Hi aki,

The interesting thing is that the spoofing computer appears to be in my LAN because it's accessing the firewall through the internal interface. I did a packet sniff using Wireshark on "ip.src == 10.230.0.63" and got the ethernet address, then did another scan with the expression "ethernet.src == wh.at.i.got" and I got different LAN IP addresses... do I have a botnet or what?? The ethernet address is for a 3Com device. I have 3Com switches in my LAN. But 3Com switches aren't configured with IP addresses etc... unless 3Com themselves hardwired the configurations onto the devices... Anyway, my investigations continue on Monday.

Let me know what you think.


Me.
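
The pivot described in the message above (filter on the source IP, take its Ethernet address, then list every source IP sent from that address), as an added example that is not part of the original e-mail. The /24 LAN prefix, the MAC addresses and every sample IP other than 10.230.0.63 are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source MAC, source IP) pairs as exported from a capture.
# MACs use the documentation range; only 10.230.0.63 comes from the thread.
SAMPLE = [
    ("00:00:5e:00:53:01", "10.230.0.63"),
    ("00:00:5e:00:53:01", "10.230.0.17"),
    ("00:00:5e:00:53:01", "192.0.2.44"),
    ("00:00:5e:00:53:02", "10.230.0.20"),
    ("00:00:5e:00:53:02", "10.230.0.20"),
]

LAN = ipaddress.ip_network("10.230.0.0/24")  # assumed prefix, not stated in the thread


def ips_per_mac(pairs):
    """Group the distinct source IPs seen behind each source MAC."""
    seen = defaultdict(set)
    for mac, ip in pairs:
        seen[mac.lower()].add(ipaddress.ip_address(ip))
    return seen


def classify(pairs, lan=LAN):
    """Report every MAC that sources more than one IP, split by LAN membership."""
    report = {}
    for mac, ips in ips_per_mac(pairs).items():
        if len(ips) < 2:
            continue  # one MAC, one IP: the normal case for an end host
        on_lan = [str(ip) for ip in sorted(ips) if ip in lan]
        off_lan = [str(ip) for ip in sorted(ips) if ip not in lan]
        if off_lan:
            hint = "forwards for other networks, or sends spoofed sources"
        else:
            hint = "several LAN addresses on one interface (aliases, VMs, bridge)"
        report[mac] = {"on_lan": on_lan, "off_lan": off_lan, "hint": hint}
    return report


if __name__ == "__main__":
    for mac, info in classify(SAMPLE).items():
        print(mac, info)
```

A layer-3 device forwards other hosts' packets under its own MAC, so one MAC with many source IPs often just identifies a gateway; the ARP tables on the hosts and the switch's MAC-to-port table narrow down which physical device it is.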

On 14 May 2010 20:38, aki <aki275@googlemail.com> wrote:
@Simon, in case you are wondering how I picked up the ipspoof quickly,
I ran into such a situation a few years ago and it took me some hours
to figure out what was happening, including setting up a packet
analysis. Since then, if I ever set up a network, all reserved subnets
on public wan are blocked.

@Wash, okay, point taken. :-) just wanted to let others on the list
contribute because there was a recent stage where listers were not
okay with content discussed. But I always try and catch up on mails
that need attention. Sorry did not respond to your subnet question but
others had already responded well.

On Fri, May 14, 2010 at 2:53 PM, Odhiambo Washington <odhiambo@gmail.com> wrote:

> Even from the grave, Aki, you cannot afford to miss the list for a month :)
> And you always chip in at the needed moment. Drop these politics of
> hibernating!!!