LuisP (asker)
IP Spoof becoming annoying.

Hello,

We have a Sonicwall firewall after our T1 router to the Internet. Lately I have been getting e-mail warnings from the firewall that say:
          10/15/2003 12:22:36.624 -IP spoof detected -  Source: 216.193.12.17, LAN-
          Destination: 216.195.152.151, WAN -

What can I do to stop these from happening, if anything can be done?
In the last 1/2 hour I have received over 100 of these; it is out of hand.

Thank you for your help.

LuisP
ASKER CERTIFIED SOLUTION
jeffkearns

This solution is only available to members.
If you have a lot of machines, turning one at a time off may not be a viable option. You can then plug in a machine and set it on the same network (eg give it address 216.193.12.18) and try to get information about the rogue machine.
* Ping it and check "arp -a" to get the MAC address. That would give you the model of network card and may be a hint to the machine.
* Run nmap OS fingerprinting on it. This will give you the operating system.
* Run a port scanner (eg nmap) on it. This will give you what services are offered.
* If any of the previous (or just a guess) says it's a Win machine, run "nbtstat -A IP" to get info on it.
* If it displays services such as telnet, ftp, smtp or web (from port map above or just test), connect to those services and see what banners you get back. This may give you the OS or machine name.
LuisP (asker)

All of our nodes are on the same LAN and Subnet, we use the private IP address of 192.168....., we are not using the IP addresses that I stated above:
10/15/2003 12:22:36.624 -IP spoof detected -  Source: 216.193.12.17, LAN-
         Destination: 216.195.152.151, WAN

Our Internet address is also on a different IP and Subnet 66.7........ So the addresses that the firewall is reporting are outside of our LAN and do not belong to our WAN IP addressing scheme.

There are no nodes between the firewall and the router.
LuisP
jeffkearns

That is the way it is SUPPOSED to be, but it may not ACTUALLY be that way. The alert message states that the source is coming from the LAN. My experience is that this alert message always turns out to be correct.

We have 30 locations, and the most common cause of this alert message is when an employee plugs a laptop in the network after it has already booted up. Before DHCP has a chance to do its magic, the SonicWALL detects an incorrect IP configuration and sends a single warning. In some cases, we have employees that have hard coded IP addresses in the network properties and the alert messages keep coming.

I encourage you to dig a little deeper and take a look at the nodes on your LAN.

Jeff
It may also be that the user has a fixed IP address, incorrectly. A third option which I've seen is that the user has configured multiple IP addresses for one adapter; assuming you have DHCP on your LAN but he also routinely connects to another LAN (e.g. home) where he uses a static IP, he may configure the network card to use both. (This only applies to Win2K and WinXP, AFAIK.)

To clarify, when I say that you should put a machine "on the same network" above, you should put it on the same network as the rogue address you're seeing, so they will be able to communicate.
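As an added example, not from anyone in this thread: a small Python script that parses alert lines in the format quoted in the question, states why each packet was flagged given the LAN prefix (a LAN-side source outside the inside prefix is the misconfigured or rogue host the replies describe), and finds sources that exceed the asker's roughly 100 alerts per half hour. The 192.168.0.0/16 prefix, the one-alert-per-line layout and the sample alerts are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample alerts in the layout quoted in the question, one alert per
# line (the firewall e-mail wrapped each alert over two lines).
ALERTS = """\
10/15/2003 12:22:36.624 -IP spoof detected -  Source: 216.193.12.17, LAN- Destination: 216.195.152.151, WAN -
10/15/2003 12:22:41.102 -IP spoof detected -  Source: 216.193.12.17, LAN- Destination: 64.233.160.5, WAN -
10/15/2003 12:40:12.330 -IP spoof detected -  Source: 192.168.1.77, WAN- Destination: 192.168.1.3, LAN -
10/15/2003 12:41:00.001 -IP spoof detected -  Source: 216.193.12.17, LAN- Destination: 216.195.152.151, WAN -
"""
LAN_PREFIXES = [ip_network("192.168.0.0/16")]  # assumed; the thread only says 192.168.x

LINE_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) -IP spoof detected -\s+"
    r"Source: (?P<src>[\d.]+), (?P<src_if>\w+)-\s*Destination: (?P<dst>[\d.]+), (?P<dst_if>\w+)")

def parse_alerts(text):
    """One dict per parseable alert line, with the timestamp as a datetime."""
    alerts = []
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%m/%d/%Y %H:%M:%S.%f")
        alerts.append(d)
    return alerts

def classify(alert, lan_prefixes=LAN_PREFIXES):
    """Why the firewall objected: a LAN-side source outside every LAN prefix is a
    misconfigured or rogue inside host; a private source on WAN is outside traffic."""
    src = ip_address(alert["src"])
    if alert["src_if"] == "LAN" and not any(src in n for n in lan_prefixes):
        return "inside host with foreign source address"
    if alert["src_if"] == "WAN" and src.is_private:
        return "private source address arriving from outside"
    return "other"

def noisy_sources(alerts, window=timedelta(minutes=30), threshold=100):
    """Sources whose alert count within any sliding window reaches the threshold."""
    times_by_src = {}
    for a in alerts:
        times_by_src.setdefault(a["src"], []).append(a["ts"])
    flagged = {}
    for src, times in times_by_src.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

Once a source is flagged, the "arp -a" step from the reply above gives the MAC address to look up in the switch or DHCP records.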
LuisP (asker)


Thank you, and sorry for the delay.

LuisP