
Sonicwall & IP Spoofing problem


awardb

Technical User
Sep 2, 2002
I have two SonicWall Soho 3's installed at 2 homes in the same geographical area. Both are on the same broadband provider system. About 4 weeks ago, I started receiving email alerts from the SonicWall, from BOTH firewalls. Here is an example:
08/21/2003 15:21:56.912 - IP spoof detected - Source:172.172.31.211, LAN - Destination:172.174.244.26, WAN - MAC address: 00.20.35.83.07.22 -
It appears to me that the computer(s) on the local LAN are up to something, but I'm not sure what. On the one installation, I have 3 computers behind the SonicWall, and I have rec'd emails showing the same IP Spoofing problem coming from all three hardware MAC addresses.
I have no idea what's going on. Any suggestions?
 
Hi mate,
The first thing I would do is run Spybot (available from security.kolla.de) after updating it, on each machine at both sites. It might be that while browsing, the client PCs have picked up some nasty spyware.

Another idea is to look for peer-to-peer file sharing software. Some of it, like Kazaa media desktop (as opposed to Kazaa Lite) is full of crap and can do weird things to a network.

I also have a business client setup on the same ISP with two sonicwalls running a VPN. Every time one gets an alert (port scan, etc), the other appears to get it also. It is almost like the sonicwalls are bouncing the messages between each other.

This destination address appears to be on AOL. Perhaps they are using an AOL Client?

Good luck

Gavin
 
Thanks!

Forgot to mention that I already updated and ran Spybot S&D (though I notice that *today* they came out with new includes, and the number of files it's looking for jumped by almost a thousand; I'll have to go back over there and run it again). But anyway, nothing found on the first look a week ago. They used to have Kazaa; I removed it and replaced it with KazaaLite.

Even though they use RoadRunner, they also have AOL installed on all 3 machines. Now you have me wondering whether this could be due to the fact that I believe they updated all 3 computers to AOL 9.0, probably at about the same time this began happening...hmmmmmmm!!

 
Hi mate,

I got this idea from this post on another forum:


Perhaps AOL is the culprit?

I have found AOL to do weird things with respect of VPN Clients also. The Sonicwall VPN client appears incapable of working via AOL, whether this is because they filter IPSec or whatever I have no idea.

Gavin
 
You could well be seeing Welchia or other virus activity from outside of your network.

Many of the W32.x email worms use IP spoofing. If someone with the infection happened to have someone in your network segment's address in Outlook, Outlook Express, or an IM client, they may well "adopt" it for IP Spoofing.
 
Many thanks to thegavster and bcastner. I am actually suspecting that it's the AOL thing at this point, since both of my clients use AOL. I may have one of the households not use AOL for, say, 24 hours, and see if the IP spoof messages stop, as I suspect that they will.

 
Further info: While I have not physically made it back over to the physical location of the 2 different SonicWalls that are sending me these IP Spoof reports from the internal network, I did find this link. It pretty definitively points out that the AOL software creates a "virtual" hardware device, which has its own IP address, in AOL's range of addresses. To see what the author is talking about, expand the thread to read the whole thing. I plan on visiting each site and changing the settings on the SonicWall(s) so that they won't send me any email alerts when this occurs (as in 40-50 times a day!). Hope this helps somebody.... :))


AwardB
 
This is driving me nutty, too. We're getting lots and lots of spoof alerts from the new AOL client on users pc's. Does anyone know how to exclude the alerts or fix it?
Thanks!
Steve
[bigears]
 
Well, I just logged into my own SonicWall, and I sure don't see anywhere to turn off alerts in the log for *that* specific problem. In fact, I don't see any of the check boxes that would keep an alert from going out regarding IP Spoofing. So it is apparent to me that the SonicWall notices that this is a problem, but there is no way to change settings so that it doesn't notify you....
They need to fix this....

AwardB
 
Well, after some investigation of my site that had this problem, it turned out to be an old Mac they use occasionally to refer to old documents. No wonder I couldn't match the MAC (no pun intended) address with any of the PCs on the network!
The simplest solution will probably be to unplug the Mac from the network, but then again I might have to try and fix it....
Either way, I agree with Awardb, if anyone at Sonicwall is listening, can you have a chat with the folks from AOL and tell them their new client software sucks and it causes this spoofing problem.
Slightly OT:
We recently had a problem with a SonicWall VPN client on a notebook that was trying to connect from the USA, and it just wouldn't work. Uninstalling the AOL client and replacing it with GRIC fixed the problem. AOL were either filtering the traffic or the AOL client was playing funny buggers. The guy from SonicWall support just laughed when we suggested we were trying to use AOL and the Sonicwall VPN client....
 
Excellent thread! I have the same setup on my network, SOHO 3 with an AOL 9.0 client. I had tracked the MAC address with Advanced Administrator Tools to that PC. At first I was wondering how on earth did I get a virus such as Welchia through my Antivirus server that scans all incoming email. Regardless, I totally reinstalled the OS (format and all) and as soon as I reinstalled the AOL client, sure enough, IP spoof alerts. At first glance it appears to be a non-routable IP address. But it does resolve to an AOL owned subnet. So there you have it. AOL's client loads our alert logs with IP spoof messages and as of now, there's nothing we can do about it.
 
I just spent a few hours chasing this down today. Getting loads of IP Spoof alerts from 2 different Sonicwall machines. Totally different firmware versions.

DEFINITELY an AOL problem. Problem exactly follows each AOL 8.0 and 9.0 client as it is running on a machine (by watching the MAC). Sonicwall is getting confused because AOL uses a HUGE range of addresses within the same message. AOL's idea of a subnet is everything 172.1xx.xxx.xxx which gets the sonicwall all upset. I sent a question to Sonicwall how to fix but I don't have support any more so they told me to get lost.

For now, I just wrote an email filter to toss all IP spoof alerts with 172.1xx.xxx.xxx as the IP. Pretty lousy solution, but I don't know what else to do.
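As an added triage example (not from the thread, SonicWall or AOL), this parses the SOHO 3 alert format quoted at the top of the thread and, like the email filter described in this post, separates alerts that fit the AOL-client pattern (known LAN MAC, 172.1xx source and destination) from ones that still deserve a look; the sample log lines, the known-MAC list and the "172.1xx" test are constructed from the thread's description.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the SonicWall SOHO 3 alert line format quoted in the thread.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - IP spoof detected - "
    r"Source:(?P<src>\d+\.\d+\.\d+\.\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst>\d+\.\d+\.\d+\.\d+), (?P<dst_if>\w+) - "
    r"MAC address: (?P<mac>(?:[0-9A-Fa-f]{2}\.){5}[0-9A-Fa-f]{2}) -$"
)

@dataclass
class SpoofAlert:
    ts: str; src: str; src_if: str; dst: str; dst_if: str; mac: str

def parse_alert(line):
    """Return a SpoofAlert for an IP-spoof line, or None for anything else."""
    m = ALERT_RE.match(line.strip())
    return SpoofAlert(**m.groupdict()) if m else None

def is_aol_range(ip):
    # "172.1xx.xxx.xxx" as the post describes it: second octet 100-199.
    # Assumption: narrow this if you know the exact AOL prefixes in use.
    o = ip.split(".")
    return o[0] == "172" and 100 <= int(o[1]) <= 199

def triage(lines, known_macs):
    """Split alerts into (expected, suspicious). Expected = a MAC we own on
    the LAN side talking 172.1xx -> 172.1xx, the AOL-client signature."""
    expected, suspicious = [], []
    for a in filter(None, map(parse_alert, lines)):
        aol_like = (a.mac.lower() in known_macs and a.src_if == "LAN"
                    and is_aol_range(a.src) and is_aol_range(a.dst))
        (expected if aol_like else suspicious).append(a)
    return expected, suspicious

def count_by_mac(lines):
    """Per-MAC alert counts, to match noisy hosts against the inventory."""
    return Counter(a.mac.lower() for a in filter(None, map(parse_alert, lines)))

# Constructed sample log: first line is the one quoted in the thread.
SAMPLE_LINES = [
    "08/21/2003 15:21:56.912 - IP spoof detected - Source:172.172.31.211, LAN - Destination:172.174.244.26, WAN - MAC address: 00.20.35.83.07.22 -",
    "08/21/2003 15:22:01.004 - IP spoof detected - Source:172.150.8.9, LAN - Destination:172.168.3.4, WAN - MAC address: 00.20.35.83.07.22 -",
    "08/21/2003 15:25:10.550 - IP spoof detected - Source:10.0.0.5, LAN - Destination:172.174.244.26, WAN - MAC address: 00.20.35.83.07.22 -",
    "08/21/2003 15:26:43.120 - IP spoof detected - Source:172.130.1.1, LAN - Destination:172.174.244.26, WAN - MAC address: 00.0c.29.aa.bb.cc -",
    "08/21/2003 15:27:00.000 - Port scan detected - Source:1.2.3.4, WAN -",  # not a spoof alert
]
KNOWN_MACS = {"00.20.35.83.07.22"}  # assumed inventory: the one PC we recognise

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LINES, KNOWN_MACS)
    print(len(ok), "AOL-pattern alerts;", len(bad), "to investigate;", count_by_mac(SAMPLE_LINES))
```

Alerts from a MAC not in the inventory, or with a source outside the 172.1xx range, land in the second list so the filter silences only the AOL noise.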
 
This error is caused by the script given by the AOL client that forces either PPP or Ethernet to be used. If you look in the network settings you will see the "AOL adapters" that are the only adapters that are allowed to give a DHCP request.
 
AOL has a mega-farm of web proxies. The IP addresses egressing from your LAN are the IP of AOL's proxy server. Not really a problem other than the false report of IP spoofs.

I'm thinking of forcing all users to get rid of the AOL client and just access AOL over our Internet connection. People will probably shoot me if I take away their dear AOL client interface.

One more thing:
I've also been running into an unusual number of TCP FIN scans too. Though no quantities like the IP spoof alerts, I'm real tired of them too. I noticed the FIN scans and IP spoofs went away for a week when our two major AOL client users were out of the office - that's what made me finally chase this down.

Anybody else noticed FIN scans with the IP spoofs???

I'm getting real wary of the AOL client now.
 
The spoofing alert is just the disallowed adapters making the requests and having them denied. This is how AOL ensures its customers that they can always connect. The settings are enforced at start-up, and if you remove the AOL adapters and reboot they will be right back. I ran into this a lot with our customers going from AOL dial-up to broadband: the Ethernet devices would always get a 169... address, or they had a network bridge.
 