I try to do network work for a small financial company. I reformatted everything with a circuit board after a string of 'impossible' problems - Workgroups switched to Domains overnight, Internet was half blocked on different machines, Outlook accounts switched permissions.
The whole thing was back up three weeks ago. Last week, complaints started coming back in about odd-ball Internet connections again. Fearing the worst, I ran firewall reports and logs and Keystroke reports (shame on me, but I had to know if the client was responsible).
Turns out, one office-mate keeps quietly hooking up a D-Link WAP (DI-624). The office is in a building of other, near offices. The D-Link router used for the office (DI-604) reported this sort of thing:
Jun/22/2005 DHCP lease IP 192.168.0.102 to DI-624 08-00-46-CB-E5-B7
Jun/22/2005 Target IP (255.255.255.255) Target Port (67) Packet Dropped
Jun/22/2005 Spoof IP (0.0.0.0.) Spoof Port (68)
Jun/22/2005 Spoof Attack fromd [sic] MAC (08-00-46-CB-E5-B7) Detect.
This happens +/- FIFTY more times in the next eight minutes, then all is quiet (I created this log an hour and a half later). I showed this log to the boss to illustrate that I wasn't a complete incompetent (he just knows that things should work) and I had words with the WAP/noWEP chump who invited trouble. I got a shrug from him.
It's still going to be a thankless office, but it's a financial office - Department of Homeland Security requires that such offices share events like this, heaven forbid, someone got account numbers, etc. I'm just getting the drift of packet sniffing and spoofing and all this, so my question is, based on the above, is this logged attack indicative of something mundane, or something more malicious and intentional? Was someone actually targeting the financial office when WAP/noWEP was available?
All 20 pages of that DI-604 log repeat the same thing with subtle variation; there was no even spread or pattern between spoofing/targeting Ports 68 and 67.
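An added example, not part of the post above: a small Python parser for the three-line DI-604 entries quoted there. It groups each Target/Spoof/Attack triple under its MAC, ties the MAC back to the DHCP lease line, and separates the 0.0.0.0:68 to 255.255.255.255:67 broadcasts (the shape of a client with no address yet asking a DHCP server for a lease) from anything else, so a 20-page log can be reduced to a per-device tally before deciding whether it was hostile. The sample log is constructed from the four quoted lines; the second MAC and the port-80 entry are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines quoted in the post, the Target/Spoof/Attack
# triple repeated once, plus one made-up non-DHCP entry from an invented MAC.
SAMPLE_LOG = """\
Jun/22/2005 DHCP lease IP 192.168.0.102 to DI-624 08-00-46-CB-E5-B7
Jun/22/2005 Target IP (255.255.255.255) Target Port (67) Packet Dropped
Jun/22/2005 Spoof IP (0.0.0.0.) Spoof Port (68)
Jun/22/2005 Spoof Attack fromd [sic] MAC (08-00-46-CB-E5-B7) Detect.
Jun/22/2005 Target IP (255.255.255.255) Target Port (67) Packet Dropped
Jun/22/2005 Spoof IP (0.0.0.0.) Spoof Port (68)
Jun/22/2005 Spoof Attack fromd [sic] MAC (08-00-46-CB-E5-B7) Detect.
Jun/22/2005 Target IP (192.168.0.1) Target Port (80) Packet Dropped
Jun/22/2005 Spoof IP (10.9.9.9) Spoof Port (4444)
Jun/22/2005 Spoof Attack fromd [sic] MAC (00-11-22-33-44-55) Detect.
"""

MAC = r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
LEASE_RE = re.compile(r"DHCP lease IP (\S+) to (\S+) " + MAC)
TARGET_RE = re.compile(r"Target IP \(([^)]+)\) Target Port \((\d+)\)")
SPOOF_RE = re.compile(r"Spoof IP \(([^)]+)\) Spoof Port \((\d+)\)")
# 'from\w*' tolerates the "fromd" spelling the router logged; "[sic]" is optional.
ATTACK_RE = re.compile(r"Spoof Attack from\w*(?: \[sic\])? MAC \(" + MAC + r"\)")

def is_dhcp_discover(target_ip, target_port, spoof_ip, spoof_port):
    """True for a DHCP client broadcast: source 0.0.0.0:68, destination 255.255.255.255:67."""
    return (target_ip == "255.255.255.255" and target_port == 67
            and spoof_ip.rstrip(".") == "0.0.0.0" and spoof_port == 68)

def analyze(log_text):
    """Tally each Target/Spoof/Attack triple under its MAC as DHCP discovery or 'other'."""
    report = defaultdict(lambda: {"device": None, "lease_ip": None,
                                  "dhcp_discover": 0, "other": 0})
    target = spoof = None
    for line in log_text.splitlines():
        if m := LEASE_RE.search(line):
            ip, name, mac = m.groups()
            report[mac.upper()].update(device=name, lease_ip=ip)
        elif m := TARGET_RE.search(line):
            target = (m.group(1), int(m.group(2)))
        elif m := SPOOF_RE.search(line):
            spoof = (m.group(1), int(m.group(2)))
        elif (m := ATTACK_RE.search(line)) and target and spoof:
            key = "dhcp_discover" if is_dhcp_discover(*target, *spoof) else "other"
            report[m.group(1).upper()][key] += 1
            target = spoof = None  # the triple is consumed; start a fresh one
    return dict(report)

if __name__ == "__main__":
    for mac, info in analyze(SAMPLE_LOG).items():
        print(mac, info)
```

A MAC whose entries are all in the dhcp_discover bucket and that also holds a lease is behaving like an ordinary DHCP client; anything landing in "other" is what deserves a closer look.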