From owner-freebsd-questions@FreeBSD.ORG Fri Aug 17 22:22:49 2007
Message-ID: <46C621C0.40008@123.com.sv>
Date: Fri, 17 Aug 2007 16:31:28 -0600
From: Miguel
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
To: freebsd-questions@freebsd.org
Subject: detect ip spoofing attack

Hi,

I think I'm suffering an IP (or MAC, I'm not sure) spoofing attack. My internet link is at 90% and mostly outgoing traffic. I'm using pf (for NAT), so I ran pftop and I see a lot of connections from one specific IP address (192.168.206.68), but this address is not assigned to any PC, it doesn't respond to ping either, and nmap doesn't report any open port.
I see the translations and established traffic in pftop and the traffic flow using tcpdump. How can I know what computer is causing this traffic? Looking for the MAC address on every PC should be the last alternative :-(

pftop:

tcp In  192.168.206.68:1612 201.212.189.217:22512 ESTABLISHED:ESTABLISHED 03:42:20 20:22:46 24 7133
tcp Out 192.168.206.68:1612 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 01:33:52 22:30:49 280 230542
tcp In  192.168.206.68:1612 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 01:33:52 22:30:49 280 230542
tcp In  192.168.206.68:1648 24.232.133.100:45157 ESTABLISHED:ESTABLISHED 01:33:27 22:28:25 29 6373
tcp Out 192.168.206.68:1648 24.232.133.100:45157 ESTABLISHED:ESTABLISHED 01:33:27 22:28:25 29 6373
tcp In  192.168.206.68:1652 200.127.48.74:21549 ESTABLISHED:ESTABLISHED 01:33:22 22:29:49 86 47436
tcp Out 192.168.206.68:1652 200.127.48.74:21549 ESTABLISHED:ESTABLISHED 01:33:22 22:29:49 86 47436
tcp Out 192.168.206.68:1689 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 04:28:05 19:35:30 361 308847
tcp In  192.168.206.68:1689 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 04:28:05 19:35:30 361 308847
tcp In  192.168.206.68:1724 201.235.228.59:17870 ESTABLISHED:ESTABLISHED 03:40:39 20:21:16 29 9110
tcp Out 192.168.206.68:1724 201.235.228.59:17870 ESTABLISHED:ESTABLISHED 03:40:39 20:21:16 29 9110
tcp Out 192.168.206.68:1803 24.232.133.100:45157 ESTABLISHED:ESTABLISHED 02:39:41 21:22:16 29 6394
tcp In  192.168.206.68:1803 24.232.133.100:45157 ESTABLISHED:ESTABLISHED 02:39:41 21:22:16 29 6394
tcp Out 192.168.206.68:1812 201.231.105.85:11245 ESTABLISHED:ESTABLISHED 03:39:15 20:22:11 29 6924
tcp In  192.168.206.68:1812 201.231.105.85:11245 ESTABLISHED:ESTABLISHED 03:39:15 20:22:11 29 6924
tcp Out 192.168.206.68:1835 217.217.200.203:17061 ESTABLISHED:ESTABLISHED 02:39:14 21:22:12 27 5520
tcp In  192.168.206.68:1835 217.217.200.203:17061 ESTABLISHED:ESTABLISHED 02:39:14 21:22:12 27 5520
....... hundreds of additional lines .....
tcpdump:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
15:57:42.084566 IP 190-48-228-10.speedy.com.ar.17965 > 192.168.206.68.2857: . ack 596211574 win 65535
15:57:42.168104 IP 118.Red-80-39-36.staticIP.rima-tde.net.36216 > 192.168.206.68.2834: P 1891454167:1891455619(1452) ack 2551747276 win 64309
15:57:42.178015 IP 192.168.206.68.2834 > 118.Red-80-39-36.staticIP.rima-tde.net.36216: . ack 1468 win 17424
15:57:42.195437 IP 192.168.206.68.2857 > 190-48-228-10.speedy.com.ar.17965: . 1:1461(1460) ack 0 win 17520
15:57:42.228560 IP 192.168.206.68.2857 > 190-48-228-10.speedy.com.ar.17965: P 1461:2921(1460) ack 0 win 17520
15:57:42.245113 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 2223585051:2223586503(1452) ack 3314120697 win 17424
15:57:42.278376 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 1452:2904(1452) ack 1 win 17424
15:57:42.343667 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: P 2904:2920(16) ack 1 win 17424
15:57:42.352077 IP 192.168.206.68.2857 > 190-48-228-10.speedy.com.ar.17965: P 2921:4381(1460) ack 0 win 17520
15:57:42.361303 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 2920:4372(1452) ack 1 win 17424
15:57:42.374727 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: P 4372:4380(8) ack 1 win 17424
15:57:42.478261 IP 84.122.171.232.dyn.user.ono.com.10397 > 192.168.206.68.1914: . 1:1453(1452) ack 1452 win 11616
15:57:42.478275 IP 84.122.171.232.dyn.user.ono.com.10397 > 192.168.206.68.1914: P 1453:1461(8) ack 1452 win 11616
15:57:42.481236 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . ack 1461 win 17424
15:57:42.482575 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 4380:5832(1452) ack 1461 win 17424
15:57:42.484578 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: . 5832:7284(1452) ack 1461 win 17424
15:57:42.484582 IP 192.168.206.68.1914 > 84.122.171.232.dyn.user.ono.com.10397: P 7284:7300(16) ack 1461 win 17424
...... hundreds of additional lines ...

arp -a:

? (192.168.206.68) at 00:15:00:3d:fc:ea on fxp0 [ethernet]

ping:

proxy# ping 192.168.206.68
PING 192.168.206.68 (192.168.206.68): 56 data bytes
^C
--- 192.168.206.68 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss

nmap:

proxy# nmap -sS 192.168.206.68

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-17 16:01 CST
All 1697 scanned ports on 192.168.206.68 are filtered
MAC Address: 00:15:00:3D:FC:EA (Intel Corporate)

Nmap finished: 1 IP address (1 host up) scanned in 35.725 seconds

proxy# nmap -O 192.168.206.68

Starting Nmap 4.20 ( http://insecure.org ) at 2007-08-17 16:03 CST
Warning: OS detection for 192.168.206.68 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1697 scanned ports on 192.168.206.68 are filtered
MAC Address: 00:15:00:3D:FC:EA (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 36.794 seconds

thanks
---
miguel
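As an added example (not code from Miguel's post, nor from pftop or pf), the triage step the post is working through can be scripted: take the pftop state listing, collapse the In/Out state pair that a NAT box keeps for each connection so bytes are not counted twice, total bytes and connection count per internal source address, and attach the MAC address that `arp -a` reports for it. That gives one row per internal host, busiest first, with the MAC to look up in the switch's forwarding table instead of visiting every PC. The script assumes pftop's default column order as printed above (proto, direction, source, destination, state, age, expiry, packets, bytes) and FreeBSD's `arp -a` line format; the sample lines are constructed, with the MAC taken from the post.

```python
"""Per-source traffic summary from pftop state lines joined with arp -a.
Added example; not code from the original post or from pf/pftop."""
import re
from collections import defaultdict

# Constructed sample in the column layout pftop printed in the post:
# PR DIR SRC DEST STATE AGE EXP PKTS BYTES. A pf NAT box shows each
# connection twice (an In state and an Out state) with identical counters.
PFTOP_SAMPLE = """\
tcp In  192.168.206.68:1612 201.212.189.217:22512 ESTABLISHED:ESTABLISHED 03:42:20 20:22:46 24 7133
tcp Out 192.168.206.68:1612 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 01:33:52 22:30:49 280 230542
tcp In  192.168.206.68:1612 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 01:33:52 22:30:49 280 230542
tcp Out 192.168.206.68:1689 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 04:28:05 19:35:30 361 308847
tcp In  192.168.206.68:1689 217.216.58.247:8472 ESTABLISHED:ESTABLISHED 04:28:05 19:35:30 361 308847
tcp Out 192.168.206.10:49152 10.0.0.5:443 ESTABLISHED:ESTABLISHED 00:01:00 23:59:00 10 1500
"""

# Constructed 'arp -a' output in FreeBSD format; the MAC is the one from the post.
# 192.168.206.10 deliberately has no entry, to show the "unknown MAC" case.
ARP_SAMPLE = "? (192.168.206.68) at 00:15:00:3d:fc:ea on fxp0 [ethernet]\n"

STATE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<dir>In|Out)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<age>\S+)\s+(?P<exp>\S+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s*$"
)
ARP_RE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


def parse_pftop(text):
    """Return one dict per parsable state line; header/noise lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pkts"] = int(d["pkts"])
            d["bytes"] = int(d["bytes"])
            states.append(d)
    return states


def parse_arp(text):
    """Map IPv4 address -> lowercase MAC from 'arp -a' output."""
    return {m.group("ip"): m.group("mac").lower() for m in ARP_RE.finditer(text)}


def summarize_by_source(states):
    """Collapse In/Out state pairs to one connection per (src, dst), then total
    bytes, connection count and distinct peer hosts per internal source IP."""
    per_conn = {}
    for s in states:
        key = (s["src"], s["dst"])
        # The two halves of a NAT pair carry the same counters; keep the larger
        # in case one half was sampled a moment later than the other.
        per_conn[key] = max(per_conn.get(key, 0), s["bytes"])
    summary = defaultdict(lambda: {"connections": 0, "bytes": 0, "peers": set()})
    for (src, dst), nbytes in per_conn.items():
        ip = src.rsplit(":", 1)[0]          # strip the port
        entry = summary[ip]
        entry["connections"] += 1
        entry["bytes"] += nbytes
        entry["peers"].add(dst.rsplit(":", 1)[0])
    return summary


def top_talkers(pftop_text, arp_text):
    """Rows of (ip, mac or None, connections, bytes, distinct_peers), busiest first."""
    arp = parse_arp(arp_text)
    rows = [
        (ip, arp.get(ip), e["connections"], e["bytes"], len(e["peers"]))
        for ip, e in summarize_by_source(parse_pftop(pftop_text)).items()
    ]
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


if __name__ == "__main__":
    for ip, mac, conns, nbytes, peers in top_talkers(PFTOP_SAMPLE, ARP_SAMPLE):
        print(f"{ip:16} {mac or '(no arp entry)':18} conns={conns:4} "
              f"bytes={nbytes:10} peers={peers}")
```

On a live box the same functions can be fed `pftop -b -v long -w 200` style batch output and `arp -a` directly; a source address that tops the list but has no ARP entry at all is worth a closer look, since a host that is talking must have answered ARP at some point.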