[anneaceae]

I found this in my D-Link wireless router log :

"Spoof Attack fromd MAC(00-08-74-E5-7A-39) Detect,

Target IP(206.46.xxx.xx), Target Port(110) Packet Dropped

Spoof IP(192.168.x.xxx), Spoof Port(2565)"

What is this all about? I don't recall ever seeing this in the log before. If it's some kind of hacker thing how do I stop it?

Fairly new to this wireless thing - so some info would be great!

thanks
anneaceae

[Advertisements]

What is this all about? I don't recall ever seeing this in the log before. If it's some kind of hacker thing how do I stop it?

Fairly new to this wireless thing - so some info would be great!

thanks
anneaceae

Hi anneaceae, welcome to Geeks to Go! Assuming the spoof attack was correctly identified by your D-Link (not alot to be gained by trying to get at port 110 via spoofing other than an attempt to get your email...even if sucessful, one would have to crack a username/password here to continue so it's possible that your D-Link has misidentifed the event), here is the Readers Digest condensed version: the 192.168.x.xxx address that you noticed is one of a small set of IP addys that are reserved for private internal use and as a result are not routable on the global Internet. Bottom line: you can't use one of these IP's to get anywhere on the 'net. However, if one can pretend to be one of these IP's, it's possible to gain access to an internal network. Hence the spoofing: looking like something they're not.

Most, if not all, routers/firewalls will detect this kind of behaviour since a private IP should NEVER be coming from the outside world to your network. Your D-Link is obviously capable of detecting this kind of probe, so you have nothing to worry about.

Hope this helps!
cya, SD

[SoccerDad]

What is this all about? I don't recall ever seeing this in the log before. If it's some kind of hacker thing how do I stop it?

Fairly new to this wireless thing - so some info would be great!

thanks
anneaceae

Hi anneaceae, welcome to Geeks to Go! Assuming the spoof attack was correctly identified by your D-Link (not alot to be gained by trying to get at port 110 via spoofing other than an attempt to get your email...even if sucessful, one would have to crack a username/password here to continue so it's possible that your D-Link has misidentifed the event), here is the Readers Digest condensed version: the 192.168.x.xxx address that you noticed is one of a small set of IP addys that are reserved for private internal use and as a result are not routable on the global Internet. Bottom line: you can't use one of these IP's to get anywhere on the 'net. However, if one can pretend to be one of these IP's, it's possible to gain access to an internal network. Hence the spoofing: looking like something they're not.

Most, if not all, routers/firewalls will detect this kind of behaviour since a private IP should NEVER be coming from the outside world to your network. Your D-Link is obviously capable of detecting this kind of probe, so you have nothing to worry about.

Hope this helps!
cya, SD

[anneaceae]

One or two more questions...

You said "Assuming the spoof attack was correctly identified", what else would cause the router to log a spoofing attack?

If someone on my private network was trying to access my email, like a nosey room mate trying to master his hacking skill, would that show up in the log?

Thanks
Anneaceae

[SoccerDad]

Hi anneaceae!

Routers, firewalls, and computers are really quite good at identifying events that happen on them, and accurating recording a log if configured to do so. Sometimes however, things get misidentified. Reasons for this are beyond the scope of this thread, but here is a general example to address the concept: SPAM filtering. A well configured SPAM filtering system will nail truckloads of SPAM coming thru a mail server, or arriving in a mail box. From time to time however, some SPAM will get thru as well as some legit messages getting marked as SPAM (false positive). Same type of thing with packet/data logging.

As for your second question: no, generally not. The mail server he/she is trying to get into would have lots of logs with incorrect user/pass combos, but getting your email from an outside server (port 110 if using POP3 which most home users do) would be considered legitimate traffic by your router.

Hope this helps!
cya, SD

[anneaceae]

That clears it all up for me! (At least on this topic)

Thanks again for your help!
Anneaceae