From: Chuck Swiger <cswiger@mac.com>
Date: Fri, 17 Aug 2007 15:36:30 -0700
To: Miguel
Cc: freebsd-questions@freebsd.org
Subject: Re: detect ip spoofing attack
In-Reply-To: <46C621C0.40008@123.com.sv>
Message-Id: <7DD6F300-083D-412F-96F9-A3685711DBE3@mac.com>

On Aug 17, 2007, at 3:31 PM, Miguel wrote:

> Hi, I think I'm suffering an IP (or MAC, I'm not sure) spoofing
> attack. My internet link is at 90% and mostly outgoing traffic. I'm
> using pf (for NAT), so I ran pftop and I see a lot of connections
> from one specific IP address (192.168.206.68), but this address is
> not assigned to any PC, and it doesn't respond to ping either; nmap
> doesn't report any open port. I see the translations and
> established traffic in pftop and the traffic flow using tcpdump. How
> can I know what computer is causing this traffic? Looking for the
> MAC address on every PC should be the last alternative :-(

Do you have a wireless base station anywhere? Someone could be borrowing your bandwidth; otherwise, you've probably got a laptop or some hacked machine lying around, which appears to have an Intel NIC in it. :-)

You could try firewalling off all traffic from IP 192.168.206.68 and see whether anyone complains. You could also try looking at switch statistics to locate which port the traffic is coming from, or run tcpdump on the IP and pull cables until you localize the machine.

--
-Chuck
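The two suggestions in the reply above (block the address in pf, and use tcpdump to tie the IP to a physical machine) as a worked example. This is added code, not something posted in the thread: the capture lines are constructed to look like `tcpdump -e -n` output, the MAC addresses and the interface name `em0` are placeholders, and `pf_block_rule`/`macs_for_ip` are helper names chosen here. The useful step beyond the e-mail is that tcpdump with `-e` prints the Ethernet source address, so counting source MACs per IP tells you which NIC is really emitting the traffic even when the IP itself answers nothing; the first three octets of that MAC (the OUI) are what identify the NIC vendor.

```shell
#!/bin/sh
# Added example for the pf/tcpdump triage described in the thread.

# Suggestion 1: drop the host's traffic and see who complains.
# Put the rule on the *internal* interface: pf applies NAT before
# filtering, so on the external interface the source would already be
# rewritten to the gateway's public address and never match.
# Usage: pf_block_rule 192.168.206.68 em0 >> /etc/pf.conf && pfctl -f /etc/pf.conf
# Hits show up with: tcpdump -n -e -ttt -i pflog0
pf_block_rule() {
    printf 'block drop log quick on %s from %s to any\n' "$2" "$1"
}

# Suggestion 2: tie the IP to a NIC. Reads tcpdump -e -n output on stdin
# and prints "<source MAC> <packet count>" for frames whose IP source is $1.
# Live use: tcpdump -l -e -n -i em0 host 192.168.206.68 | macs_for_ip 192.168.206.68
macs_for_ip() {
    awk -v ip="$1" '
        {
            # With -e the line reads:
            #   <time> <srcmac> > <dstmac>, ethertype IPv4 (0x0800), length N: <src> > <dst>: ...
            # so $2 is the source MAC and the IP source follows "length N:".
            src = ""
            for (i = 5; i <= NF; i++) if ($i == "length") { src = $(i + 2); break }
            # TCP/UDP sources carry a trailing .port (5 dotted parts); ICMP does not.
            if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
            if (src == ip) count[$2]++
        }
        END { for (m in count) printf "%s %d\n", m, count[m] }
    ' | sort -k2 -nr
}

# Constructed sample capture (not real data); MACs are placeholders.
sample_capture() {
    cat <<'EOF'
15:31:02.100001 00:1b:21:0a:0b:0c > 00:0d:b9:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.206.68.49152 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
15:31:02.100002 00:1b:21:0a:0b:0c > 00:0d:b9:11:22:33, ethertype IPv4 (0x0800), length 1514: 192.168.206.68.49152 > 203.0.113.5.80: Flags [.], seq 1:1461, ack 1, win 65535, length 1460
15:31:02.100003 00:0d:b9:11:22:33 > 00:1b:21:0a:0b:0c, ethertype IPv4 (0x0800), length 66: 203.0.113.5.80 > 192.168.206.68.49152: Flags [.], ack 1461, win 65535, length 0
15:31:02.100004 00:1b:21:0a:0b:0c > 00:0d:b9:11:22:33, ethertype IPv4 (0x0800), length 98: 192.168.206.68 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64
15:31:02.100005 00:50:56:aa:bb:cc > 00:0d:b9:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.206.10.51000 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
15:31:02.100006 00:0d:b9:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.206.68 tell 192.168.206.1, length 28
EOF
}

# Stand-alone run: which NIC is sending as 192.168.206.68 in the sample?
sample_capture | macs_for_ip 192.168.206.68
```

Once you have the MAC, `arp -an` on the gateway and the switch's MAC address table (or, failing that, pulling cables as the reply suggests) locate the port; if the MAC keeps changing while the IP stays the same, you are looking at several machines or a deliberately randomized sender rather than one stray laptop.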