack 1452 win 11616
15:57:42.481236 IP 192.168.206.68.1914 > 
84.122.171.232.dyn.user.ono.com.10397: . ack 1461 win 17424
15:57:42.482575 IP 192.168.206.68.1914 > 
84.122.171.232.dyn.user.ono.com.10397: . 4380:5832(1452) ack 1461 win 17424
15:57:42.484578 IP 192.168.206.68.1914 > 
84.122.171.232.dyn.user.ono.com.10397: . 5832:7284(1452) ack 1461 win 17424
15:57:42.484582 IP 192.168.206.68.1914 > 
84.122.171.232.dyn.user.ono.com.10397: P 7284:7300(16) ack 1461 win 17424
......
hundred of additional lines...


arp -a:

? (192.168.206.68) at 00:15:00:3d:fc:ea on fxp0 [ethernet]

ping:

proxy# ping 192.168.206.68
PING 192.168.206.68 (192.168.206.68): 56 data bytes
^C
--- 192.168.206.68 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss


nmap:

proxy# nmap -sS 192.168.206.68

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-17 16:01 CST
All 1697 scanned ports on 192.168.206.68 are filtered
MAC Address: 00:15:00:3D:FC:EA (Intel Corporate)

Nmap finished: 1 IP address (1 host up) scanned in 35.725 seconds
proxy# nmap -O 192.168.206.68

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-17 16:03 CST
Warning:  OS detection for 192.168.206.68 will be MUCH less reliable 
because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on 192.168.206.68 are filtered
MAC Address: 00:15:00:3D:FC:EA (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at 
http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 36.794 seconds

thanks
---
miguel



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46C621C0.40008>