December 10, 2003

Mystery of the Spoofing Packets

So, for a while now I've been getting e-mail like this from my Sonicwall firewall:

From:
Date: Wed Dec 10, 2003 1:50:19 PM America/New_York
To:
Subject: *** Alert from SonicWALL *** [0040100CF2DA]

12/10/2003 13:48:54.672 - IP spoof detected - Source:172.208.217.243, 138, LAN - Destination:172.208.255.255, 138, WAN - MAC address: 00.30.65.A9.15.36 -

I had always assumed that it coincided with times when I ran the AOL client on my G4 Cube.

Today I realized that it was sending messages when I wasn't using the computer.

Puzzled, I ran "netstat -W" and found these:
udp4 0 0 acd0d9f3.ipt.aol.com.netbios-dgm *.*
udp4 0 0 acd0d9f3.ipt.aol.com.netbios-ns *.*

And of course, acd0d9f3.ipt.aol.com is 172.208.217.243 according to nslookup. So, why do I have this connection running from my machine to the universe? What app has that connection?

[paris:~/Desktop/Web Downloads] rob% lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
iCal 430 rob 11u inet 0x03309a4c 0t0 TCP localhost:55578->localhost:ipp (CLOSE_WAIT)
iCal 430 rob 14u inet 0x02c737bc 0t0 TCP localhost:55557->localhost:ipp (CLOSE_WAIT)
Safari 1559 rob 14u inet 0x03321a2c 0t0 TCP localhost:57864->localhost:ipp (CLOSE_WAIT)
Safari 1559 rob 23u inet 0x033094ec 0t0 TCP localhost:57854->localhost:ipp (CLOSE_WAIT)
Safari 1559 rob 28u inet 0x033101dc 0t0 TCP paris.balboa1321.bogus:59959->216.239.37.99:http (ESTABLISHED)
Safari 1559 rob 38u inet 0x02c73a6c 0t0 TCP paris.balboa1321.bogus:59960->nurse.csi.cam.ac.uk:http (CLOSE_WAIT)
Mail 2672 rob 9u inet 0x033084cc 0t0 TCP paris.balboa1321.bogus:59396->montauk.balboa1321.bogus:imaps (ESTABLISHED)
Mail 2672 rob 12u inet 0x032c1a0c 0t0 TCP paris.balboa1321.bogus:58072->montauk.balboa1321.bogus:imaps (ESTABLISHED)
Mail 2672 rob 16u inet 0x033214cc 0t0 TCP paris.balboa1321.bogus:57884->montauk.balboa1321.bogus:imaps (CLOSE_WAIT)
Mail 2672 rob 17u inet 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
Mail 2672 rob 18u inet 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
Mail 2672 rob 19u inet 0x0331073c 0t0 TCP paris.balboa1321.bogus:59835->montauk.balboa1321.bogus:imaps (ESTABLISHED)
ssh 3648 rob 3u inet 0x0330923c 0t0 TCP paris.balboa1321.bogus:59769->montauk.balboa1321.bogus:ssh (ESTABLISHED)

I'm pretty confused at this point. I tried killing processes until I could get netstat to show that the AOL netbios ports were gone. They seemed to go away when I killed nmbd. I thought that maybe somehow they were being created when I ran an AOL client, like AOL itself or an AIM client like iChat, but I just tried that and the connections were not recreated.

Mysterious...

Posted by rob at December 10, 2003 02:58 PM
Comments

OK, it seems like there are some cases when AOL dies but leaves pppd running. If pppd is running, you see an interface with "ifconfig" and you can see nmbd listening on ports when you do "netstat -W | grep aol".

The simplest thing to do is to find the offending pppd connections and "sudo kill -TERM pids".

Posted by: rob at December 21, 2003 02:05 PM
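An added example, not part of rob's post or his comment: a small shell triage script that puts the pieces above together. The alert names a source address that arrived on the firewall's LAN side but belongs to the AOL PPP link (the same 172.208.217.243 that netstat showed bound to netbios-dgm and netbios-ns), so the first check is whether the "spoofed" source is actually one of this machine's own interface addresses. If it is, the useful next questions are which sockets are bound to it and whether a leftover pppd is keeping the interface up, which is what the comment describes. The function names are hypothetical, and the ifconfig, netstat and ps text is constructed sample data (in numeric "netstat -an" form rather than the resolved names shown in the post) so that it runs offline.

```shell
#!/bin/sh
# Added triage helper, not code from the original post. Given a SonicWALL
# "IP spoof detected" line, decide whether the flagged source address is an
# outside host or one of this machine's own interface addresses, list the UDP
# sockets bound to it, and build (but do not run) the kill command for any
# leftover pppd. Function names are hypothetical; all sample text below is
# constructed and uses numeric "netstat -an" form rather than resolved names.

# Constructed: the alert line as it appeared in the firewall e-mail.
ALERT='12/10/2003 13:48:54.672 - IP spoof detected - Source:172.208.217.243, 138, LAN - Destination:172.208.255.255, 138, WAN - MAC address: 00.30.65.A9.15.36 -'

# Constructed: ifconfig output with a stale AOL PPP link still up.
IFCONFIG='en0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.10 netmask 0xffffff00 broadcast 192.168.1.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
    inet 172.208.217.243 --> 172.208.0.1 netmask 0xff000000'

# Constructed: UDP lines from "netstat -an" (BSD joins address and port with a dot).
NETSTAT='udp4 0 0 172.208.217.243.138 *.*
udp4 0 0 172.208.217.243.137 *.*
udp4 0 0 192.168.1.10.138 *.*'

# Constructed: "ps -axo pid,command" output with a leftover pppd.
PS='  PID COMMAND
    1 /sbin/launchd
 4012 /usr/sbin/pppd
 4388 /usr/sbin/nmbd'

# alert_source ALERT_LINE: print the Source: address of a SonicWALL spoof alert.
alert_source() {
    printf '%s\n' "$1" | sed -n 's/.*Source:\([0-9.]*\),.*/\1/p'
}

# local_iface_for IP IFCONFIG_TEXT: print the interface carrying IP, if any.
local_iface_for() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        /^[a-z0-9]+:/ { iface = $1; sub(":", "", iface) }
        $1 == "inet" && $2 == ip { print iface }'
}

# udp_listeners_on IP NETSTAT_TEXT: print each UDP port bound to IP, one per line.
udp_listeners_on() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $1 ~ /^udp/ {
            n = split($4, a, ".")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == ip) print port
        }'
}

# stale_pppd_pids PS_TEXT: print the PID of every running pppd.
stale_pppd_pids() {
    printf '%s\n' "$1" | awk '$2 ~ /(^|\/)pppd$/ { print $1 }'
}

# pppd_kill_cmd PS_TEXT: the command the follow-up comment recommends, built
# for the operator to review rather than executed here.
pppd_kill_cmd() {
    pids=$(stale_pppd_pids "$1" | tr '\n' ' ')
    if [ -n "$pids" ]; then
        printf 'sudo kill -TERM %s\n' "${pids% }"
    fi
}

# triage ALERT_LINE IFCONFIG_TEXT NETSTAT_TEXT: one-line verdict. A source
# address that is configured on one of our own interfaces means the "spoof"
# is our own socket talking out of the wrong interface, not an outside host.
triage() {
    src=$(alert_source "$1")
    iface=$(local_iface_for "$src" "$2")
    if [ -n "$iface" ]; then
        ports=$(udp_listeners_on "$src" "$3" | tr '\n' ' ')
        printf 'LOCAL: %s is our own %s address; UDP ports bound to it: %s\n' \
            "$src" "$iface" "${ports% }"
    else
        printf 'EXTERNAL: %s is not configured on any local interface\n' "$src"
    fi
}

triage "$ALERT" "$IFCONFIG" "$NETSTAT"
pppd_kill_cmd "$PS"
```

On a live machine, feed it real output instead of the samples: triage "$line" "$(ifconfig)" "$(netstat -an)" and pppd_kill_cmd "$(ps -axo pid,command)". One caveat the lsof listing in the post illustrates: on Mac OS X, lsof run as an ordinary user only sees that user's own processes, so a root-owned daemon such as nmbd never shows up in a plain "lsof -i"; "sudo lsof -i" is needed to see its sockets.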