passedout

join:2012-11-26

IP spoofing

Hi everyone,

I wonder if any of you can help me. I've just installed a belkin 150N in my office and I keep getting dozens of entries a day in the firewall log:

Ip Spoofing from IP 10.83.40.20 to IP 204.145.91.18 dropped
Ip Spoofing from IP 10.83.40.20 to IP 67.195.186.241 dropped
Ip Spoofing from IP 10.83.40.20 to IP 98.136.48.32 dropped (1 times)
Ip Spoofing from IP 10.82.0.72 to IP 111.111.111.111 dropped (2 times)

Is it somebody trying to get into the router? The thing is, none of the IP addresses shown above are anywhere near the router's IP address, so I don't understand what they are. The traffic is definitely coming either from a different office in the building or from the internet out there, and not from my network.
Can they eventually get in? Please help.

Also in the system log of my LAN I get this strange entry now and then:

join multicast group 224.0.0.221

That's none of us here! Who is it? Any idea, anyone?

Thanks a lot in advance.

tdumaine
Premium
join:2004-03-14
Seattle, WA
Can't tell you on the first part (spoofing), but the multicast is normal.

NetRange: 224.0.0.0 - 239.255.255.255
CIDR: 224.0.0.0/4
OriginAS:
NetName: MCAST-NET
NetHandle: NET-224-0-0-0-1
Parent:
NetType: IANA Special Use
Comment: This block is reserved for special purposes.
Comment: Please see RFC 3171 for additional information.
RegDate: 1991-05-22
Updated: 2002-09-16
Ref: »whois.arin.net/rest/net/NET-224-0-0-0-1

OrgName: Internet Assigned Numbers Authority
OrgId: IANA
Address: 12025 Waterfront Drive
Address: Suite 300
City: Los Angeles
StateProv: CA
PostalCode: 90292
Country: US
RegDate:
Updated: 2012-08-31
Ref: »whois.arin.net/rest/org/IANA


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
kudos:7
Reviews:
·AT&T U-Verse
reply to passedout
The chances are that everything is fine, except that your router logs are at a paranoid level.

There is possibly somebody in your office with a laptop or mobile device that uses a 10.83.*.* ip address on their home network, and their device has not noticed that it has been moved to a different network where that address is inappropriate.

The router is dropping the packets. Nothing more is needed. There's no reason to panic.
--
AT&T Uverse; Zyxel NBG334W router (behind the 2wire gateway); openSuSE 12.2; firefox 16.0.2

passedout

join:2012-11-26
Hi tdumaine and nwrickert,

Much appreciate your reply.

Sorry tdumaine, and excuse my ignorance, but I can't make much out of your post. Are you trying to say the Join Multicast Group is a normal and innocuous activity from the main server entering my LAN? And for what reason would that be? Any idea? I thought a firewall would keep virtually everything out!

Nwrickert what you say is kinda comforting but the reason why I'm "panicking" is because the router I fitted last week only lasted 4 or 5 days and somehow in a matter of 2 days, "died out" under mysterious circumstances. Never seen anything like that and we suspect it was targeted by somebody within the network (outside my LAN of course) but within the building. Now that very router can't be reset from the outside and can't be accessed via any browser so it's practically useless.

I'm aware that all routers have been purposely built with back doors for the police to get in, but I wasn't aware that, with some effort, some of them can be "killed" that easily. That was a 2- or 3-year-old Belkin N150, by the way.
Hope I'm wrong but I can't see any other explanation for its premature "death".

Are there other precautions I can take to prevent future attacks to this newly fitted router?

Thanks again folks

HELLFIRE
Premium
join:2009-11-25
kudos:18

1 recommendation

reply to passedout
So if your internal network is not using the 10.x.x.x range, and those 10.83.x.x IP addresses are registering as coming from the Belkin's WAN interface, the spoof message makes perfect sense -- see Wiki here.

If 10.83.x.x is coming from the LAN interface, I'd say someone's on your internal network and messing around with something.

As for multicast, look here for a definition. Basically, a host on your network is looking to "join a group" for a shared stream of data. Whether it's legit or not basically needs someone versed in network operation to figure out who joined and what they are doing.

said by passedout:

Are there other precautions I can take to prevent future attacks to this newly fitted router?

- strong passwords

- do not use the default passwords

- disable unneeded services

- disable remote access if not needed

- enable logging

- if there's wireless, ensure it is using the strongest possible encryption and a strong password

- change passwords on a regular basis

- know what is plugged into your router -- it really sucks to trace out a cable and find out some jack-twat ran their own line to another unauthorized device(s) without your knowledge and borked the whole thing.

- PHYSICAL SECURITY -- if no one else is supposed to access / manage this device, lock it in a room!

My 00000010bits

Regards
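
The triage HELLFIRE describes (an RFC 1918 source is a routine bogon drop if it arrives on the WAN side, but means a local host if it arrives on the LAN side) and tdumaine's point that a 224.x.x.x group join is normal can be automated over the log lines quoted in this thread. The script below is an added example, not code from the thread or from Belkin; it parses constructed log lines modelled on the quoted entries (the 169.254.x.x line and the "(N times)" handling are assumptions about the format), classifies every address it finds with Python's standard `ipaddress` module, and prints what each class means. The 224.0.0.0/24 block it singles out is the Local Network Control Block from RFC 5771, which routers never forward; the interpretation strings are written from the defender's side and are my own wording.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample, modelled on the Belkin firewall/system log lines quoted in the thread.
# The 169.254.x.x line is added to show the APIPA case tschmidt mentions.
SAMPLE_LOG = """\
Ip Spoofing from IP 10.83.40.20 to IP 204.145.91.18 dropped
Ip Spoofing from IP 10.83.40.20 to IP 67.195.186.241 dropped
Ip Spoofing from IP 10.83.40.20 to IP 98.136.48.32 dropped (1 times)
Ip Spoofing from IP 10.82.0.72 to IP 111.111.111.111 dropped (2 times)
Ip Spoofing from IP 169.254.7.9 to IP 8.8.8.8 dropped
join multicast group 224.0.0.221
"""

# Assumed log grammar: the "(N times)" suffix is optional and defaults to one drop.
SPOOF_RE = re.compile(r"Ip Spoofing from IP (\S+) to IP (\S+) dropped(?: \((\d+) times\))?")
MCAST_RE = re.compile(r"join multicast group (\S+)")

# RFC 1918 private ranges and the RFC 5771 Local Network Control Block (224.0.0.0/24),
# whose packets are sent with TTL 1 and are never forwarded by routers.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")

# What each address class means when it shows up as the *source* of a packet
# on a small NAT router (the situation discussed in the thread).
MEANING = {
    "rfc1918": "private source; if it arrived on the WAN this is a normal bogon drop, "
               "if it arrived on the LAN find the host configured with that address",
    "apipa": "169.254/16 self-assigned address; a host that never got a DHCP lease",
    "multicast-link-local": "224.0.0.0/24 group; link-local control traffic that stays on the LAN",
    "multicast": "routable multicast group; check which host joined and why",
    "public": "globally routable source",
    "reserved": "other special-use address; should never appear as a source on the WAN",
}


def classify(addr_text):
    """Map an IPv4 address to one of the classes in MEANING."""
    addr = ipaddress.ip_address(addr_text)
    if addr.is_multicast:
        return "multicast-link-local" if addr in LOCAL_CONTROL_BLOCK else "multicast"
    if addr.is_link_local:          # checked before RFC 1918 so 169.254/16 is not mislabelled
        return "apipa"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr.is_global:
        return "public"
    return "reserved"


def parse_log(text):
    """Return ({(src, dst): drop_count}, [multicast groups joined]) for the log text."""
    drops = Counter()
    joins = []
    for line in text.splitlines():
        m = SPOOF_RE.match(line)
        if m:
            src, dst, times = m.groups()
            drops[(src, dst)] += int(times) if times else 1
            continue
        m = MCAST_RE.match(line)
        if m:
            joins.append(m.group(1))
    return drops, joins


def summarize(text):
    """Group the spoof drops by source address and classify every address seen."""
    drops, joins = parse_log(text)
    by_src = {}
    for (src, dst), n in drops.items():
        entry = by_src.setdefault(src, {"class": classify(src), "drops": 0, "dests": set()})
        entry["drops"] += n
        entry["dests"].add(dst)
    groups = {g: classify(g) for g in joins}
    return by_src, groups


if __name__ == "__main__":
    by_src, groups = summarize(SAMPLE_LOG)
    for src, info in sorted(by_src.items(), key=lambda kv: -kv[1]["drops"]):
        print(f"{src:15} {info['class']:22} {info['drops']:3} drops -> {sorted(info['dests'])}")
        print(f"{'':15} {MEANING[info['class']]}")
    for group, cls in groups.items():
        print(f"join {group}: {MEANING[cls]}")
```

The one thing the Belkin log does not record is the interface the packet arrived on, which is the fact HELLFIRE's WAN-versus-LAN distinction hinges on; a router that logs the ingress interface (or a capture on the LAN switch port) is what turns the "rfc1918" verdict above into "expected drop" or "go find that host".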

passedout

join:2012-11-26
Thanks very much for your reply HELLFIRE much appreciate it. That did clear one or two points.

Thanks again


mmainprize

join:2001-12-06
Houghton Lake, MI
Reviews:
·Charter

1 recommendation

reply to passedout
The 10.x.x.x addresses are private addresses
»en.wikipedia.org/wiki/Private_network

So they are not routable, which means they cannot be passed through NAT or routers or over the internet. So they have to be trying to connect directly to the LAN side of your router.
Check your router logs for "Login Successfully" messages.

Here is some info on Spoofing
»www.cisco.com/web/about/ac123/ac···ing.html


tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9
Reviews:
·G4 Communications
·Fairpoint Commun..
·Hollis Hosting

1 recommendation

said by mmainprize:

The 10.x.x.x addresses are private addresses ...
So they are not routable, which means they cannot be passed through NAT or routers or over the internet.

Just to nitpick a little that is not precisely correct.

RFC-1918 private IP addresses are guaranteed not to be assigned to an Internet host and can be used and reused multiple times. There is nothing that prevents them from being routed from one network to another.

NAT will cheerfully translate one set of private addresses used on the LAN to another on the WAN.

1) It is not uncommon for ISPs to use private IP addresses for some of their internal routers. In that case, since residential customers typically have a bridged rather than routed connection, the customer is on the ISP's LAN. This is a controversial practice and discouraged but not prohibited.

»tools.ietf.org/html/rfc6752

2) There are also some ISPs that give customers private IP addresses rather than public. This is not all that common in the US but occurs internationally due to the IPv4 address shortage.

3) You can prove this to yourself by putting another NAT router on your LAN. Devices behind this router will work just fine.

What should happen is that ISP routing should refuse to route these addresses, or APIPA for that matter, if they are not used internally by the ISP and occur off network (i.e. originate from the Internet).

And now back to our regularly scheduled program

/tom


mmainprize

join:2001-12-06
Houghton Lake, MI
Reviews:
·Charter
said by tschmidt:

said by mmainprize:

The 10.x.x.x addresses are private addresses ...
So they are not routable, which means they cannot be passed through NAT or routers or over the internet.

Just to nitpick a little that is not precisely correct.

/tom

I agree, I should have said not routable onto the internet.

What NAT does is change the request from the LAN (private address, not internet-routable) to the WAN (internet address, internet-routable).



NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC

1 recommendation

said by mmainprize:

That is what NAT does is change the request from the Lan (private address, non internet routeable) to the Wan (Internet Address, internet routeable)

For years I ran a NAT router which had a private IP address on the WAN port. NAT changes between IPv4 on the WAN and IPv4 on the LAN. It doesn't know private from public.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum