  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3027

IP SPOOFING showing up in Router/Firewall Logs...

We have a Sonicwall TZ170.  We were having problems with the unit prior to this so we had it replaced with a brand new unit.

The logs are still showing this one line and the whole router crashes once a day or once every 2 days, but the odd thing is that prior to the SonicWall we had a cheap Netgear router and never had a problem once.  This is the message we get.

12/01/2004 09:13:08.480 IP spoof dropped 192.168.0.160, 137, LAN 192.168.0.152, 137, OPT MAC address: 00.08.74.32.80.53

I read up on IP SPOOFing but what I don't get is that the IP addresses keep changing.  What causes this? Has anyone seen this before?

Our environment is static IPs on most of the clients (about 12-15), an AD server, and an Exchange server.

Any ideas?
1 Solution
 
Focusyn commented:
Is 192.168.x.x the range your network is actually using?  Port 137 is the NetBIOS port, and the MAC address is registered to Dell Computer Inc.  That makes it a little tricky since they barely manufacture anything network-wise.  My first guess is maybe it's one of the new "Dell" printers connected to the network?  Are you running a DHCP server anywhere on your network, and what is the normal range of IPs?

It sounds to me like there is a device, possibly an unauthorized one (which doesn't necessarily mean hacker), on your network in DHCP mode.  Remember there's a good chance it's not even a computer, but being as how it seems to be using DHCP and is hitting NetBIOS, it would be something that's shared by network name.  Do you perchance have any Dell network printers, perhaps a router or managed switch, or ???
Focusyn commented:
Oh and also, is there a wireless access point in use?  One type of Network device, although not actually manufactured by Dell, that is Dell brand and very common is the TrueMobile series of wireless laptop cards...
Focusyn commented:
A little further searching indicates the MAC address is probably a built-in NIC on a Dell Optiplex GX series.  I have located GX260s in my building with the same MAC address range.
CTS123 (Author) commented:
Only thing we have are Dell PCs, 3 of them GX60 slim towers.

Here's another spoof entry with a different IP

12/01/2004 09:46:36.400 IP spoof dropped 192.168.0.153, 137, LAN 192.168.0.102, 137, OPT MAC address: 00.04.75.DB.5F.7C

This machine is actually just a normal hand-built PC and I know for a fact that IP .153 is set for static.

Next I noticed that my Exchange server 192.168.0.206 came up in the log as well.

This is happening quite often in the logs and it keeps randomizing. I ran virus scans all over and nothing shows up.
Focusyn commented:
I don't think it's a virus.  I didn't realize your MAC address was changing in the log entry as well as your IP.  When you say this machine is just a hand-built etc., do you mean the MAC address in the listing you just posted is an actual PC that you've located?
CTS123 (Author) commented:
Yup, the second post I made with a different IP is RIGHT next to me. The desk next to me.  I manually assigned all my IPs so I can determine which machines are doing the "IP SPOOFING", and this machine isn't really doing anything.
Focusyn commented:
Just to be sure everything is in order here, what is the subnet mask you are using for clients?
Focusyn commented:
Did you compare the MAC address in the log though, to the MAC address of the NIC in the computer right next to you?  That's what's important here.  If there's an actual IP spoof attempt going on, the whole idea is that it's going to use an IP that exists on your network...
Focusyn commented:
Dude, never mind all that - go in your SonicWall and disable Rule 7
Focusyn commented:
Which, I believe in your model should be the "Disable Broadcast Passthru from LAN to OPT" or may also be worded "Windows Networking (NetBIOS) Broadcast Pass Through From LAN to OPT", something along those lines.  May or may not actually be rule 7 depending on your firmware, but it is on a couple of versions I was able to look at.  It defaults to pass NetBIOS stuff on 137 from the LAN to the OPT zone, which isn't supposed to happen and will get the errors you're getting.
Focusyn commented:
And FYI, the reason I asked about subnetting earlier was because improper subnetting will return the same error in SonicWall.  It's a somewhat generic message, but I found in our SonicWall docs that it's a common error, especially on your model, and is usually a LAN to OPT NetBIOS passthru thing, not an actual attack or problem, just a routing misconfiguration which is apparently enabled by default.
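As an added example (not part of the thread or SonicWall's own tooling), a small Python parser for the "IP spoof dropped" lines quoted above that separates the LAN-to-OPT NetBIOS pass-through case Focusyn describes from the one that would actually merit attention: a LAN address arriving on a non-LAN zone. The field order and the 192.168.0.0/24 subnet are assumptions taken from how the thread reads the log; the fourth sample line is constructed.

```python
import re
import ipaddress
from collections import Counter

# Field layout assumed from how the thread reads the SonicWall line:
# "<date> <time> IP spoof dropped <src_ip>, <src_port>, <src_zone> <dst_ip>, <dst_port>, <dst_zone> MAC address: <mac>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IP spoof dropped "
    r"(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_zone>\w+) "
    r"(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_zone>\w+) "
    r"MAC address: (?P<mac>[0-9A-Fa-f.]+)$"
)

# The thread's LAN: 192.168.0.x clients with a 255.255.255.0 mask (assumed as the whole LAN).
LAN_SUBNET = ipaddress.ip_network("192.168.0.0/24")
NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name / datagram / session ports

# First three lines are the ones posted in the thread; the fourth is a
# constructed line showing what a genuine spoof candidate would look like.
SAMPLE_LINES = [
    "12/01/2004 09:13:08.480 IP spoof dropped 192.168.0.160, 137, LAN 192.168.0.152, 137, OPT MAC address: 00.08.74.32.80.53",
    "12/01/2004 09:46:36.400 IP spoof dropped 192.168.0.153, 137, LAN 192.168.0.102, 137, OPT MAC address: 00.04.75.DB.5F.7C",
    "12/01/2004 10:02:14.176 IP spoof dropped 192.168.0.206, 137, LAN 192.168.0.150, 137, OPT MAC address: 00.11.09.3D.88.50",
    "12/01/2004 10:05:00.000 IP spoof dropped 192.168.0.50, 445, WAN 192.168.0.206, 445, LAN MAC address: 00.00.5E.00.53.01",  # constructed
]

def parse(line):
    """Split one 'IP spoof dropped' line into fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["src_port"], ev["dst_port"] = int(ev["src_port"]), int(ev["dst_port"])
    ev["mac"] = ev["mac"].replace(".", ":").lower()  # 00.08.74.. -> 00:08:74..
    return ev

def classify(ev, lan=LAN_SUBNET):
    """Tell the benign LAN->OPT NetBIOS case apart from a LAN address that did not come from the LAN."""
    src_on_lan = ipaddress.ip_address(ev["src_ip"]) in lan
    dst_on_lan = ipaddress.ip_address(ev["dst_ip"]) in lan
    if (ev["src_zone"] == "LAN" and ev["dst_zone"] == "OPT"
            and src_on_lan and dst_on_lan and ev["dst_port"] in NETBIOS_PORTS):
        return "netbios-passthru-misconfig"  # the thread's case: fix is the LAN->OPT pass-through rule
    if ev["src_zone"] != "LAN" and src_on_lan:
        return "possible-spoof"              # internal address claimed by a packet from another zone
    return "other"

def summarize(lines):
    """Count events per class so a flood from one misconfiguration does not hide real spoof hits."""
    return Counter(classify(ev) for ev in map(parse, lines) if ev)
```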
CTS123 (Author) commented:
Subnet is 255.255.255.0

Another one came up.

12/01/2004 10:02:14.176 IP spoof dropped 192.168.0.206, 137, LAN 192.168.0.150, 137, OPT MAC address: 00.11.09.3D.88.50

192.168.0.206 is my Exchange server and yes, the MAC address is 00.11.09.3D.88.50

The 192.168.0.206 is my Exchange server, and the second IP in that log entry is just a USER, 192.168.0.150.  I don't get it.

I am assuming this is what's causing my SonicWall to crash but I've yet to really determine this.
Focusyn commented:
Try the rule thing... Let me know.
CTS123 (Author) commented:
Windows Networking (NetBIOS) Broadcast Pass Through

From LAN to OPT is checked.
From LAN to WAN is NOT checked.

Should I uncheck LAN to OPT?

Is that what you are suggesting?

It's happening every minute in the logs.
CTS123 (Author) commented:
I turned it off and nothing is coming up now in the log. Now I just have to wait and see if it crashes again at all.
Focusyn commented:
Yes, LAN to OPT should be UNCHECKED
CTS123 (Author) commented:
Spoofing in the logs is gone, but now do you think it's possible that if this was coming up every minute or so in the log it can cause a crash?
Focusyn commented:
I don't think it can/will cause a crash, but the big issue with this is that it makes your log files tedious and almost useless (not to mention huge), and even more inconvenient is that most security-minded system administrators use the email alert function, which would of course result in you getting alert emails once or twice a minute for eternity.  Generally, it's a bad idea to transmit NetBIOS to the OPT zone anyway, since it leaves you more vulnerable to all kinds of exploits over WAN/Internet.  The only reason I know of that you would want to enable this feature is if you were using this firewall as a branch office gateway on a non-public hard-wired WAN so that you could use NetBIOS across multiple physical locations.
Focusyn commented:
Actually, regarding crash, it could be overloading your log file and crashing due to timeout in the write to log operation.
Focusyn commented:
Come to think of it, the transmitting to OPT results in the firewall attempting to re-assign WAN IP addresses to the packet headers, and I think that if you have not configured elsewhere in the system how to go about doing that (by configuring other network & routing options which you are not using), it kind of 'guesses' on the IP addresses, and it looks like, from everything I've read, that the firewall is pulling LAN addresses and attempting to insert addresses in the range as WAN addresses in the packet headers.  At that point, I think you're going to end up with two problems:

1) I think it's assigning packets from one machine the actual IP address of other legit LAN machines thinking they are available WAN addresses for some reason - this is going to cause collision, registry confusion etc (and actually IS an IP spoof, just it's the SonicWall doing it) with data packets on your LAN (which can result in a confusion/overload crash)

2) It's seeing those addresses unavailable and trying other addresses in the subnet and node range, which may, when reflected back off the firewall, register as another workstation and get in to a scenario where you've exceeded your user license limit.  Basically, using OPT on LAN causes a bunch of IP confusion, and causes packets to come through from two different machines with same IP but different MAC in the header, which of course is what an IP Spoof actually does, and also, it is eventually going to confuse the heck out of your firewall and probably cause kernel panic!
litomd commented:
Just an idea: disable and remove any network bridge or shared connection you may have (especially on Windows XP machines). Sometimes users create bridges accidentally or Windows XP can create them automatically. Users may also share internet connections and that generates NAT configurations. In both cases you will end up with packets with a MAC not corresponding to the IP address.