# what is spoof attack?



## fuzz (Jan 21, 2004)

I've recently set up an 802.11g network at my new home. The unusual thing is that when I log into the router admin utility (this is a D-Link) and go to see the Status Log, I see some things I don't think I saw before, i.e.:

Jan/21/2004 12:15:53
Target IP(169.254.255.255), Target Port(137)
Packet Dropped

Jan/21/2004 12:15:53
Spoof IP(169.254.114.181), Spoof Port(60747)

Jan/21/2004 12:15:53
Spoof Attack fromd

Should I be concerned?


----------
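
An added example, not part of any post in this thread: a small Python parser for log fragments in the layout quoted above, which merges the entries that share a timestamp and classifies the logged source address. The function names are hypothetical and the sample is constructed from the excerpt; 169.254.0.0/16 is the link-local range hosts assign themselves without DHCP, and port 137 is the NetBIOS name service.

```python
import ipaddress
import re

# Constructed sample in the layout of the log excerpt quoted in the post above.
SAMPLE_LOG = """\
Jan/21/2004 12:15:53
Target IP(169.254.255.255), Target Port(137)
Packet Dropped

Jan/21/2004 12:15:53
Spoof IP(169.254.114.181), Spoof Port(60747)

Jan/21/2004 12:15:53
Spoof Attack fromd
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
FIELD = re.compile(r"(Target|Spoof) (IP|Port)\(([^)]+)\)")

def parse_events(text):
    """Merge the blank-line-separated fragments that share a timestamp."""
    events, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if TIMESTAMP.match(line):
            current = events.setdefault(line, {"time": line, "dropped": False})
        elif current is not None and line:
            for role, kind, value in FIELD.findall(line):
                current[f"{role.lower()}_{kind.lower()}"] = value
            if "Packet Dropped" in line:
                current["dropped"] = True
    return list(events.values())

def classify_source(ip_text):
    """Say where a logged source address can plausibly originate."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_link_local:   # checked first: Python also reports it as private
        return "link-local"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"

def summarize(text):
    """One (time, source class, target port, dropped) tuple per complete event."""
    return [(e["time"], classify_source(e["spoof_ip"]), int(e["target_port"]), e["dropped"])
            for e in parse_events(text) if "spoof_ip" in e and "target_port" in e]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

A "link-local" result means the address is not routable across the Internet, so the packet came from a machine on a directly attached segment.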



## kalantna (Jan 22, 2004)

I just had someone partially explain this to me. From what I understand, a "Spoof" attack is when someone out in "networkland" tries to steal a machine's IP and/or hardware address. I would think they do this so that they can perform illegal activities/hacking from a port that is not their own, hence making it more difficult to track.

Do you have your wireless connection password protected?


----------



## fuzz (Jan 22, 2004)

Yea, it's in 128 bit ... so should I not worry?


----------



## kalantna (Jan 22, 2004)

I think if you start to see problems then yes. If not then don't worry about it.


----------



## rbuenger (Jan 25, 2004)

This could also be a "simple" Idle-Scan against your router/ip.

There are lots of people out there scanning the network for holes they can use. But most of these are just stupid kids and use simple scans so that your router or IDS can determine from which IP this scan originates.

But there are some people who know a bit more about scanning and sometimes use idle-scanning. I'm not describing now how this works, but what's important for you is that they can scan your host and also use a fake sender IP so that it's impossible for you to trace him.

For a bit more security on your Mac try the Hen-Wen program. It's a great GUI with the snort IDS included. And with adodb and acid and an apache2/php webserver on your Mac you can get a wonderful NIDS with web statistics and realtime alerts to anywhere you are.


----------



## michaelsanford (Jan 26, 2004)

A spoof attack may also be someone scanning your computer from a spoofed machine. That is, someone tries to scan you, but says they are from another machine than they actually are. Many network utilities (including nmap) allow you to do this.

(The former type of spoof attack explained by kalantna is indeed a type of spoof, but I don't think a D-Link log will report that type of attack, since it's very hard to classify.)


----------



## michaelsanford (Jan 26, 2004)

PS long story short, don't be too concerned. I get the Ping of Death from some random person on the internet about every 20 minutes 

As long as your firewall is up, properly configured, and your network (D-Link router) administration configuration does NOT allow outside connections, you'll be fine.


----------



## rbuenger (Jan 26, 2004)

@michaelsanford: A scan from a spoofed machine is called an Idle-Scan or Idlehost-Scan, so you mean exactly the same thing I described.

But this kind of scan requires that the target you use to play the attacker has predictable ID numbers for the IP packets in order to recognize if the target has replied to the spoofed scan on that port.

And if I would recognize such a scan here I would investigate what this was, because in that kind of scan the target thinks that I was the attacker.

And just sending packets with a spoofed IP is useless because you never would get the answer.

More information about the Idle-Scan can be found here for those interested in the technical side:
http://www.insecure.org/nmap/idlescan.html


----------

