Is somebody IP spoofing me? [Archive] - SpeedGuide.net Broadband Community
PDA

View Full Version : Is somebody IP spoofing me?

Zilog B
06-09-01, 01:14 AM
I have a couple computers behind a netgear rt314 router, i am using zone alarm also on all puters. I have seen some activity in my cable modem when I am not using the computers or have an programs running. When I activate the internet lock on zone alarm here is the alert that I get.

The firewall has blocked a local network broadcast to your computer (Route) from 192.168.0.1 (Route).

Time: 6/9/01 12:09:40 AM


When I check the log file I see this corresponding entry:

FWIN,2001/06/09,00:09:41 -5:00 GMT,192.168.0.1:520,192.168.0.255:520,UDP

The thing is no computer on my network has the ip of 192.168.0.255 I know this for sure. Is somebody spoofing the ip address of their computer to access my Lan????

Schlurp
ColdFusion
06-09-01, 04:23 AM
That sounds about right. Some times "hackers" will monitor the sequience of tcp/ip packets. Its really very simple. They will then attempt to act as a computer on your network. When they acomplish this they can do whatever they want. I sugest u block that ip address, and check your logs again. This guy's ip address has to be somewhere b4 he tries to get onto your network.

Hope this helps
Matt
Dakota
06-09-01, 05:48 PM
I am pretty sure that's some internal communication from your router to your computer. I'm still new to this myself, but there is constant communications between your router and I am pretty sure that one's okay.

I'm surprised that this question hasn't garnered more attention by some of the more knowledgable peoples here that I am (also) learning from... (HINT! HINT!) ;)
Stef
06-09-01, 09:20 PM
Originally posted by schlurpee
The firewall has blocked a local network broadcast to your computer (Route) from 192.168.0.1 (Route).

Time: 6/9/01 12:09:40 AM


When I check the log file I see this corresponding entry:

FWIN,2001/06/09,00:09:41 -5:00 GMT,192.168.0.1:520,192.168.0.255:520,UDP


Sounds like your router was updating its tables, searching throught private class network numbers and looking for other routers.

It first attempted to create a session with the default route. Then sent a broadcast message in order to address the entire network and look for other routes.

Of course, this could be a clever way to determine how many host are up and behind your router. Most port scanners use other methods through :D

Stef
Dakota
06-10-01, 10:11 AM
Thanks, Ken. That's what I thought was going on. ;)