True IP spoofing or not?


10 replies to this topic

#1 pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 26 February 2013 - 12:06

Hello

Every less than a minute or so, I am getting this in my Firewall log page:

From: 192.168.1.1 To: 224.0.0.1 attack block
IGMP src port:00000 dest pot:00000 ip spoofing

Is this really true? Is it something I should look at? My network is 192.168.100.x

Thank you


#2 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 26 February 2013 - 12:11

I am seeing it is a multicast address....The thing is I do not have any 192.168.1.1 on the network.

#3 Nick H.

Nick H.

    Neowinian Senior

  • Tech Issues Solved: 14
  • Joined: 28-June 04
  • Location: Switzerland

Posted 26 February 2013 - 12:11

Those 224.0.0.xxx addresses are part of the Cisco IOS (router and switch operating system). It is part of the new IGMPv2 standard and is used by Linksys routers also, as they are owned by Cisco. I don't know whether other brands use it or not. I'm guessing they do as it is a standard. They are for intranetwork communication. Here is a webpage that sheds some light on how it operates:

http://www.cisco.com...0800a3e2b.shtml

jasper

Source. I couldn't tell you if that's true or not, though.

#4 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 26 February 2013 - 12:14

Source. I couldn't tell you if that's true or not, though.

The thing is, how is it coming from a 192.168.1.1 address?

Does this mean there is a 192.168.1.1 on my LAN network.....or is it possible it is from somewhere else outside my LAN?

The thing is I think it eventually blocks my router, turns off internet access, and I have to restart my router to get back internet...

#5 Nick H.

Nick H.

    Neowinian Senior

  • Tech Issues Solved: 14
  • Joined: 28-June 04
  • Location: Switzerland

Posted 26 February 2013 - 12:16

The thing is, how is it coming from a 192.168.1.1 address?

Does this mean there is a 192.168.1.1 on my LAN network.....or is it possible it is from somewhere else outside my LAN?

The thing is I think it eventually blocks my router, turns off internet access, and I have to restart my router to get back internet...

192.168.1.1 is an internal IP address. If you haven't set up your network in any special way, then 192.168.1.1 would more than likely be the IP address of your router.

#6 OP pes2013

pes2013

    Neowinian

  • Joined: 24-September 12

Posted 26 February 2013 - 12:19

192.168.1.1 is an internal IP address. If you haven't set up your network in any special way, then 192.168.1.1 would more than likely be the IP address of your router.

That's the thing: My router's IP is NOT 192.168.1.1. We don't have a 192.168.1.1 in the network as all the network is 192.168.100.x. That is what puzzles me and worries me.

#7 ingramator

ingramator

    Hacker

  • Joined: 04-July 12
  • OS: Windows 7/8, OSX 10.8, Linux/UNIX/BSD
  • Phone: Lumia 920, iPhone 5, GS3

Posted 26 February 2013 - 12:31

That's the thing: My router's IP is NOT 192.168.1.1. We don't have a 192.168.1.1 in the network as all the network is 192.168.100.x. That is what puzzles me and worries me.


Download and run this, http://www.nirsoft.n...stresolver.html, and see if 192.168.1.1 is alive and then read the hostname. Also try navigating to that IP in your browser and see if it brings up the router page, sometimes it will be accessible on many addresses! Don't fret mate, it's only local traffic here so (hopefully) nothing malicious (of any great concern) is happening.

#8 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 92
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 26 February 2013 - 12:40

Where are you seeing this?? On your machine, or on your router firewall?

As stated, it's multicast - be it outside your network or inside your network, it's quite possible there is a 192.168.1.1 device - this is a common IP for many devices.

That info given is pretty useless - if on your machine, can you sniff the traffic, and then we could hope to get the MAC address. From the MAC address we should be able to get the maker of the NIC the packet is coming from. So we would know if, say, it's Linksys or Netgear, etc.

This might give you a clue to what it's coming from if inside your network. If outside your network, it's typical internet noise - why are you logging it?
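
The check suggested in the post above, as an added example that is not part of the original thread: it parses one sniffed Ethernet frame, pulls out the source MAC and its OUI (the prefix to look up in the IEEE registry to find the NIC maker), and shows why a firewall on 192.168.100.x would label the packet "ip spoofing". The frame bytes and the source MAC are constructed for illustration, and the /24 mask is an assumption, since the thread only says 192.168.100.x.

```python
import ipaddress
import struct

# Assumed mask: the thread only states that the LAN is 192.168.100.x.
LOCAL_NET = ipaddress.ip_network("192.168.100.0/24")

# Constructed sample: IGMPv2 general query, 192.168.1.1 -> 224.0.0.1.
SAMPLE_FRAME = bytes.fromhex(
    "01005e000001" "020000aabbcc" "0800"   # dst MAC, src MAC (made up), IPv4
    "4500001c" "00000000" "01021836"       # ver/len, id/flags, TTL=1 proto=2
    "c0a80101" "e0000001"                  # src 192.168.1.1, dst 224.0.0.1
    "1164ee9b" "00000000"                  # IGMP type 0x11 (membership query)
)

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def multicast_mac(group):
    """IPv4 multicast to Ethernet mapping: 01:00:5e + low 23 bits of the group."""
    return bytes([0x01, 0x00, 0x5E]) + (int(group) & 0x7FFFFF).to_bytes(3, "big")

def inspect_frame(frame):
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    src = ipaddress.ip_address(ip[12:16])
    dst = ipaddress.ip_address(ip[16:20])
    return {
        "src_mac": mac_str(src_mac),
        "oui": mac_str(src_mac[:3]),       # vendor prefix for the registry lookup
        # Locally administered MACs (bit 0x02 of byte 0) carry no vendor OUI.
        "locally_administered": bool(src_mac[0] & 0x02),
        "src_ip": str(src),
        "dst_ip": str(dst),
        "ttl": ip[8],                      # TTL 1: packet is not meant to be routed
        "is_igmp": ip[9] == 2,
        # Source outside the interface subnet is what the firewall flags.
        "src_off_subnet": src not in LOCAL_NET,
        "dst_mac_matches_group": dst.is_multicast and dst_mac == multicast_mac(dst),
    }

if __name__ == "__main__":
    for key, value in inspect_frame(SAMPLE_FRAME).items():
        print(f"{key:24} {value}")
```

On a real capture the source MAC would normally carry a vendor-assigned OUI; the constructed one here is locally administered, which is the case where the maker lookup gives no answer.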

#9 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 4
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 26 February 2013 - 14:00

It just sounds like a misconfigured device is trying to send multicast data (I'd say somebody has plugged in a router or modem, 192.168.1.1 is a common default IP for these devices)

#10 +ChuckFinley

ChuckFinley

    member_id=28229

  • Joined: 14-May 03

Posted 26 February 2013 - 21:00

It sounds like a Bonjour kind of Device, Airprint, Wireless Printers etc. They have been driving me crazy the past few days. Trying to get a HP Wireless printer working on a Cisco Access Point! Can I hell as get it working. Logged a TAC Case with Cisco. But we see the same traffic when Multicast devices are connected to the network such as those I have listed.

#11 ingramator

ingramator

    Hacker

  • Joined: 04-July 12
  • OS: Windows 7/8, OSX 10.8, Linux/UNIX/BSD
  • Phone: Lumia 920, iPhone 5, GS3

Posted 27 February 2013 - 06:42

It sounds like a Bonjour kind of Device, Airprint, Wireless Printers etc. They have been driving me crazy the past few days. Trying to get a HP Wireless printer working on a Cisco Access Point! Can I hell as get it working. Logged a TAC Case with Cisco. But we see the same traffic when Multicast devices are connected to the network such as those I have listed.


Hey mate what's wrong with the HP printer? Can you get a ping back?