Macworld Forums: Stealth Mode connection attempt to TCP - Macworld Forums


Stealth Mode connection attempt to TCP

#1 mfugi

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 03-October 07

Posted 03 October 2007 - 04:47 AM

Hi,
I recently set my advanced firewall settings in Mac OS X 10.4.10 to block UDP traffic and enable stealth mode. I also enabled firewall logging. I have countless "ipfw: 35000 Deny UDP 192.xxx.x.x 239.xxx.xxx.xxx:1900 in via en1" and "Stealth Mode connection attempt to TCP xxx.xxx.x.xxx:51757 from xxx.xxx.xxx" entries. So, my curiosity got the better of me and I did a Network Utility traceroute on one, 206.191.161.8:80, and...
Traceroute has started ...
traceroute to 206.191.161.8 (206.191.161.8), 64 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 2.513 ms 2.000 ms 2.110 ms
2
3 241.230.95.24.cfl.res.rr.com (24.95.230.241) 16.519 ms 14.959 ms 14.250 ms
4 145.228.95.24.cfl.res.rr.com (24.95.228.145) 15.076 ms 13.378 ms 24.318 ms
5 198.228.95.24.cfl.res.rr.com (24.95.228.198) 11.595 ms 14.625 ms 12.949 ms
6 te-3-1.car1.orlando1.level3.net (4.79.116.137) 11.851 ms te-3-3.car1.orlando1.level3.net (4.79.116.145) 13.673 ms 14.928 ms
7 ae-6-6.ebr1.atlanta2.level3.net (4.69.133.78) 29.411 ms 29.640 ms 22.011 ms
8 ae-68.ebr3.atlanta2.level3.net (4.69.134.50) 29.997 ms 30.093 ms 36.025 ms
9 ae-2.ebr1.washington1.level3.net (4.69.132.86) 36.167 ms 37.090 ms 38.620 ms
10 ae-61-61.csw1.washington1.level3.net (4.69.134.130) 36.738 ms 35.981 ms 36.511 ms
11 ae-13-69.car3.washington1.level3.net (4.68.17.5) 40.059 ms 37.027 ms 37.343 ms
12 xe-7-2.r04.asbnva01.us.bb.gin.ntt.net (129.250.9.113) 38.604 ms 84.866 ms
13 ae-1.r21.asbnva01.us.bb.gin.ntt.net (129.250.2.180) 38.829 ms 35.607 ms 37.000 ms
14 as-0.r21.nycmny01.us.bb.gin.ntt.net (129.250.2.8) 42.188 ms 44.456 ms 42.073 ms
15 ae-0.r20.nycmny01.us.bb.gin.ntt.net (129.250.2.25) 42.760 ms 41.618 ms 42.183 ms
16 as-2.r21.sttlwa01.us.bb.gin.ntt.net (129.250.3.190) 103.227 ms 100.502 ms 102.103 ms
17 po-3.r00.sttlwa01.us.bb.gin.ntt.net (129.250.4.178) 101.830 ms 102.983 ms 122.407 ms
18 ge-1-13.r00.sttlwa01.us.ce.gin.ntt.net (198.104.203.86) 103.615 ms 103.010 ms 103.247 ms
19 border25s.ge1-1-bbnet1.sea.pnap.net (206.253.192.162) 104.066 ms 102.619 ms 101.552 ms
20 revenuesci-3.border25s.sea.pnap.net (206.191.144.34) 104.054 ms 100.538 ms 101.709 ms
21 206.191.161.8 (206.191.161.8) 105.561 ms 102.272 ms 102.042 ms
It seems the originating IP belongs to Visual Sciences' web page.
Now what is a company that provides "solutions for...the intelligence community" trying to access my ports for? OK, maybe I'm doing something incorrectly or my paranoia is getting the better of me. But I'm relatively new to the Mac and would like to know whether these log entries are normal. Is there any software for the Mac that could give me more info or even scan my system for open ports?
Thanks for your help,
fugi
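A small triage script for the two kinds of log line quoted in the post above, added here as an example and not part of the thread. It uses constructed sample lines in the same format (documentation and private addresses, not the ones from the thread) and applies three assumptions about what the entries usually mean: UDP to 239.x.x.x port 1900 is SSDP/UPnP discovery chatter from the local network; a stealth-mode entry whose remote side is port 80 or 443 and whose local port is a high ephemeral one is typically a late packet from a web session the Mac itself opened; and a stealth-mode entry aimed at a low, well-known local port from an outside address is the one worth counting per source.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the two formats quoted in the post
# (addresses are documentation/private ranges, not taken from the thread).
SAMPLE_LOG = """\
ipfw: 35000 Deny UDP 192.168.1.5:49152 239.255.255.250:1900 in via en1
ipfw: 35000 Deny UDP 192.168.1.1:1900 239.255.255.250:1900 in via en1
Stealth Mode connection attempt to TCP 192.168.1.5:51757 from 198.51.100.8:80
Stealth Mode connection attempt to TCP 192.168.1.5:51757 from 198.51.100.8:80
Stealth Mode connection attempt to TCP 192.168.1.5:22 from 203.0.113.77:5555
Stealth Mode connection attempt to TCP 192.168.1.5:445 from 203.0.113.77:5556
"""

# Patterns for the ipfw deny line and the stealth-mode line as quoted in the post.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in via (?P<iface>\S+)"
)
STEALTH_RE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+)(?::(?P<sport>\d+))?"
)

WEB_PORTS = {80, 443}


def classify(line):
    """Return a dict describing one firewall log line, or None if the line does not match."""
    kind = "ipfw-deny"
    m = IPFW_RE.search(line)
    if m is None:
        kind = "stealth"
        m = STEALTH_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    src = ipaddress.ip_address(d["src"])
    dst = ipaddress.ip_address(d["dst"])
    dport = int(d["dport"])
    sport = int(d["sport"]) if d.get("sport") else None

    # Heuristic categories (assumptions, see the lead-in text).
    if dst.is_multicast and dport == 1900:
        category = "ssdp-multicast"    # UPnP/SSDP discovery from the LAN: routine chatter
    elif dst.is_multicast:
        category = "multicast"
    elif kind == "stealth" and sport in WEB_PORTS and dport >= 1024:
        category = "stray-web-reply"   # web server answering a port this host opened earlier
    elif kind == "stealth" and dport < 1024:
        category = "service-probe"     # outside host trying a well-known service port
    else:
        category = "unsolicited"
    return {"kind": kind, "category": category, "src": str(src), "dst": str(dst),
            "dport": dport, "sport": sport, "src_private": src.is_private}


def summarize(log_text):
    """Count (category, source address) pairs so repeat sources stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = classify(line)
        if entry:
            counts[(entry["category"], entry["src"])] += 1
    return counts


if __name__ == "__main__":
    for (category, src), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {category:16s} {src}")
```

Run it against the real log (on 10.4 that was /var/log/ipfw.log) by replacing SAMPLE_LOG with the file's contents; the SSDP lines and the stray web replies should dominate, and only the "service-probe" rows from a single repeating source merit a closer look.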

#2 Mark_Schneider

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 21-November 07

Posted 21 November 2007 - 03:24 AM

This is more than likely a spoofed address...
One thing you cannot do is fire back... especially since you don't know if it is a spoofed address (I must say it likely is)... If you think your neighbor is throwing rocks at your front door, should you really start throwing rocks at his??? Only to find out, when the police come to arrest you for your crime, that there was a kid down the street doing it to your door.
With regards to your issue...
Spoofed IP DoS attacks are getting to be more and more common... The worst are the ever popular DDoS... The fact is your Mac is secure (provided the BSD/OS X firewall is active and denial of UDP packets is in place); unfortunately you might not be getting any bandwidth... Notice stealth mode is useless, as an nmap -P0 seems to do the damage anyway...
The solution???
Renew your IP or have a decent router that will allow you to easily switch IPs...
The other thing I did on my Windows machine, since my provider doesn't like to supply me with new IPs unless the lease has actually expired, is spoof a MAC address change, then release/renew the IP... works every time.... Although the legality of this is questionable at best (so be careful who/what is being spoofed)...
Bottom line... change IPs continually, as spoofed DoS attacks are, without thousands of dollars in Cisco equipment, a common occurrence.

#3 Mark_Schneider

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 21-November 07

Posted 22 November 2007 - 01:50 AM

I SHOULD MENTION THE ABOVE AND BELOW ONLY APPLY TO NON-STATIC IP ALLOCATION... I assume that is what you have... Also, if on a router, resetting the IPs at the router level will be required.
I should mention... if the MAC address spoof is done... it needs to be temporary, so write your old address down.... Also, in several jurisdictions this may be unlawful, as it can prevent authorities from keeping good records of your machine's whereabouts... Also, spoofing federal computer architectures / MAC addresses poses an obvious problem... Another unlawful thing to do is spoof an ISP server to uncap a modem, although this is often useless given the firmware of your modem is intact and original.. BOTTOM LINE: BE CAREFUL WHO IS SPOOFED; a safe bet is to change the last char from e to f or such....
I spoof for a day or two if needed, just long enough for my ISP to release my old IP to someone else, then I convert my MAC address back to the original... since my old address was released to an unsuspecting customer... I am issued a new one.. Sometimes the new address is worse for attacks, so I need to continually retry..
ABSOLUTELY MAKE SURE YOU KEEP YOUR OLD MAC ADDRESS ON FILE, AND REVERT BACK TO IT... Check with local laws to ensure what you are doing is legal as well. I can assure you spoofing a federal computer or an ISP server will terminate your service agreement HAHA
I have also read unconfirmed reports that iTunes servers use MAC address identification... so there goes the playability of your purchased music, until your old MAC address is recovered... I have not confirmed this however.
Or do what most do: wait for your IP to change (assuming dynamic allocation), although ISPs are often reluctant to do so, especially on request.
all the best
mark

#4 bcrossb

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 06-May 09

Posted 06 May 2009 - 05:48 AM

I would be interested in a link to some reading on spoofing a MAC address on my iMac. Thx.
