True IP spoofing or not?

11 posts in this topic

Posted

Hello

Every less than a minute or so, I am getting this in my Firewall log page:

From: 192.168.1.1 To: 224.0.0.1 attack block

IGMP src port:00000 dest pot:00000 ip spoofing

Is this really true? Is it something I should look at? My network is 192.168.100.x

Thank you


Posted

I am seeing it is a multicast address....The thing is I do not have any 192.168.1.1 on the network.


Posted

Those 224.0.0.xxx addresses are part of the Cisco IOS (router and switch operating system). It is part of the new IGMPv2 standard and is used by Linksys routers also, as they are owned by Cisco. I don't know whether other brands use it or not. I'm guessing they do as it is a standard. They are for intranetwork communication. Here is a webpage that sheds some light on how it operates:

http://www.cisco.com/en/US/tech/tk828/technologies_white_paper09186a00800a3e2b.shtml

jasper

Source. I couldn't tell you if that's true or not, though.


Posted

Source. I couldn't tell you if that's true or not, though.

The thing is, how is it coming from a 192.168.1.1 address?

Does this mean there is a 192.168.1.1 on my LAN network.....or is it possible it is from somewhere else outside my LAN?

The thing is I think it eventually blocks my router, turns off internet access, and I have to restart my router to get back internet...


Posted

The thing is, how is it coming from a 192.168.1.1 address?

Does this mean there is a 192.168.1.1 on my LAN network.....or is it possible it is from somewhere else outside my LAN?

The thing is I think it eventually blocks my router, turns off internet access, and I have to restart my router to get back internet...

192.168.1.1 is an internal IP address. If you haven't set up your network in any special way, then 192.168.1.1 would more than likely be the IP address of your router.


Posted

192.168.1.1 is an internal IP address. If you haven't set up your network in any special way, then 192.168.1.1 would more than likely be the IP address of your router.

That's the thing: My router's IP is NOT 192.168.1.1. We don't have a 192.168.1.1 in the network, as all the network is 192.168.100.x. That is what puzzles me and worries me.


Posted

That's the thing: My router's IP is NOT 192.168.1.1. We don't have a 192.168.1.1 in the network, as all the network is 192.168.100.x. That is what puzzles me and worries me.

Download and run this, http://www.nirsoft.net/utils/fastresolver.html, and see if 192.168.1.1 is alive and then read the hostname. Also try navigating to that IP in your browser and see if it brings up the router page, sometimes it will be accessible on many addresses! Don't fret mate, it's only local traffic here so (hopefully) nothing malicious (of any great concern) is happening.


Posted

Where are you seeing this?? On your machine, or on your router firewall?

As stated, it's multicast - be it outside your network or inside your network, it's quite possible there is a 192.168.1.1 device - this is a common IP for many devices.

That info given is pretty useless - if on your machine, can you sniff the traffic, and then we could hope to get the MAC address. From the MAC address we should be able to get the maker of the NIC the packet is coming from. So we would know if, say, it's Linksys or Netgear, etc.

This might give you a clue to what it's coming from if inside your network. If outside your network, it's typical internet noise - why are you logging it?

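The check suggested in the post above (sniff the traffic, read the source MAC, map it to the NIC maker), as an added example that is not part of the original thread: it parses one captured Ethernet frame and reports the sender's MAC and OUI, the IGMP message type, and whether the source IP belongs to the LAN. The frame is constructed, with a source MAC from the RFC 7042 documentation range; the /24 mask on the poster's 192.168.100.x network and the function names are assumptions.

```python
import ipaddress
import struct

# Poster's LAN is 192.168.100.x; the /24 mask is an assumption.
LAN = ipaddress.ip_network("192.168.100.0/24")
IGMP_TYPES = {0x11: "membership query", 0x12: "v1 report",
              0x16: "v2 report", 0x17: "leave group"}

def build_sample_frame():
    """Constructed sample: IGMP general query, 192.168.1.1 -> 224.0.0.1."""
    # dst MAC = multicast MAC for 224.0.0.1; src MAC = RFC 7042 documentation range
    eth = bytes.fromhex("01005e000001" "00005e005301" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 28, 0, 0, 1, 2, 0,
                     ipaddress.ip_address("192.168.1.1").packed,
                     ipaddress.ip_address("224.0.0.1").packed)
    igmp = struct.pack("!BBH4s", 0x11, 100, 0, bytes(4))  # checksums left 0
    return eth + ip + igmp

def triage(frame, lan=LAN):
    """Pull out the fields needed to identify the sender of one Ethernet frame."""
    if len(frame) < 34:
        raise ValueError("too short for Ethernet + IPv4")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not untagged IPv4 (VLAN tags are not handled)")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("bad IPv4 header")
    src = ipaddress.ip_address(frame[26:30])
    dst = ipaddress.ip_address(frame[30:34])
    payload = frame[14 + ihl:]
    igmp = None
    if frame[23] == 2 and payload:  # IP protocol 2 = IGMP
        igmp = IGMP_TYPES.get(payload[0], "unknown")
    mac = frame[6:12].hex(":")
    return {
        "src_mac": mac,
        "oui": mac[:8],  # first 3 bytes: look up in the IEEE OUI registry
        "src_ip": str(src),
        "dst_ip": str(dst),
        "dst_multicast": dst.is_multicast,
        "src_on_lan": src in lan,  # False = off-subnet source on the LAN segment
        "ttl": frame[22],
        "igmp": igmp,
    }

if __name__ == "__main__":
    for key, value in triage(build_sample_frame()).items():
        print(f"{key:14} {value}")
```
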

Posted

It just sounds like a misconfigured device is trying to send multicast data (I'd say somebody has plugged in a router or modem, 192.168.1.1 is a common default IP for these devices)


Posted

It sounds like a Bonjour kind of Device, Airprint, Wireless Printers etc. They have been driving me crazy the past few days. Trying to get a HP Wireless printer working on a Cisco Access Point! Can I hell as get it working. Logged a TAC Case with Cisco. But we see the same traffic when Multicast devices are connected to the network such as those I have listed.


Posted

It sounds like a Bonjour kind of Device, Airprint, Wireless Printers etc. They have been driving me crazy the past few days. Trying to get a HP Wireless printer working on a Cisco Access Point! Can I hell as get it working. Logged a TAC Case with Cisco. But we see the same traffic when Multicast devices are connected to the network such as those I have listed.

Hey mate what's wrong with the HP printer? Can you get a ping back?
