
hardstyler

join:2013-02-17
italy

USG 100 MAC SPOOFING ATTEMPTS FROM THE ENTIRE WORLD???

Hi all!

I have a Netgear DGN2200 modem connected to the ISP, which gives a dynamic IP. The ZyXEL USG 100 is connected to the modem, and a QNAP TS-121 NAS is connected to its DMZ port; it is connected there now, before it was on the LAN 1 port with no static IP/MAC bindings.

All IPs are STATIC and all have the static MAC address, in the zyxel and also in the netgear.

Downloading torrents for less than 2 hours makes the ZyXEL show logs like this all the time:

2013-07-09 20:05:56 - IP OF THE ATTACKER 192.168.0.2 (wan1 port of the zyxel)
info ipmac-binding DROP PACKET
Drop packet wan1-IP OF THE ATTACKER-MAC address of the wan 1 port on the zyxel where is connected to the netgear.

No problem with too many logs, I chose to see them, but are MAC spoofing attacks from every country in the world really possible?

I'm downloading torrents that come from 2 or 3 countries, happy to download with a QNAP TS-121 NAS that is connected to the DMZ of the ZyXEL!!!! (also with static IP/MAC binding!)

Is it really possible??? I set static IP/MAC bindings because, after the first time it downloaded a torrent, I noticed a log that says the WAN 1 port MAC address of the ZyXEL was changed to the MAC of LAN 1 (where the NAS was connected at that moment; only after this log did I connect it to the DMZ)! An example to explain clearly:

-wan1 mac was: 11:11:11:11:11:11
-lan 1 mac was: 22:22:22:22:22:22

Then the log arrives that alerts me that the wan1 MAC was changed to 22:22:22:22:22:22, and yes, I checked where the 11:11:11:11:11:11 MAC went: to LAN 1, where the NAS was connected!!!

So, after that alert I set static IP/MAC and I have not changed the changed (by who?) wan 1 MAC and so LAN 1 MAC.

I have had that NAS for 7 days and it is correctly configured and works well! Also the ZyXEL and Netgear!

Is it a security risk to keep the MACs inverted? The ZyXEL has a range of MACs, one for every port, so without static IP/MAC bindings it could change them with no problem and it would not be a security risk, but in this case?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
3 things
1) disable IP/MAC binding, for static IP you only need DHCP reservation
2) get rid of the double NAT as already mentioned here »set a web+ftp home server with netgear dgn2200 and USG 100
3) next time you post use real logs and real MAC & IP addresses. Preferably add some packet captures to see what's really going on

That said, if you do 1) and mainly 2) you should see most of your problems going away.

hardstyler

join:2013-02-17
italy
OK, at the moment this case is not related to my previous topic, so I think at the moment I must disable only IP/MAC binding, is that correct? And by deactivating it in the ZyXEL, will the security be granted?

hardstyler

join:2013-02-17
italy

HERE ARE SOME REAL EXAMPLES, and there are too many to list the others!!!

25 2013-07-11 19:28:03 31.146.93.62 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-31.146.93.62-E0:91:F5:F9:6D:6C

24 2013-07-11 19:27:50 180.180.140.16 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-180.180.140.16-E0:91:F5:F9:6D:6C

22 2013-07-11 19:24:57 37.201.90.65 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-37.201.90.65-E0:91:F5:F9:6D:6C

29 2013-07-11 19:30:09 46.72.78.7 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-46.72.78.7-E0:91:F5:F9:6D:6C

33 2013-07-11 19:40:59 84.240.238.135 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-84.240.238.135-E0:91:F5:F9:6D:6C

34 2013-07-11 19:42:08 178.212.103.44 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-178.212.103.44-E0:91:F5:F9:6D:6C

36 2013-07-11 19:43:38 82.112.46.234 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-82.112.46.234-E0:91:F5:F9:6D:6C

What do you think?

If Germany and France could be OK for me, really not Russia, Kazakhstan (!!!!), Ukraine (!!!!), Brazil (!!!!), Georgia....etc...

But these are exceptions, so OVH is OK because I'm downloading from a hoster that has servers in France; here are some:

19 2013-07-11 21:42:51 178.33.63.163 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-178.33.63.163-E0:91:F5:F9:6D:6C [count=50]

20 2013-07-11 21:42:51 188.165.12.68 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-188.165.12.68-E0:91:F5:F9:6D:6C [count=58]

21 2013-07-11 21:42:51 188.165.12.97 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-188.165.12.97-E0:91:F5:F9:6D:6C [count=45]

22 2013-07-11 21:42:51 178.33.63.113 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-178.33.63.113-E0:91:F5:F9:6D:6C [count=40]

So for sure I need to deactivate IP/MAC BINDING, and so I must accept less security?
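
One way to triage drop entries like those posted above, as an added example that is not part of any post in this thread: group them by interface and source MAC. On a routed link, packets from remote hosts arrive carrying the MAC of the adjacent device that forwarded them, so a single MAC shared by many source IPs is one layer-2 neighbour and not many separate spoofing hosts. The function names are hypothetical, the log lines are copied from the thread, and counting an entry without `[count=N]` as one packet is an assumption.

```python
import re
from collections import defaultdict

# Log text copied from the posts above (USG "ipmac-binding" drop entries).
SAMPLE_LOG = """\
25 2013-07-11 19:28:03 31.146.93.62 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-31.146.93.62-E0:91:F5:F9:6D:6C
24 2013-07-11 19:27:50 180.180.140.16 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-180.180.140.16-E0:91:F5:F9:6D:6C
19 2013-07-11 21:42:51 178.33.63.163 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-178.33.63.163-E0:91:F5:F9:6D:6C [count=50]
20 2013-07-11 21:42:51 188.165.12.68 192.168.0.2
info ipmac-binding DROP PACKET
Drop packet wan1-188.165.12.68-E0:91:F5:F9:6D:6C [count=58]
"""

# Matches the third line of each entry: interface, source IP, source MAC,
# and the optional aggregation counter.
DROP_RE = re.compile(
    r"Drop packet (?P<iface>\w+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \[count=(?P<count>\d+)\])?"
)

def summarize_drops(log_text):
    """Group drop entries by (interface, source MAC)."""
    groups = defaultdict(lambda: {"ips": set(), "packets": 0})
    for m in DROP_RE.finditer(log_text):
        g = groups[(m["iface"], m["mac"].upper())]
        g["ips"].add(m["ip"])
        # Assumption: an entry without [count=N] stands for one packet.
        g["packets"] += int(m["count"] or 1)
    return dict(groups)

def shared_mac_groups(groups, min_ips=3):
    """Keep MACs seen with at least min_ips distinct source IPs:
    the signature of one neighbouring device forwarding routed traffic."""
    return {k: v for k, v in groups.items() if len(v["ips"]) >= min_ips}

if __name__ == "__main__":
    for (iface, mac), g in shared_mac_groups(summarize_drops(SAMPLE_LOG)).items():
        print(f"{iface} {mac}: {len(g['ips'])} source IPs, {g['packets']} packets")
```
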