
Spoofing NetB: Port 137 from invalid IPs

Status
Not open for further replies.

ReddLefty

IS-IT--Management
Mar 11, 2003
964
CA
Setup: Server Windows 2000 in my LAN and another in my DMZ.

Let's call them LAN1 and DMZ1 to distinguish them.

My firewall sends me messages whenever suspicious activity is noticed, namely: Spoofing. Oddly enough, there is nothing blocked between my DMZ and my LAN. All ports are open between them.

Every 15 minutes or so, during business hours mostly (because of network activity, I'm guessing), I receive a message from my firewall stating the following:

IP spoof detected - Source:192.168.123.143, 137, DMZ - Destination:10.0.0.9, 137, LAN MAC: 00 04 9B 7E 42 3E

This looks legitimate, but the problem is that 192.168.123.143 does not exist. The MAC address is the LAN NIC for LAN1. I've only got the one machine in the DMZ (DMZ1) and it's in the range 192.168.0.x (mask: 255.255.255.0). The spoofing is on port 137, which suggests that it's a NETBIOS Name Service request, but how does a broadcast get spoofed from an address that does not exist? There are no signs of malicious activity. The Computer Browser service on DMZ1 is Disabled.

LAN1 is an Active Directory server.
DMZ1 is a member server only. (No AD). It also serves as a VPN access point which gives out 192.168.0.100 to 200 addresses.

I've tried disabling NetBios over TCP/IP on DMZ1 but no change.

I sometimes get this error when some VPN clients are online, but the spoof will come from a VPN address (192.168.0.101, for example), which makes more sense since they could be trying to browse the network.

I always get the following three IPs that the spoofs originate from: 192.168.123.143, 192.168.8.18, 192.168.1.147. This last one is in the VPN range, but there are never more than 5 people online at once, so it never makes it to .147.

Extra info: I sometimes also get reports of spoofing on port 123 (Network Time Protocol) from 192.168.8.18.

I can understand that they can be detected as malicious activity (spoofing), but it's the IPs that don't make sense.

Any clues to how these IPs are being produced?

"In space, nobody can hear you click..."
 
Small correction, 192.168.1.147 is NOT in my VPN range, so it's another unknown IP....

"In space, nobody can hear you click..."
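A way to triage these alerts instead of reading them one by one, as an added example that is not from the thread: it parses the firewall's "IP spoof detected" line format shown above and checks the source address against the address plan the poster describes (DMZ 192.168.0.0/24, VPN pool 192.168.0.100-200, LAN 10.0.0.x). The LAN mask (/24) and the alert regex are assumptions; the sample log lines are constructed from the addresses quoted in the thread.

```python
import ipaddress
import re

# Address plan as described in the thread. Assumed: the LAN is 10.0.0.0/24 (the
# post only shows 10.0.0.9) and the VPN pool is 192.168.0.100-200 inside the
# DMZ's 192.168.0.0/24.
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
DMZ_NET = ipaddress.ip_network("192.168.0.0/24")
VPN_POOL = (ipaddress.ip_address("192.168.0.100"), ipaddress.ip_address("192.168.0.200"))
SERVICES = {137: "netbios-ns", 123: "ntp"}

# Assumed alert format, modelled on the line quoted in the post.
ALERT_RE = re.compile(
    r"IP spoof detected - Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<szone>\w+)"
    r" - Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dzone>\w+)"
    r"(?: MAC: (?P<mac>(?:[0-9A-Fa-f]{2} ){5}[0-9A-Fa-f]{2}))?"
)

def classify_source(ip_text, zone):
    """Say whether a source address is plausible for the zone the firewall saw it on."""
    ip = ipaddress.ip_address(ip_text)
    if zone == "DMZ":
        if VPN_POOL[0] <= ip <= VPN_POOL[1]:
            return "vpn-client"
        if ip in DMZ_NET:
            return "dmz-host"
    elif zone == "LAN" and ip in LAN_NET:
        return "lan-host"
    return "unexpected"  # address that should not exist on that interface

def triage(line):
    """Parse one firewall alert; return None for lines that are not spoof alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["service"] = SERVICES.get(int(rec["dport"]), "other")
    rec["verdict"] = classify_source(rec["src"], rec["szone"])
    return rec

# Constructed sample: the alert quoted in the thread plus two variants it describes.
SAMPLE_LOG = [
    "IP spoof detected - Source:192.168.123.143, 137, DMZ - Destination:10.0.0.9, 137, LAN MAC: 00 04 9B 7E 42 3E",
    "IP spoof detected - Source:192.168.0.101, 137, DMZ - Destination:10.0.0.9, 137, LAN",
    "IP spoof detected - Source:192.168.8.18, 123, DMZ - Destination:10.0.0.9, 123, LAN",
]

if __name__ == "__main__":
    for rec in filter(None, map(triage, SAMPLE_LOG)):
        print(f"{rec['src']:>16} -> {rec['dst']} {rec['service']:<11} {rec['verdict']}")
```

Lines whose verdict is "vpn-client" are the expected case the poster describes; "unexpected" ones are the addresses worth capturing with a sniffer to see which host actually emits them.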
 
"Could" be a tricky hacker or someone trying to hack, they could be spoofing the IP address too......

Strange it's every 15 minutes, sounds like a service polling for something.... I think I'm as confused as you are!
 
It's not necessarily exactly every 15 minutes. It just seems to come more often during the working hours. Spoofing for the firewall may be X amount of requests within X amount of minutes, and the condition is met in about 15 minutes.

If it was a hacker, I would think that it would set off WAN to DMZ also.... but you never know...

"In space, nobody can hear you click..."
 
Yeah, I suppose you're right about the hacker thing. I will be interested to find out the fix on this one...
 
Ok, I've now confirmed that only when someone is on the VPN that this spoof seems to occur. Could it be that the IP that is being seen is the IP on the client machine?

I have a user logged in with IP 192.168.0.104 and the spoof is coming from 192.168.1.144 .. once again, 1.144 is not in my local subnet, as the mask is 255.255.255.0.

"In space, nobody can hear you click..."
 
1. Ping the address.
2. Do a trace.
3. Get a packet sniffer and watch the communication between nodes.

This process will show you exactly where the spoof is coming from. I recommend etherpeekNX for the sniffer. You can find it at wildpacket.com. After you determine the communication process, then you can apply a fix. I'm interested in what you find. Please let me know how you do. Just guessing, looks like IP sweeping.
 
Well, I already tried most of your ideas:

Ping - no answer.
Trace - no better if I can't ping :)

I can try sniffing packets, but I'm not sure it's worth all that effort. It's obviously something my firewall seems to be detecting coming from Windows, but it is not that critical, since the source is definitely the VPN client that is logged on. I was kinda hoping someone had an inside Microsoft or networking secret to share with us.. something that is not known as well.

It's almost like the NETBIOS broadcast is done on another IP for the time it needs to, then the IP is no longer necessary. A bit like a one-way broadcast. It is always the same IP during the whole session. I will watch it, because I may even be able to create a resolution table with it, since it seems to always be the same IPs that come back spoofing, depending on which IP was given to the VPN client.

I will keep the thread informed.

"In space, nobody can hear you click..."
 