Windows 7 Forums


Windows 7: MAC Attack


15 Apr 2010   #1

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
 
 
MAC Attack

No, I'm not hungry, it's just that the firewall popped an alert that it had blocked an attack by something using the same MAC address of my primary rig, and since I have the wireless disabled, I can only imagine that this must have come from the internet.

I have seen a number of attacks blocked before, but never one such as this. It is possible that this was due to the fact that I just connected a different wireless telephone, but it works on 5.8MHz, instead of 2.4MHz like my router, so that doesn't seem to be a likely source. Is it possible that someone on the internet could be trying to hack my computer by imitating the MAC? If I understand, the MAC isn't broadcast on the internet...is it?


15 Apr 2010   #2

Windows 7 Ultimate 32 bit
 
 

Did you look at your firewall log to see who initiated the attack?
15 Apr 2010   #3

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
 
 

Not until you asked. There are so many logs in my firewall, I'm not sure which to look at, but it appears from the mac.log that this is the entry in question:

Quote:
2010/04/15 12:38:06 recv xx-xx-xx-xx-xx-xx -> ff-ff-ff-ff-ff-ff block by 00000000 ARP:block
2010/04/15 12:38:06 recv xx-xx-xx-xx-xx-xx -> ff-ff-ff-ff-ff-ff block by 00000000 ARP:block
The problem is that I don't know how to interpret it...do you? I probably shouldn't have pasted it, since it contains the MAC address, but I guess that I can change it.

EDIT: I decided to x out the numbers. However, the first set I didn't recognize, the second set were from my computer.


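Added example (not part of any post in this thread, and not the firewall vendor's code): a Python parser for lines shaped like the two quoted from mac.log above, which separates received ARP frames carrying one of your own MAC addresses from frames sent by other devices on the local segment. The field meanings, the `own_macs` parameter and the sample MAC addresses are assumptions, since the firewall product is not named.

```python
import re
from collections import Counter

BROADCAST = "ff-ff-ff-ff-ff-ff"
MAC = r"[0-9a-fx]{2}(?:-[0-9a-fx]{2}){5}"  # 'x' allows redacted digits as in the post

# Layout inferred from the two quoted lines; the field names are assumptions.
LINE_RE = re.compile(
    rf"^(?P<ts>\d{{4}}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<direction>\w+) "
    rf"(?P<src>{MAC}) -> (?P<dst>{MAC}) "
    rf"(?P<action>\w+) by (?P<rule>[0-9a-f]{{8}}) (?P<proto>\w+):(?P<verdict>\w+)$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the fields of one mac.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("direction", "src", "dst"):
        rec[key] = rec[key].lower()
    return rec

def triage(lines, own_macs):
    """Classify blocked ARP frames by who sent them on the local segment."""
    own = {m.lower() for m in own_macs}
    findings, per_src = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].upper() != "ARP":
            continue
        per_src[rec["src"]] += 1
        if rec["direction"] == "recv" and rec["src"] in own:
            # Received frame carrying our own MAC: a duplicate address on the LAN
            # or our own broadcast echoed back. ARP is not routed, so not remote.
            kind = "own-mac-received"
        else:
            kind = "other-local-device"
        findings.append({"ts": rec["ts"], "src": rec["src"], "kind": kind,
                         "broadcast": rec["dst"] == BROADCAST})
    return findings, per_src

# Constructed sample: same shape as the quoted lines, with made-up MACs
# (02-... has the locally administered bit set) in place of the redacted ones.
SAMPLE = [
    "2010/04/15 12:38:06 recv 02-00-00-00-00-01 -> ff-ff-ff-ff-ff-ff block by 00000000 ARP:block",
    "2010/04/15 12:38:06 recv 02-00-00-00-00-02 -> ff-ff-ff-ff-ff-ff block by 00000000 ARP:block",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, own_macs=["02-00-00-00-00-02"])[0]:
        print(finding)
```

A source MAC that is not your own can be compared with the router's DHCP or attached-device list to identify which local device sent the frame.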
15 Apr 2010   #4

Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
 
 

MAC address spoofing is normally associated with wireless networks, with hackers using tools like Wireshark to sniff network packets. With wired networks, like yours, one needs physical connection to the machine to access network traffic and presumably that can be controlled by the owner of the network.

Every ethernet card is theoretically assigned a unique MAC address. But really speaking, there's nothing to guarantee such uniqueness for 2 reasons:

1) Manufacturers may or may not ensure that they are unique.
2) MAC addresses can be set manually in many network interfaces.

The MAC address is used by the network to identify which piece of hardware a packet is to be sent to. So it's used only on connections from one piece of networking equipment to the next. When information leaves your computer it has your computer's MAC address, but when it leaves your router, that address is replaced by the MAC address of your router. Then when it leaves the ISP's router, it contains the MAC address of the ISP's router. So, no, the MAC address of your rigs does not travel very far.
15 Apr 2010   #5

Windows 7 Ultimate 32 bit
 
 

I can't interpret this one. It doesn't appear to list the source of the attack.

Quote:
222.45.112.59 Not available TCP port scan detected, packet dropped
This lists the source and I can look it up via whois.
15 Apr 2010   #6

Windows 7 Ultimate 32 bit
 
 

Here is another sample from my firewall log:

Quote:
66.228.119.250 fcp01.dal01.softlayer.com UDP port scan detected, packet dropped
15 Apr 2010   #7
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Quote: Originally Posted by CarlTR6
I can't interpret this one. It doesn't appear to list the source of the attack.

Quote:
222.45.112.59 Not available TCP port scan detected, packet dropped
This lists the source and I can look it up via whois.
Quote:
IP Information for 222.45.112.59

IP Location: China Beijing Kunde Htech Ltd Co IP Address: 222.45.112.59


inetnum: 222.45.0.0 - 222.45.255.255
netname: HTECH
descr: Kunde Htech Ltd Co
descr: 11 Yanan Road No398,Hangzhou,Zhejiang,china
country: CN
admin-c: JX966-AP
tech-c: YF484-AP
status: ASSIGNED NON-PORTABLE
changed: 20081215
mnt-by: MAINT-CNNIC-AP
mnt-routes: MAINT-CNCGROUP-RR
source: APNIC

route: 222.32.0.0/11
descr: China TieTong Telecommunications Corporation
country: CN
origin: AS9394
mnt-by: MAINT-CNNIC-AP
changed: 20090908
source: APNIC




15 Apr 2010   #8

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
 
 

Quote: Originally Posted by Bill2
MAC address spoofing is normally associated with wireless networks, with hackers using tools like Wireshark to sniff network packets. With wired networks, like yours, one needs physical connection to the machine to access network traffic and presumably that can be controlled by the owner of the network.

Every ethernet card is theoretically assigned a unique MAC address. But really speaking, there's nothing to guarantee such uniqueness for 2 reasons:

1) Manufacturers may or may not ensure that they are unique.
2) MAC addresses can be set manually in many network interfaces.

The MAC address is used by the network to identify which piece of hardware a packet is to be sent to. So it's used only on connections from one piece of networking equipment to the next. When information leaves your computer it has your computer's MAC address, but when it leaves your router, that address is replaced by the MAC address of your router. Then when it leaves the ISP's router, it contains the MAC address of the ISP's router. So, no, the MAC address of your rigs does not travel very far.
So, what am I to conclude? That the alert was just a fluke?
15 Apr 2010   #9

W7x64 Pro, SuSe 12.1/** W7 x64 Pro, XP MCE
 
 

Quote: Originally Posted by CarlTR6
I can't interpret this one. It doesn't appear to list the source of the attack.

Quote:
222.45.112.59 Not available TCP port scan detected, packet dropped
This lists the source and I can look it up via whois.
That is an IP address, rather than a MAC address. I know how to track an IP, but not a MAC...can that be done?
15 Apr 2010   #10

Windows 7 Ultimate 32 bit
 
 

I would treat it as a fluke and closely watch for a reoccurrence. I do not know very much about MAC addresses except as they apply to my router and network.